(pipelines): could not assume role in another account #19686
Comments
You probably added code which requires a context lookup, without committing the corresponding update to CDK will then try and do the lookup at build time.
Would you be able to elaborate here a little as the docs seem a bit confusing to me. We have hit this issue when using cdk pipelines as we are trying to reference a target bucket in another account from the pipeline account to deploy a react app into it. I don't understand these sentences from that link: "This will make sure your synthesized infrastructure is consistent and repeatable. If you do not commit cdk.context.json, the results of the lookups may suddenly be different in unexpected ways, and even produce results that cannot be deployed or will cause data loss. " ... "If you want to use lookups directly from the pipeline, you either need to accept the risk of nondeterminism, or make sure you save and load the cdk.context.json file somewhere between synth runs. " What is nondeterminism and why would things be changing in unexpected ways if they were looked up at runtime in the deployment pipeline? If I added the permissions in the role as the op did so that it could look up the bucket, could you give me an example of how it might go wrong in unexpected ways?
Describe the bug
I have a dedicated AWS account for running pipeline (let's call it account-1) and another AWS account where all resources being deployed by pipeline (account-2).
Everything worked just perfectly till today: I added a new stack to be deployed to account-2 and pushed changes to remote git repo.
Expected Behavior
A new stack is deployed successfully to account-2 via CodePipeline. No errors in pipeline shown.
Current Behavior
The Build step of CodePipeline started failing with the following error:
Reproduction Steps
Possible Solution
I went to arn:aws:sts::account-1:assumed-role/PipelineStack-AppNamePipelineBuil-XXXXXXX role and edited it manually by adding AssumeRole on arn:aws:iam::account-2:role/cdk-xxxx-lookup-role-account-2-us-west-2. After that pipeline has completed successfully.
Although I don't feel like I should have done manual update of the role. All the necessary permissions should be granted automatically when running cdk bootstrap
Additional Information/Context
I tried re-running cdk bootstrap (although I did this already when initially deploying the pipeline):
But it didn't help.
CDK CLI Version
2.18.0
Framework Version
No response
Node.js Version
17.7.1
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response
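The manual role edit described under Possible Solution, as an added example that is not part of the original issue and not CDK's own code: a TypeScript check that lists which roles a build role's policy lets it assume and separates the lookup-role grant from wildcard grants. The policy statements are constructed, the function names are hypothetical, and the lookup-role name pattern is an assumption inferred from the ARN quoted in the issue.

```typescript
// Added example (not from the issue or from CDK): audit sts:AssumeRole grants
// on a pipeline build role. All function and type names are hypothetical.
type OneOrMany = string | string[];
interface Statement { Effect: "Allow" | "Deny"; Action: OneOrMany; Resource: OneOrMany; Condition?: object; }
interface Finding { resource: string; verdict: "lookup-role" | "wildcard" | "other-role"; conditioned: boolean; }

const toList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// Assumption: lookup roles are named cdk-<qualifier>-lookup-role-<account>-<region>,
// the shape of the ARN quoted in the issue.
const LOOKUP_ROLE = /^arn:aws:iam::[^:*]+:role\/cdk-[a-z0-9]+-lookup-role-[A-Za-z0-9-]+$/;

// IAM action names are case-insensitive; only the "*" wildcard is handled here.
function grantsAssumeRole(action: string): boolean {
  const body = action.toLowerCase().split("*")
    .map((part) => part.replace(/[^a-z0-9:]/g, "\\$&")).join(".*");
  return new RegExp(`^${body}$`).test("sts:assumerole");
}

// Returns one finding per resource that an Allow statement lets the role assume.
function auditAssumeRole(statements: Statement[]): Finding[] {
  const findings: Finding[] = [];
  for (const st of statements) {
    if (st.Effect !== "Allow" || !toList(st.Action).some(grantsAssumeRole)) continue;
    for (const resource of toList(st.Resource)) {
      const verdict: Finding["verdict"] = LOOKUP_ROLE.test(resource) ? "lookup-role"
        : resource.includes("*") ? "wildcard" : "other-role";
      // A Condition block may narrow a wildcard grant; surface it for the reviewer.
      findings.push({ resource, verdict, conditioned: st.Condition !== undefined });
    }
  }
  return findings;
}

// Constructed sample: the grant from the issue, an over-broad grant, and an
// unrelated statement that the audit ignores.
const samplePolicy: Statement[] = [
  { Effect: "Allow", Action: "sts:AssumeRole",
    Resource: "arn:aws:iam::account-2:role/cdk-xxxx-lookup-role-account-2-us-west-2" },
  { Effect: "Allow", Action: ["s3:GetObject", "sts:*"], Resource: "*" },
  { Effect: "Allow", Action: "s3:PutObject", Resource: "*" },
];
const sampleFindings = auditAssumeRole(samplePolicy);
```

A "wildcard" finding with `conditioned: false` is the case to review first, since it lets the build role assume any role that trusts it.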