AWS CDK deploy using role

Question

You can find the cdk app that you can use to replicate my issue here varvay/issue-replication.git . The usage instruction explained in the README

I need to deploy CDK app using a role by issuing this command

cdk -r arn:aws:iam::000000000000:role/fooRole deploy

but then an error thrown

Assuming role failed: User: arn:aws:iam::000000000000:user/fooUser is not authorized to 
perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/barRole

to be sure, I tried to simulate it by assuming the arn:aws:iam::000000000000:role/barRole role using arn:aws:iam::000000000000:role/fooRole in AWS IAM Policy Simulator and it works just fine. One thing that bothers me is that the error said that a User tried to assume the role, not Role .

Why is that? or should I assume the fooRole , update the AWS-related environment variable and then deploy? if so then what's the point of having -r option on cdk

as additional information, here's the trust relationship of the barRole

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: 000000000000:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

also I even tried to attach AdministratorAccess AWS managed policy to the fooRole used to deploy

Answer 1

So there are 2 ways you might be running cdk deploy command from.

1- You're running this command from your local computer's CLI using IAM keys. In this case, this role must be assumable by the AWS account (IAM User) being used.

2- You're running this command from any AWS service (cicd agent on EC2 instance for eg:) then the role attached with the instance should be allowed to assume this deployment role.

mention how you're running this command and you might get a better answer.

UPDATE: Based on the updated question:

Add assume role part in your IAM USER not your deployment role. Your IAM User from which you're trying to deploy should be allowed to assume the role through which the CDK will be deployed.

To diagramise it a bit:

(IAM-USER -> Assume -> Role) -> cdk deploy

Answer 2

The error is in the process of cross account role accessing, as is written in your error message.

I assume that you start with AWS configuration for one account, lets call it "Provisioning" and then you need to assume role in different account (dev or prod) depending on branches or something ?

I smell an error in setup of cross account roles. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

One possibility is : the Rolle you want to assume, does not have your provisioning account as trusted entity.

Another is : the user which is trying to assume the role, does not have the policy for that.

Just follow the tutorial from AWS and see what is missing in your setup :)

Answer 3

I managed to fulfill my needs by creating a bash script to switch to the destination role and use the credential to perform the CDK command as the script written below,

#!/bin/bash
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

AWS_CREDENTIAL=$(aws sts assume-role \
--role-arn <destination role ARN> \
--role-session-name <role session name> \
--duration-seconds 3600)

export AWS_ACCESS_KEY_ID=$(echo $AWS_CREDENTIAL \
| jq -r '.Credentials''.AccessKeyId')

export AWS_SECRET_ACCESS_KEY=$(echo $AWS_CREDENTIAL \
| jq -r '.Credentials''.SecretAccessKey')

export AWS_SESSION_TOKEN=$(echo $AWS_CREDENTIAL \
| jq -r '.Credentials''.SessionToken')

cdk deploy

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN