
(cdk bootstrap --trust): (failed to rebootstrap with another trusted account: not authorized to perform API: iam:UpdateAssumeRolePolicyDocument) #26399

Closed
rnlduaeo opened this issue Jul 18, 2023 · 2 comments
Labels
bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. package/tools Related to AWS CDK Tools or CLI response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@rnlduaeo

Describe the bug

For S3 cross-account replication, we bootstrapped the destination account with the command below, and it worked:

```
cdk bootstrap --trust {1-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
```

We have 6 source accounts that need to be replicated from, so I tried to rebootstrap with the same command, replacing the {sourceAccountId} in curly braces:

```
cdk bootstrap --trust {2-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
```

And I got the error below:

```
buntu@ip-10-210-36-97:~$ cdk bootstrap --trust <2-sourceAccountId> --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws:///eu-central-1
⏳ Bootstrapping environment aws:///eu-central-1...
Trusted accounts for deployment:
Trusted accounts for lookup: (none)
Execution policies: arn:aws:iam::aws:policy/AdministratorAccess
CDKToolkit: creating CloudFormation changeset...
8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | FilePublishingRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary

8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | ImagePublishingRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-image-publishing-role--eu-central-1 with an explicit deny in a permissions boundary

8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | LookupRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-lookup-role--eu-central-1 with an explicit deny in a permissions boundary

8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | DeploymentActionRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary

❌ Environment aws:///eu-central-1 failed bootstrapping: Error: The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-image-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-lookup-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User:arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:412:10236)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:417:2104
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/usr/local/lib/node_modules/aws-cdk/lib/index.js:417:1949)
    at async exec4 (/usr/local/lib/node_modules/aws-cdk/lib/index.js:490:52657)

The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-image-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-lookup-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary
```

Expected Behavior

cdk should be able to add an additional account to the trust relationship of the above 5 roles to enable that account to execute CloudFormation.

Current Behavior

Throws an error.
My workaround is to delete the CDKToolkit CloudFormation stack and the corresponding S3 bucket, and rebootstrap with another sourceAccountId. It worked. However, do I need to do this manual work for the other 6 source accounts?

Reproduction Steps

Run the following command:

```
cdk bootstrap --trust {1-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
```

Then run the following command again with a different source accountId:

```
cdk bootstrap --trust {2-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.81.0

Framework Version

No response

Node.js Version

v16.13.1

OS

mac, linux

Language

Typescript

Language Version

No response

Other information

No response

@rnlduaeo rnlduaeo added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 18, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Jul 18, 2023
@indrora indrora added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 19, 2023
@indrora
Contributor

indrora commented Jul 19, 2023

  • You can pass multiple account IDs through --trust (see customizing bootstrapping) that will be added to the trusted deployment accounts.
  • You do not have to manually pass the AdministratorAccess role policy to the bootstrapper -- it will add this on its own.
  • It appears that the role that you are using to do the deployment is able to create, but not update, the required resources here. Are you sure you can call iam:UpdateAssumeRolePolicy from that account? On that resource? Verify your IAM credentials allow you to make this action.
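Two things in the exchange above are worth making concrete from a defender's side: what the denied update actually was, and what a second `cdk bootstrap --trust` run does to the trust policies of the bootstrap roles. The script below is an added example, not code from the aws-cdk project or from anyone in this thread. It parses the `UPDATE_FAILED` events copied from the issue (two of the four, embedded as a constructed sample), builds assume-role policies in the same shape the bootstrap template gives its roles (one `arn:aws:iam::<account>:root` principal per trusted account; a simplification I assume here, since the real template also carries other statements), and shows that passing only the new account to `--trust` replaces the previously trusted account rather than adding to it, which is why all trusted accounts need to be listed together as the comment above says. The `least_privilege_statement` helper and the account ID `111111111111`/`222222222222` values are my own constructions.

```python
"""Added example: inspect a denied CDK bootstrap update and preview the trust-policy
change a re-run of `cdk bootstrap --trust` would make. Not aws-cdk project code."""
import json
import re
from typing import Dict, List

# Constructed sample: two of the UPDATE_FAILED events copied from the issue output.
SAMPLE_LOG = """\
8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | FilePublishingRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary

8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | DeploymentActionRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary
"""

# One CloudFormation event line: "<time> | <status> | <resource type> | <logical id>"
EVENT_RE = re.compile(
    r"^(?P<time>\S+ (?:AM|PM)) \| (?P<status>[A-Z_]+) \| (?P<type>[\w:]+) \| (?P<logical_id>\w+)$",
    re.M,
)
# The IAM access-denied message; \s+ absorbs the line wrap before "on resource".
DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w:]+)\s+"
    r"on resource: role (?P<role>\S+)(?P<boundary> with an explicit deny in a permissions boundary)?"
)


def parse_bootstrap_failures(log: str) -> List[Dict[str, str]]:
    """Return one record per UPDATE_FAILED event whose reason is an IAM access denial."""
    events = list(EVENT_RE.finditer(log))
    failures = []
    for i, ev in enumerate(events):
        if ev.group("status") != "UPDATE_FAILED":
            continue
        end = events[i + 1].start() if i + 1 < len(events) else len(log)
        m = DENY_RE.search(log, ev.end(), end)  # only look inside this event's text
        if not m:
            continue
        failures.append({
            "logical_id": ev.group("logical_id"),
            "principal": m.group("principal"),
            "action": m.group("action"),
            "role": m.group("role"),
            # An explicit deny in a boundary cannot be overridden by an identity policy.
            "denied_by": "permissions boundary" if m.group("boundary") else "policy",
        })
    return failures


def trust_policy(trusted_accounts: List[str]) -> dict:
    """Assume-role policy in the simplified shape of the bootstrap roles (assumption)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted_accounts]},
    }]}


def principals(policy: dict) -> set:
    out = set()
    for st in policy["Statement"]:
        aws = st.get("Principal", {}).get("AWS", [])
        out.update([aws] if isinstance(aws, str) else aws)
    return out


def trust_diff(old: dict, new: dict) -> Dict[str, List[str]]:
    """Principals a trust-policy update would add and remove; review this before applying."""
    o, n = principals(old), principals(new)
    return {"added": sorted(n - o), "removed": sorted(o - n)}


def least_privilege_statement(failures: List[Dict[str, str]], account_id: str) -> dict:
    """Smallest Allow covering exactly the denied actions on exactly the named roles.
    account_id is a placeholder; since the deny here sits in a permissions boundary,
    the boundary's Deny must also be narrowed, an identity-policy Allow alone will not do."""
    actions = sorted({f["action"] for f in failures})
    resources = sorted({f"arn:aws:iam::{account_id}:role/{f['role']}" for f in failures})
    return {"Effect": "Allow", "Action": actions, "Resource": resources}


if __name__ == "__main__":
    found = parse_bootstrap_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f['logical_id']:22} {f['action']} on {f['role']} denied by {f['denied_by']}")
    first = trust_policy(["111111111111"])           # first bootstrap: --trust 111111111111
    print("--trust 222222222222 alone:", trust_diff(first, trust_policy(["222222222222"])))
    print("--trust 111111111111,222222222222:",
          trust_diff(first, trust_policy(["111111111111", "222222222222"])))
    print(json.dumps(least_privilege_statement(found, "<destinationAccountId>"), indent=2))
```

The parser is deliberately scoped to each event's own text so a denial reason cannot be attributed to the wrong role, and the `denied_by` field distinguishes a boundary deny (which the bootstrapping identity cannot fix by granting itself more permissions) from an ordinary missing allow. Run `trust_diff` on the planned change before any rebootstrap: a non-empty `removed` list means an account that currently deploys through these roles is about to lose access.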

@indrora indrora added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed p1 labels Jul 19, 2023
@github-actions

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 22, 2023