Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(pipelines): (Could not assume role in target account using current credentials) #29479

Closed
cpalessio96 opened this issue Mar 14, 2024 · 4 comments
Closed

(pipelines): (Could not assume role in target account using current credentials) #29479

cpalessio96 opened this issue Mar 14, 2024 · 4 comments
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@cpalessio96
Copy link

Describe the bug

My pipeline has a dedicated AWS account (accountA) while deployed resources have a dedicated AWS account (accountB). Up to this point, the pipeline was working properly. Adding a LambdaInvoke step to invoke a lambda in the account-b (cross-account) caused a problem in the pipeline.

Expected Behavior

Pipeline works

Current Behavior

In the update pipeline, the self-mutate task, I am encountering the following error:
Error: Could not assume role in target account using current credentials (which are for account ACCOUNT-A) User: arn:aws:sts::ACCOUNT-A:assumed-role/RolePipeline/AWSCodeBuild-XXXX is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNT-B:role/cdk-hnb659fds-deploy-role-ACCOUNTB-eu-west-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

Reproduction Steps

I added this construct to my pipeline

const lambdaAction = new codePipelinesAction.LambdaInvokeAction({
      actionName: "InvalidateCloudFront",
      lambda: lambda.Function.fromFunctionArn(
        this,
        "invokeCloudFront-lambda",
        stackParams.invalidateCloudfrontLambda,
      ),
      userParametersString: stackParams.cloudfrontDistributionId,
    });

Possible Solution

I've seen the similar issue #19686, but I don't think it's a lookup problem. I tried to insert the tag lookup and run cdk synth, but I don't have any cdk.context.json.

Maybe it's a misconfiguration problem. Can you help me?

Additional Information/Context

I deployed the pipeline using AWS cli to force an update, but it still isn't working.
I added trust relationship to account B lambda for account A.

CDK CLI Version

2.118.0

Framework Version

projen 0.79.10

Node.js Version

v18.18.2

OS

WSL Ubuntu

Language

TypeScript

Language Version

TypeScript

Other information

No response
@cpalessio96 cpalessio96 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 14, 2024
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Mar 14, 2024
@pahud
Copy link
Contributor

pahud commented Mar 15, 2024

Error: Could not assume role in target account using current credentials (which are for account ACCOUNT-A) User: arn:aws:sts::ACCOUNT-A:assumed-role/RolePipeline/AWSCodeBuild-XXXX is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNT-B:role/cdk-hnb659fds-deploy-role-ACCOUNTB-eu-west-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

Looks like your pipeline role was trying to assume the deploy-role of account B for some reason.

Are you able to provide a minimal code snippet including the pipeline construct that we can reproduce it and see what's happening in our account?

@pahud pahud added p2 needs-reproduction This issue needs reproduction. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 15, 2024
@cpalessio96
Copy link
Author

i have an update, we resolve this with the following selfMutationCodeBuildDefaults

{
        rolePolicy: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["sts:AssumeRole"],
            resources: ["*"],
            conditions: {
              StringEquals: {
                "iam:ResourceTag/aws-cdk:bootstrap-role": [
                  "deploy",
                  "file-publishing",
                ],
              },
            },
          }),
        ],
      }

the pipeline now is this:

new pipelines.CodePipeline(this, "pipeline", {
      pipelineName: `${name}-${props.stage}`,
      dockerEnabledForSynth: true,
      crossAccountKeys: true,
      synth: new pipelines.CodeBuildStep("synth", {
        input: repoBackendSource,
        commands: [
          "npm ci",
          `npx cdk synth -v ${namePipeline}`,
        ],
      }),
      selfMutationCodeBuildDefaults: {
        rolePolicy: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["sts:AssumeRole"],
            resources: ["*"],
            conditions: {
              StringEquals: {
                "iam:ResourceTag/aws-cdk:bootstrap-role": [
                  "deploy",
                  "file-publishing",
                ],
              },
            },
          }),
        ],
      },
    });

We use pipelines in aws-cdk-lib

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 16, 2024
@github-actions github-actions bot mentioned this issue Mar 18, 2024
Closed
@github-actions github-actions bot mentioned this issue Apr 1, 2024
Closed
@pahud
Copy link
Contributor

pahud commented Aug 13, 2024

Generally,

If your pipeline account A is trying to deploy resource on account B, you need to cdk bootstrap account B with --trust on account A so account A would be able to assume the deploy-role on account B.

  1. Can you show me the full command you cdk bootstrap account B?
  2. Can you show me the IAM trust policy of the role arn:aws:iam::ACCOUNT-B:role/cdk-hnb659fds-deploy-role-ACCOUNTB-eu-west-1?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-reproduction This issue needs reproduction. labels Aug 13, 2024
@github-actions GitHub Actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pahud @cpalessio96