stackoom
  简体   繁体   中英

How to deploy CDK with AWS role from Jenkins?

 原文  2020-01-16 08:39:28       amazon-web-services/ jenkins/ amazon-cloudformation/ aws-cdk

Question

Hi I have created CDK project with jenkins. I want to deploy with role. For example cdk deploy with role. For example In cloudformation I was doing like below.

cfn_manage deploy-stack \
  --stack-name "$CFN_CDK_STACK" \
  --template-file "cloudformation/templates/cdk.yml" \
  --parameters-file "$PARAMS_FILE" \
  --role-name infra-cfnrole-location-nonprivileged

Now I have CDK project as below.

checkout scm
              withCredentials([[$class: 'AmazonWebServicesCredentialsBinding',credentialsId: "${env.PROJECT_ID}-aws-${CFN_ENVIRONMENT}"]]) {
                abc = docker.build('cdkimage', "--build-arg http_proxy=${env.http_proxy} --build-arg https_proxy=${env.https_proxy} .")
                abc.inside{
                sh 'ls -la'
                sh "bash ./scripts/build.sh"
              }

Then inside build.sh

NONPRIV_ROLE_NAME='infra-cfnrole-location-nonprivileged'
aws sts assume-role --role-arn 'arn:aws:iam::id:role/infra-cfnrole-location-nonprivileged' --role-session-name jenkins --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text
cdk synth
cdk deploy

This is throwing error

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::id:user/infra-prjauth-location is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::187628286232:role/infra-cfnrole-location-nonprivileged

For the role cfnrole-location-nonprivileged in trusted relationships I have below policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Can someone help me to deploy with role? Any help would be appreciated. Thanks

1 answers

solution1
 0  2020-01-16 09:10:20

I think the issue is that you haven't specifically trusted your IAM User in the IAM Role's trusted relationships.

Assuming that this role has the correct permissions needed for a CDK deploy (see here for more info on that), you need to allow your IAM user to access the role, not cloudformation . Cloudformation already has access to your account resources.

I think this version of the trusted relationships policy should do the trick:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "<full ARN of the relevant user>",
      "Action": "sts:AssumeRole"
    }
  ]
}

Let me know if it works!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS CDK deploy using role How to use aws role arn in cdk deploy command AWS CDK: how to deploy resources to different accounts? How to deploy AWS CDK stacks to multiple accounts? How to deploy AWS CDK app multiple times? How to deploy aws EventBridge with CDK - Python example How to deploy AWS using CDK, sagemaker? How to form cloud formation template without cdk synt and cdk deploy in AWS-CDK app? How to extend AWS CDK with non AWS Resources during deploy How to build with jenkins and deploy on aws?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM