(cdk bootstrap --trust): (failed to re-bootstrap with another trusted account: not authorized to perform API: iam:UpdateAssumeRolePolicyDocument) #26399
Labels
- bug: This issue is a bug.
- closed-for-staleness: This issue was automatically closed because it hadn't received any attention in a while.
- package/tools: Related to AWS CDK Tools or CLI
- response-requested: Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Describe the bug
For S3 cross-account replication, we bootstrapped the destination account with the command below, and it worked:
cdk bootstrap --trust {1-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
We have 6 source accounts that need to be replicated from, so I tried to re-bootstrap with the same command, replacing the {sourceAccountId} in curly braces.
cdk bootstrap --trust {2-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
And I got the error below.
```
buntu@ip-10-210-36-97:~$ cdk bootstrap --trust <2-sourceAccountId> --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws:///eu-central-1
⏳ Bootstrapping environment aws:///eu-central-1...
Trusted accounts for deployment:
Trusted accounts for lookup: (none)
Execution policies: arn:aws:iam::aws:policy/AdministratorAccess
CDKToolkit: creating CloudFormation changeset...
8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | FilePublishingRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary
8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | ImagePublishingRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-image-publishing-role--eu-central-1 with an explicit deny in a permissions boundary
8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | LookupRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-lookup-role--eu-central-1 with an explicit deny in a permissions boundary
8:49:54 AM | UPDATE_FAILED | AWS::IAM::Role | DeploymentActionRole
API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy
on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary
❌ Environment aws:///eu-central-1 failed bootstrapping: Error: The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-image-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-lookup-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/lib/node_modules/aws-cdk/lib/index.js:412:10236)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async /usr/local/lib/node_modules/aws-cdk/lib/index.js:417:2104
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/usr/local/lib/node_modules/aws-cdk/lib/index.js:417:1949)
    at async exec4 (/usr/local/lib/node_modules/aws-cdk/lib/index.js:490:52657)
The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-file-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-image-publishing-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-lookup-role--eu-central-1 with an explicit deny in a permissions boundary, API: iam:UpdateAssumeRolePolicyDocument User: arn:aws:sts:::assumed-role/VXT_SRE_BASTION_HOST_ROLE/i-0c12e1c42d8fc7646 is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role cdk-hnb659fds-deploy-role--eu-central-1 with an explicit deny in a permissions boundary
```
Expected Behavior
cdk should be able to add an additional account to the trust relationship of the above 5 roles, to enable that account to execute CloudFormation.
Current Behavior
Throws an error.
My workaround is to delete the CDKToolkit CloudFormation stack and the corresponding S3 bucket, then re-bootstrap with another sourceAccountId. It worked. However, do I need to do this manual work for the other 6 source accounts?
Reproduction Steps
Run the following command:
cdk bootstrap --trust {1-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
Then run the following command again with a different source accountId:
cdk bootstrap --trust {2-sourceAccountId} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{destinationAccountId}/{destinationRegion} --profile destination
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.81.0
Framework Version
No response
Node.js Version
v16.13.1
OS
mac, linux
Language
Typescript
Language Version
No response
Other information
No response
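A pre-check worth running before re-bootstrapping, as an added example (not code from this issue or from the CDK project): given a bootstrap role's current trust policy and the caller's permissions boundary, it reports what `--trust` would change on the role and whether the boundary's explicit deny blocks the `iam:UpdateAssumeRolePolicy` call that change requires. It encodes two facts behind the error above: the bootstrap template writes the trusted accounts into the AssumeRolePolicyDocument of these roles, so any change to the trusted list is an `iam:UpdateAssumeRolePolicy` call on existing roles; and TrustedAccounts is a CloudFormation parameter, so the list passed with `--trust` replaces the previous one rather than adding to it. The trust policy, the boundary document and every account ID are constructed for illustration; the role name follows the `cdk-hnb659fds-file-publishing-role-<account>-<region>` pattern in the error output.

```python
"""Pre-check for re-running `cdk bootstrap --trust` against an existing CDKToolkit stack.

Added example, not code from the issue or the CDK project. The trust policy,
the permissions boundary and all account IDs are constructed.
"""
import fnmatch

ENV_ACCOUNT = "222222222222"  # constructed destination (bootstrapped) account

# Constructed: the trust policy the bootstrap template renders for
# TrustedAccounts=111111111111. Trusted accounts become <account>:root
# principals; the environment's own account is always present.
FILE_PUBLISHING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:root",
            f"arn:aws:iam::{ENV_ACCOUNT}:root",
        ]},
    }],
}

# Constructed: a boundary of the kind behind the error in the report. The
# identity policy may allow everything; the boundary's explicit Deny still wins.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BroadAllow", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyRoleTrustChanges", "Effect": "Deny",
         "Action": ["iam:UpdateAssumeRolePolicy"],
         "Resource": "arn:aws:iam::*:role/*"},
    ],
}

# Role name pattern from the error output, with the constructed account filled in.
ROLE_ARN = (f"arn:aws:iam::{ENV_ACCOUNT}:role/"
            f"cdk-hnb659fds-file-publishing-role-{ENV_ACCOUNT}-eu-central-1")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style matching: * and ? wildcards; action names are case-insensitive."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def trusted_accounts(trust_policy):
    """Account IDs whose principals may sts:AssumeRole under this trust policy."""
    accounts = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(_as_list(stmt.get("Action")), "sts:AssumeRole", True):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS")):
            if principal.startswith("arn:"):
                accounts.add(principal.split(":")[4])  # arn:aws:iam::<acct>:root
            elif principal.isdigit() and len(principal) == 12:
                accounts.add(principal)  # bare account-ID principal form
    return accounts


def trust_diff(trust_policy, source_accounts, env_account):
    """What `--trust <source_accounts>` would add to and remove from the role.

    TrustedAccounts is a CloudFormation parameter, so the accounts given on the
    command line replace the previous list; they are not appended to it.
    """
    current = trusted_accounts(trust_policy)
    desired = set(source_accounts) | {env_account}
    return {"add": sorted(desired - current),
            "remove": sorted(current - desired),
            "needs_update_assume_role_policy": desired != current}


def explicit_deny(policy, action, resource_arn):
    """Sid (or index) of the first Deny statement covering action + resource.

    Condition blocks are not evaluated: a conditional Deny is still reported.
    """
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(_as_list(stmt["Action"]), action, True)
        else:
            action_hit = not _matches(_as_list(stmt.get("NotAction")), action, True)
        if "Resource" in stmt:
            resource_hit = _matches(_as_list(stmt["Resource"]), resource_arn, False)
        else:
            resource_hit = not _matches(_as_list(stmt.get("NotResource")), resource_arn, False)
        if action_hit and resource_hit:
            return stmt.get("Sid", f"Statement[{index}]")
    return None


def bootstrap_precheck(trust_policy, boundary, source_accounts, env_account, role_arn):
    """Both checks together: will the trust change, and will the boundary block it?"""
    result = trust_diff(trust_policy, source_accounts, env_account)
    result["blocked_by"] = (explicit_deny(boundary, "iam:UpdateAssumeRolePolicy", role_arn)
                            if result["needs_update_assume_role_policy"] else None)
    return result


if __name__ == "__main__":
    # The second command from the report: only the new source account is passed.
    print(bootstrap_precheck(FILE_PUBLISHING_TRUST_POLICY, PERMISSIONS_BOUNDARY,
                             ["333333333333"], ENV_ACCOUNT, ROLE_ARN))
    # Every source account passed in one run.
    print(bootstrap_precheck(FILE_PUBLISHING_TRUST_POLICY, PERMISSIONS_BOUNDARY,
                             ["111111111111", "333333333333"], ENV_ACCOUNT, ROLE_ARN))
```

Against the constructed documents, the first call shows the two things the delete-and-recreate workaround hides: passing a single new account removes the previously trusted one (`remove: ['111111111111']`), and the update is blocked by `DenyRoleTrustChanges`. The second call keeps both accounts but is blocked just the same, because any change to the trusted list is an `iam:UpdateAssumeRolePolicy` call. For real accounts the inputs come from `aws iam get-role` (the `Role.AssumeRolePolicyDocument` of each `cdk-*` role, and `Role.PermissionsBoundary` of the calling role, whose document `aws iam get-policy-version` returns). The `--trust` option can be repeated, so all six source accounts can be trusted in one run, but the boundary owner still has to allow `iam:UpdateAssumeRolePolicy` on the `cdk-*` roles before any later change to the list will apply. Note also that with `--cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess`, every trusted source account deploys into the destination account with full administrative rights.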