aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

bootstrap:failing with IAM roles even when using a full administrator account #27067

Closed c0debreaker closed 1 year ago

c0debreaker commented 1 year ago

Describe the bug

Unable to cdk bootstrap. I am getting tons of errors relating to IAM issues. I've tried versions 2.93.0 and 2.95.0 of aws-cdk with no luck. Here is the result of cdk bootstrap. I also tried it on 2 different AWS accounts.

$ cdk bootstrap
⏳ Bootstrapping environment aws://1111222233334/us-east-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...
8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | LookupRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | FilePublishingRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-file-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-image-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

❌ Environment aws://1111222233334/us-east-1 failed bootstrapping: Error: The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action
at FullCloudFormationDeployment.monitorDeployment (/Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:443:10236)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async /Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:448:2104
at async Promise.all (index 0)
at async CdkToolkit.bootstrap (/Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:448:1949)
at async exec4 (/Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:521:52797)

The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

Expected Behavior

cdk bootstrap should have properly prepared the environment

Current Behavior

It's failing with IAM permissions, but I am an administrator.

Reproduction Steps

Before running cdk bootstrap, I had to export 3 AWS env variables to make my credentials work. The account I used has admin rights.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.95.0

Framework Version

No response

Node.js Version

18.17.1

OS

macos

Language

Python

Language Version

Python 3.9.0

Other information

No response

peterwoodworth commented 1 year ago

From the error message it looks like you're not an admin, but rather User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation.

peterwoodworth commented 1 year ago

Actually, are you a root user, or are you an IAM user with admin perms?

c0debreaker commented 1 year ago

Actually, are you a root user, or are you an IAM user with admin perms?

The latter. I am AD SSO authenticated with full admin permissions.

However, I found out that there is a role being used when I run cdk bootstrap. It was using a role called cdk-toolkit. I added the missing permissions one by one until I was able to successfully deploy the resource.

What's still a mystery to me is why and how it is using the cdk-toolkit IAM role. I didn't specify it on the command line, nor did I find it in my code. Does the cdk tool use that by default?

peterwoodworth commented 1 year ago

I've never seen this role before, and I can't find any references to it in our code or documentation. It's weird that it's throwing "is not authorized to perform" here multiple times on different resources; I am not sure I've seen that occur during CloudFormation deployment before. I'll check to see if anyone else has seen this.

peterwoodworth commented 1 year ago

@c0debreaker I have a few questions.

github-actions[bot] commented 1 year ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

fidothe commented 2 months ago

This is happening to me now, with the same role errors reported by the original reporter, but without the cdk-toolkit role.

I'm using a user created with IAM Identity Center that has the standard arn:aws:iam::aws:policy/AdministratorAccess policy attached to its permission set.

To address @peterwoodworth's last set of questions:

Can you verify if this role is in IAM in your account? Could you verify that the output of aws sts get-caller-identity is what you expect,

The role reported by aws sts get-caller-identity seems like the correct one, but obviously there's a degree of indirection from the role assumption. It looks legit, though.

Are you running this command within the context of a CDK app? If you're running this within the context of a CDK app, try moving outside of a CDK app and then running cdk bootstrap aws:/// -v and posting the output

I was. I have also tried running with the explicit aws://... URL and the results were the same.

Here's the output from cdk bootstrap -v

This is with node 22.7.0 and aws-cdk 2.155.0

 ⏳  Bootstrapping environment aws://341538367464/eu-west-2...
[22:02:16] Waiting for stack CDKToolkit to finish creating or updating...
[22:02:16] Call failed: describeStacks({"StackName":"CDKToolkit"}) => Stack with id CDKToolkit does not exist (code=ValidationError)
[22:02:16] Stack CDKToolkit does not exist
[22:02:16] The environment aws://341538367464/eu-west-2 doesn't have the CDK toolkit stack (CDKToolkit) installed. Use cdk bootstrap "aws://341538367464/eu-west-2" to setup your environment for use with the toolkit.
[22:02:16] Retrieved account ID 341538367464 from disk cache
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
[22:02:16] Call failed: describeStacks({"StackName":"CDKToolkit"}) => Stack with id CDKToolkit does not exist (code=ValidationError)
[22:02:16] CDKToolkit: checking if we can skip deploy
[22:02:16] CDKToolkit: no existing stack
[22:02:16] CDKToolkit: deploying...
[22:02:16] Attempting to create ChangeSet with name cdk-deploy-change-set to create stack CDKToolkit
CDKToolkit: creating CloudFormation changeset...
[22:02:16] Initiated creation of changeset: arn:aws:cloudformation:eu-west-2:341538367464:changeSet/cdk-deploy-change-set/11e433a0-e620-4834-9c77-7d1653c6943a; waiting for it to finish creating...
[22:02:16] Waiting for changeset cdk-deploy-change-set on stack CDKToolkit to finish creating...
[22:02:16] Changeset cdk-deploy-change-set on stack CDKToolkit is still creating
[22:02:22] Initiating execution of changeset arn:aws:cloudformation:eu-west-2:341538367464:changeSet/cdk-deploy-change-set/11e433a0-e620-4834-9c77-7d1653c6943a on stack CDKToolkit
[22:02:22] Execution of changeset arn:aws:cloudformation:eu-west-2:341538367464:changeSet/cdk-deploy-change-set/11e433a0-e620-4834-9c77-7d1653c6943a on stack CDKToolkit has started; waiting for the update to complete...
[22:02:22] Waiting for stack CDKToolkit to finish creating or updating...
[22:02:22] Stack CDKToolkit has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS (User Initiated))
[22:02:27] Stack CDKToolkit has an ongoing operation in progress and is not stable (ROLLBACK_IN_PROGRESS)
CDKToolkit |  0/12 | 22:02:16 | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack | CDKToolkit User Initiated
CDKToolkit |  0/12 | 22:02:22 | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack | CDKToolkit User Initiated
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::S3::Bucket         | StagingBucket
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole Failed to check if policy already exists due to lack of getRolePolicy permission, you might be overriding or adopting an existing policy on this Role
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::ECR::Repository    | ContainerAssetsRepository Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::SSM::Parameter     | CdkBootstrapVersion Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)
CDKToolkit |  0/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied)
CDKToolkit |  1/12 | 22:02:26 | CREATE_COMPLETE      | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  2/12 | 22:02:26 | CREATE_COMPLETE      | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  2/12 | 22:02:26 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole Resource creation Initiated
CDKToolkit |  2/12 | 22:02:26 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 1b2fc962-aa57-491a-9ac1-c8c1bba03736)
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied)
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | LookupRole Resource creation cancelled
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::S3::Bucket         | StagingBucket Resource creation cancelled
CDKToolkit |  2/12 | 22:02:26 | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit The following resource(s) failed to create: [ImagePublishingRole, FilePublishingRole, LookupRole, StagingBucket, CloudFormationExecutionRole]. Rollback requested by user.
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_SKIPPED       | AWS::S3::Bucket         | StagingBucket
CDKToolkit |  1/12 | 22:02:29 | DELETE_COMPLETE      | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  0/12 | 22:02:29 | DELETE_COMPLETE      | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DetachRolePolicy on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DetachRolePolicy action (Service: Iam, Status Code: 403, Request ID: 9e9cb0fc-428d-4254-86d5-a51cc9086266)" (RequestToken: f4e7cf81-5ac9-1aac-eb40-86853d9d57ac, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | LookupRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRolePolicy on resource: role cdk-hnb659fds-lookup-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRolePolicy action (Service: Iam, Status Code: 403, Request ID: e077cb02-898e-4175-92ac-687f844d8919)" (RequestToken: f6715cee-9b33-cecb-1572-1641fd654156, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 71c798ab-e31d-4ffa-9954-e23bc0d389f8)" (RequestToken: acff83e5-213e-f76d-a9dd-46fdae365ca2, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 622953fc-b92f-4dbc-a3a9-06983f5d05c7)" (RequestToken: 14fa52d0-7b13-ff49-4d93-e223e7a88495, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | ROLLBACK_FAILED      | AWS::CloudFormation::Stack | CDKToolkit The following resource(s) failed to delete: [ImagePublishingRole, FilePublishingRole, LookupRole, CloudFormationExecutionRole].

Failed resources:
CDKToolkit | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DetachRolePolicy on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DetachRolePolicy action (Service: Iam, Status Code: 403, Request ID: 9e9cb0fc-428d-4254-86d5-a51cc9086266)" (RequestToken: f4e7cf81-5ac9-1aac-eb40-86853d9d57ac, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | LookupRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRolePolicy on resource: role cdk-hnb659fds-lookup-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRolePolicy action (Service: Iam, Status Code: 403, Request ID: e077cb02-898e-4175-92ac-687f844d8919)" (RequestToken: f6715cee-9b33-cecb-1572-1641fd654156, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 71c798ab-e31d-4ffa-9954-e23bc0d389f8)" (RequestToken: acff83e5-213e-f76d-a9dd-46fdae365ca2, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 622953fc-b92f-4dbc-a3a9-06983f5d05c7)" (RequestToken: 14fa52d0-7b13-ff49-4d93-e223e7a88495, HandlerErrorCode: AccessDenied)
 ❌  Environment aws://341538367464/eu-west-2 failed bootstrapping: Error: The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_FAILED (The following resource(s) failed to delete: [ImagePublishingRole, FilePublishingRole, LookupRole, CloudFormationExecutionRole]. ): Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (/opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:452:10567)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async /opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:457:2348
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:457:2193)
    at async exec4 (/opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:510:54361)
[22:02:33] Reading cached notices from /Users/matt/.cdk/cache/notices.json

The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_FAILED (The following resource(s) failed to delete: [ImagePublishingRole, FilePublishingRole, LookupRole, CloudFormationExecutionRole]. ): Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
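
A triage script, added here as an example and not part of the CDK project or either reporter's code, that parses the AccessDenied messages quoted in this thread (both the cdk CLI summary format in the first report and the stack-event format in the verbose output above) and answers in one pass the two questions raised: which principal CloudFormation was acting as, and which actions that principal was denied on which resources. The sample lines, the account ID 123456789012 and the user name are constructed placeholders.

```python
"""Triage helper for CloudFormation AccessDenied output from cdk bootstrap:
extract the principal CloudFormation acted as, the denied IAM actions and
the resources, then aggregate them per principal."""
import re
from collections import defaultdict

# Shape of the message CloudFormation surfaces both in the cdk CLI summary line
# ("API: iam:GetRole User: <arn> is not authorized to perform: ... because ...")
# and in stack events ('Resource handler returned message: "User: <arn> ... (Service: Iam, ...)"').
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d+:\S+) "
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:\w+)"
    r"(?: on resource: (?P<resource>.+?))?"
    r"(?: because (?P<reason>.+?))?"
    r'(?= \(Service:|"|,|$)',
    re.MULTILINE,
)

PRINCIPAL_RE = re.compile(
    r"arn:aws:(?:iam|sts)::(?P<account>\d+):"
    r"(?P<kind>root|user|role|assumed-role|federated-user)(?:/(?P<path>.+))?$"
)


def classify_principal(arn):
    """Split a principal ARN into account, kind, name and (for STS) session name.

    'assumed-role/cdk-toolkit/AWSCloudFormation' -> role cdk-toolkit, session AWSCloudFormation;
    'user/matt' -> IAM user matt; ':root' -> the account root user.
    """
    m = PRINCIPAL_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn}")
    kind, path = m["kind"], m["path"]
    name, session = path, None
    if kind == "assumed-role" and path and "/" in path:
        name, session = path.split("/", 1)  # role name, then session name
    return {"account": m["account"], "kind": kind, "name": name, "session": session}


def summarize_denials(output):
    """Map each principal to {action: sorted resources} across every AccessDenied message.

    cdk prints the same denial several times (event list, failed-resources
    summary, final error); the set collapses those duplicates.
    """
    denials = defaultdict(lambda: defaultdict(set))
    for m in DENIED_RE.finditer(output):
        denials[m["principal"]][m["action"]].add(m["resource"] or "*")
    return {p: {a: sorted(r) for a, r in acts.items()} for p, acts in denials.items()}


def missing_actions(output):
    """The distinct IAM actions the output shows as denied, collected in one pass."""
    return sorted({a for acts in summarize_denials(output).values() for a in acts})


# Constructed sample modelled on the two message formats in this issue
# (account ID, user name and request IDs are placeholders, not values from the thread).
SAMPLE = """\
API: iam:GetRole User: arn:aws:sts::123456789012:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-123456789012-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::123456789012:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-123456789012-us-east-1 because no identity-based policy allows the iam:GetRole action
CDKToolkit | 22:02:26 | CREATE_FAILED | AWS::IAM::Role | LookupRole Resource handler returned message: "User: arn:aws:iam::123456789012:user/example is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-123456789012-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 00000000-0000-0000-0000-000000000001)" (RequestToken: 00000000-0000-0000-0000-000000000002, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED | AWS::IAM::Role | LookupRole Resource handler returned message: "User: arn:aws:iam::123456789012:user/example is not authorized to perform: iam:DeleteRolePolicy on resource: role cdk-hnb659fds-lookup-role-123456789012-eu-west-2 because no identity-based policy allows the iam:DeleteRolePolicy action (Service: Iam, Status Code: 403, Request ID: 00000000-0000-0000-0000-000000000003)" (RequestToken: 00000000-0000-0000-0000-000000000004, HandlerErrorCode: AccessDenied)
"""

if __name__ == "__main__":
    for principal, actions in summarize_denials(SAMPLE).items():
        who = classify_principal(principal)
        label = f"{who['kind']} {who['name']}" + (f" (session {who['session']})" if who["session"] else "")
        print(f"{principal}\n  acting as {label} in account {who['account']}")
        for action, resources in actions.items():
            print(f"  denied {action} on {len(resources)} resource(s): {', '.join(resources)}")
    print("actions to grant or investigate:", ", ".join(missing_actions(SAMPLE)))
```

Feed it the full `cdk bootstrap -v` output to see at a glance whether the denied principal is the caller from `aws sts get-caller-identity` or, as in the first report, an assumed role whose session name identifies CloudFormation.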

fidothe commented 2 months ago

@peterwoodworth If I re-run the cdk bootstrap using a traditional IAM user with the same canned AdministratorAccess permissions instead of an IAM Identity Center user, it bootstraps fine.