(cli): cdk diff cdk-assume-role-credential-plugin auth issue introduced in v1.75.0 #11792
Comments
scarytom
added
bug
SomayaB
changed the title
|
Ran into this same problem with 1.75.0 and the What seems to trigger it for me is cross account deployment. If I stick to the same account as my AWS profile, it works, but once I include dependent stacks that goes cross account, it fails to assume the role (whereas it worked before). |
|
Reading through the 1.75.0 release notes, the #11350 PR looks like it could have introduced the change that is causing the problem. If I had to guess, it might be due to the change to |
|
I have hit this problem today as well, Anyone found a workaround to this problem? |
|
To all in this thread, I want to stress that cdk-assume-role-credential-plugin is not a recommended plugin to assume roles created by If CDK's built-in auth mechanisms are not always working (such as there being a mismatch between I will describe the flow the auth system goes through, and then you can decide how to set up your auth. You see the credential provider mechanism and the modern bootstrapping/stack synthesis are trying to solve the same problem, and thereby stepping on each other's toes. |
|
@scarytom I'm suprised the behavior between Would you mind running both with |
rix0rrr
added
the
response-requested
Prior to #11350 the prior to #11350 |
|
@rix0rrr thanks for your detailed response. I'm trying to get my head around what you are saying. Take, for example, the second path you describe:
I tried setting my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to credentials in my auth account for a user that has permission to assume the deploy role in the target account. When I run cdk diff, I just get the following output: Doesn't this show that the cli doesn't just use the available creds to assume into |
|
I think the logic for the case where no credential providers are provided is also to strict as the current credential check explicitly matches the account you are deploying / diffing into Also look forward to moving forward without the |
|
@rix0rrr If I read your description of the cdk auth system flow correctly, then the correct way to do this is to have another role in the target account that the cdk-assume-role-credential-plugin is configured to assume before cdk takes over and assumes the appropriate bootstrap roles? If so, what bootstrap roles does this role need to be able to assume, just the cdk-xxx-deploy role, or does it need to be able to assume the cfn-exec or publishing roles too? I believe that I must still use the cdk-assume-role-credential-plugin if my user is in a different account to the target account. Please correct me if there is a way to avoid using the plugin in this scenario. Thanks again. |
github-actions
bot
removed
the
response-requested
CDK bootstrap doesn't create such role yet. New role has to be created for plugin to work, this role permissions should allow it to:
I was able to successfully use plugin to do cross account
|
|
Just wanted to chime in and +1 this comment: #11792 (comment) This is the only reason why I use the I configure the plugin to just use the bootstrap role in And this basically allowed me to get past the I did also try the new Any recommendations on how to get CDK to just attempt to assume the new bootstrap roles vs doing the account ID checking? Right now, it only seems possible with this plugin. |
Well, it was somewhat. The point is that:
You would then completely forego the |
The design goal is that you don't have to. It might be that we broke that though, which your previous comment also seems to indicate. I'll try to confirm. |
|
Ah, yep. Can reproduce. |
This addresses a regression introduced in #11350 and reported in #11792. The original PR added support for using a credential provider as a source for credentials that will be used to assume the CDK Deploy Roles (created by Modern Bootstrapping and used by Default Synthesis). However, by doing so, it broke support for using current AWS credentials to do the same. Closes #11792.
This addresses a regression introduced in #11350 and reported in #11792. The original PR added support for using a credential provider as a source for credentials that will be used to assume the CDK Deploy Roles (created by Modern Bootstrapping and used by Default Synthesis). However, by doing so, it broke support for using current AWS credentials to do the same. ## Original Behavior - In case of legacy stack, use "current credentials" if they are for the right account, otherwise ask credential provider plugins, fail if current credentials are for the wrong account - In case of DefaultSynthesized stack, always use "current credentials" to assume role ## Broken Behavior - In case of legacy stack, use "current credentials" if they are for the right account, otherwise ask credential provider plugins for credentials to the target account, fail if current credentials are for the wrong account - In case of DefaultSynthesized stack, - Use "current credentials" if they are for the right account, otherwise ask credential provider plugins for credentials to the target account, fail if current credentials are for the wrong account (reusing the logic from legacy stacks) - Then assume role using credentials obtained in the previous step The reuse of the same "credential obtaining" logic here broke cross-account role assumption, because we'd fail as soon as the current credentials would be for the wrong account instead of still trying to use them for AssumeRole. ## New Behavior - Try to get "base credentials" for a target environment: - Use "current credentials" if they are for the right account - Ask credential provider plugins - Use "current credentials" if they are for the wrong account (but remember that they were wrong) - In case of a legacy stack: - If the credentials are for the wrong account, fail - In case of a DefaultSynthesized stack: - Use the set of "base credentials" to try to assume the target role - If that succeeds, we're done - (Fallback) If it fails and the base credentials were already for the right account, use them after all. This fallback will allow people already using credential plugins to keep on using them, even when interoperating with DefaultSynthesized stacks. It will also allow people who seed their terminal with "ReadOnly" credentials (which might not have `sts:AssumeRole` permissions) to still run `cdk diff` as in the past. ## Changes to tests There has been a major refactoring of the tests around this. The current way of testing (mocking some calls left and right) was completely insufficient to test these mechanisms properly. I've therefore resorted to implementing a fake, in-memory version of STS's `GetCallerIdentity` and `AssumeRole`, and using the testing library `nock` to redirect network calls to that in-memory service. This will allow us to test the entire chain from our code down to and including the SDK's behavior, and make sure the right behavior happens without worrying about exact call orders. At the same time, the single gigantic test fixture (with the `~/.aws/credentials` and `~/.aws/config` files) was becoming rather cumbersome. Instead, each test now includes just the one or two profile sections it uses, and a helper function creates both the config files as well as immediately creates those users in-memory in the fake STS service. Closes #11792. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
This addresses a regression introduced in aws#11350 and reported in aws#11792. The original PR added support for using a credential provider as a source for credentials that will be used to assume the CDK Deploy Roles (created by Modern Bootstrapping and used by Default Synthesis). However, by doing so, it broke support for using current AWS credentials to do the same. ## Original Behavior - In case of legacy stack, use "current credentials" if they are for the right account, otherwise ask credential provider plugins, fail if current credentials are for the wrong account - In case of DefaultSynthesized stack, always use "current credentials" to assume role ## Broken Behavior - In case of legacy stack, use "current credentials" if they are for the right account, otherwise ask credential provider plugins for credentials to the target account, fail if current credentials are for the wrong account - In case of DefaultSynthesized stack, - Use "current credentials" if they are for the right account, otherwise ask credential provider plugins for credentials to the target account, fail if current credentials are for the wrong account (reusing the logic from legacy stacks) - Then assume role using credentials obtained in the previous step The reuse of the same "credential obtaining" logic here broke cross-account role assumption, because we'd fail as soon as the current credentials would be for the wrong account instead of still trying to use them for AssumeRole. ## New Behavior - Try to get "base credentials" for a target environment: - Use "current credentials" if they are for the right account - Ask credential provider plugins - Use "current credentials" if they are for the wrong account (but remember that they were wrong) - In case of a legacy stack: - If the credentials are for the wrong account, fail - In case of a DefaultSynthesized stack: - Use the set of "base credentials" to try to assume the target role - If that succeeds, we're done - (Fallback) If it fails and the base credentials were already for the right account, use them after all. This fallback will allow people already using credential plugins to keep on using them, even when interoperating with DefaultSynthesized stacks. It will also allow people who seed their terminal with "ReadOnly" credentials (which might not have `sts:AssumeRole` permissions) to still run `cdk diff` as in the past. ## Changes to tests There has been a major refactoring of the tests around this. The current way of testing (mocking some calls left and right) was completely insufficient to test these mechanisms properly. I've therefore resorted to implementing a fake, in-memory version of STS's `GetCallerIdentity` and `AssumeRole`, and using the testing library `nock` to redirect network calls to that in-memory service. This will allow us to test the entire chain from our code down to and including the SDK's behavior, and make sure the right behavior happens without worrying about exact call orders. At the same time, the single gigantic test fixture (with the `~/.aws/credentials` and `~/.aws/config` files) was becoming rather cumbersome. Instead, each test now includes just the one or two profile sections it uses, and a helper function creates both the config files as well as immediately creates those users in-memory in the fake STS service. Closes aws#11792. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I recently upgraded from v1.74.0 to v1.75.0, and our cdk diff started failing with the an auth error. We use the cdk-assume-role-credential-plugin to allow cdk to run via a user in our central authentication account.
Strangely, cdk deploy works fine, so this only affects cdk diff.
Reproduction Steps
We bootstrap our account using the CloudFormation template (https://raw.githubusercontent.com/aws/aws-cdk/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml) with the following params:
"TrustedAccounts": "our auth account id",
"Qualifier": "infra",
"CloudFormationExecutionPolicies": "arn:aws:iam::aws:policy/AdministratorAccess"
What did you expect to happen?
cdk diff should output differences between the stack definitions and the current deployed stacks.
What actually happened?
We get the following error message:
Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): User: arn:aws:sts::676932xxxxxx:assumed-role/cdk-infra-deploy-role-676932xxxxxx-us-east-1/676932xxxxxx-0-session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::676932xxxxxx:role/cdk-infra-deploy-role-676932xxxxxx-us-east-1
Environment
We run our CDK in the following docker container, if that helps at all:
https://hub.docker.com/repository/docker/strategicblue/cdk
Other
The failure message is weird, because it suggests that cdk has already assumed the correct role in the target account, but is then trying to assume the role again, and that role doesn't have sts permissions to assume itself, so that fails.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: