(pipelines): (Could not assume role in target account using current credentials) #29479
Labels: @aws-cdk/pipelines, bug, needs-reproduction, p2
Describe the bug
My pipeline has a dedicated AWS account (accountA) while deployed resources have a dedicated AWS account (accountB). Up to this point, the pipeline was working properly. Adding a LambdaInvoke step to invoke a Lambda in accountB (cross-account) caused a problem in the pipeline.
Expected Behavior
Pipeline works
Current Behavior
In the update pipeline, the self-mutate task, I am encountering the following error:
Error: Could not assume role in target account using current credentials (which are for account ACCOUNT-A) User: arn:aws:sts::ACCOUNT-A:assumed-role/RolePipeline/AWSCodeBuild-XXXX is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNT-B:role/cdk-hnb659fds-deploy-role-ACCOUNTB-eu-west-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Reproduction Steps
I added this construct to my pipeline
Possible Solution
I've seen a similar issue, #19686, but I don't think it's a lookup problem. I tried to insert the tag lookup and run cdk synth, but I don't have any cdk.context.json.
Maybe it's a misconfiguration problem. Can you help me?
Additional Information/Context
I deployed the pipeline using the AWS CLI to force an update, but it still isn't working.
I added a trust relationship to the account B Lambda for account A.
CDK CLI Version
2.118.0
Framework Version
projen 0.79.10
Node.js Version
v18.18.2
OS
WSL Ubuntu
Language
TypeScript
Language Version
TypeScript
Other information
No response