(cli): Watch mode doesn't assume-role for cross-account deploys #20878

Open
mikestopcontinues opened this issue Jun 26, 2022 · 3 comments
Labels
effort/large Large work item – several weeks of effort feature-request A feature should be added or improved. hotswap p2 package/tools Related to AWS CDK Tools or CLI

Comments

@mikestopcontinues

Describe the bug

Simply adding --watch breaks cross-account deploys.

Expected Behavior

🚀

Current Behavior

❌  SomeStack failed: Error: Need to perform AWS calls for account 000000000000, but the current credentials are for 111111111111

Reproduction Steps

Take any cross-account deploy and try to watch for changes. I reproduced the effect in two projects.

Possible Solution

My only guess is that it was simply forgotten in the watch implementation. Or that it was excluded for speed?

Additional Information/Context

Thanks!

CDK CLI Version

2.29.1

Framework Version

No response

Node.js Version

16.x

OS

OSX 12.3.1

Language

Typescript

Language Version

No response

Other information

No response

@mikestopcontinues mikestopcontinues added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 26, 2022
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Jun 26, 2022
@rix0rrr
Contributor

rix0rrr commented Jul 7, 2022

I think you are right (this is actually not about --watch but about --hotswap, although one implies the other), and if I recall correctly this was an intentional omission of the cdk watch MVP launch (though I see it currently goes undocumented).

The reason is that the bootstrap roles are laid out as follows:

  • deploy-role
    • can be assumed by the CLI
    • allowed to call cloudformation:CreateChangeSet (only)
  • cfn-exec-role
    • can be assumed by CloudFormation (and only by CloudFormation)
    • allowed to call lambda:UpdateFunctionCode

To do a --hotswap deployment however, we need a role that:

  • Can be assumed by the CLI
  • Can call lambda:UpdateFunctionCode

And there is currently no such role.

I will update the documentation to document this limitation. It's a somewhat significant engineering project to fix this, so don't count on it any time soon.

In the meantime, I would suggest you get the target account credentials directly and invoke the CLI with the credentials in the shell.

@rix0rrr rix0rrr added effort/large Large work item – several weeks of effort feature-request A feature should be added or improved. p1 and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 7, 2022
@rix0rrr rix0rrr removed their assignment Jul 7, 2022
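
The role layout described in the comment above, modelled as an added example (not part of the thread and not CDK code): constructed, simplified trust and permission policies are searched for a role that the CLI principal can assume and that also allows `lambda:UpdateFunctionCode`. The policy documents, the caller ARN and all function names are assumptions; `Resource`, `Condition` and `NotAction` elements are ignored.

```javascript
// Constructed, simplified policy documents modelling the two bootstrap roles as
// the comment describes them. Account IDs are the placeholders from the issue.
const CLI_PRINCIPAL = 'arn:aws:iam::111111111111:root'; // assumed caller identity
const roles = {
  'deploy-role': {
    trust: { Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole',
      Principal: { AWS: CLI_PRINCIPAL } }] },
    permissions: { Statement: [{ Effect: 'Allow', Resource: '*',
      Action: 'cloudformation:CreateChangeSet' }] },
  },
  'cfn-exec-role': {
    trust: { Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole',
      Principal: { Service: 'cloudformation.amazonaws.com' } }] },
    permissions: { Statement: [{ Effect: 'Allow', Resource: '*',
      Action: ['lambda:UpdateFunctionCode'] }] },
  },
};

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns may contain '*'; matching is case-insensitive.
function actionMatches(pattern, action) {
  const re = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${re}$`, 'i').test(action);
}

// True if an Allow statement in the trust policy names this principal.
function canAssume(role, kind, principal) {
  return asArray(role.trust.Statement).some((s) => s.Effect === 'Allow' &&
    asArray(s.Action).some((a) => actionMatches(a, 'sts:AssumeRole')) &&
    asArray((s.Principal || {})[kind]).includes(principal));
}

// True if an Allow statement grants the action and no Deny statement matches it.
function allows(role, action) {
  const hit = (effect) => asArray(role.permissions.Statement).some((s) =>
    s.Effect === effect && asArray(s.Action).some((a) => actionMatches(a, action)));
  return hit('Allow') && !hit('Deny');
}

// Roles that the given principal can assume AND that allow the action.
function rolesUsableFor(roleSet, kind, principal, action) {
  return Object.keys(roleSet).filter((name) =>
    canAssume(roleSet[name], kind, principal) && allows(roleSet[name], action));
}

console.log(rolesUsableFor(roles, 'AWS', CLI_PRINCIPAL, 'lambda:UpdateFunctionCode'));
```

The empty result for the CLI principal is the gap the comment names: each requirement is met by a different role, and neither role meets both.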
@rix0rrr
Contributor

rix0rrr commented Jul 7, 2022

@mikestopcontinues
Author

Good to know! I wish there was a single spot for documentation. I live in the API docs and the AWS docs. You don't typically find projects with an official doc site where the readme has anything of interest.

3 participants