aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.33k stars 3.76k forks

(core): SdkProvider.forEnvironment uses wrong credentials in Bitbucket with OIDC #29100

Open kornicameister opened 4 months ago

kornicameister commented 4 months ago

Describe the bug

I am using Bitbucket pipelines and my authorization is configured via OIDC. I can, without any issue, deploy the stacks and other artifacts using the configured role.

Stack deployments happen via CDK's exec role that the CICD role is able to assume. For the sake of the bug, let's assume:

If I do not make an attempt to use --hotswap-fallback I can deploy from CICD without a problem. The moment I try to use it I get:

stack-name (stack-name-pr-90) failed: Error: Need to perform AWS calls for account 1111111, but the current credentials are for 000000
    at SdkProvider.forEnvironment (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:391:13242)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async tryHotswapDeployment (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:422:17368)
    at async deployStack (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:428:652)
    at async Object.deployStack2 [as deployStack] (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:431:196745)
    at async /opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:431:178714

It seems the problem lies in how SdkProvider.forEnvironment works.

What is quite important to mention is that this error happens at the end of the pipeline. Before that error I have a bunch of activity related to publishing assets into deployment account 1111111 and those calls work perfectly:

[09:00:27] Checking for previously published assets
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-image-publishing-role-11111111-eu-central-1'.
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:00:29] stack-name-pr-90:  check: Check 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:00:30] stack-name-pr-90:  found: Found 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:00:30] 15 total assets, 0 still need to be published
ays-reseller-cms-api-testing (stack-name-pr-90): deploying... [1/1]
[09:00:30] Retrieved account ID 0000000 from disk cache
[09:00:31] Call failed: describeStacks({"StackName":"stack-name-pr-90"}) => Stack with id stack-name-pr-90 does not exist (code=ValidationError)
[09:00:31] stack-name-pr-90: checking if we can skip deploy
[09:00:31] stack-name-pr-90: no existing stack
[09:00:31] stack-name-pr-90: deploying...

Below you can find logs from execution without --hotswap-fallback:

[09:44:50] Checking for previously published assets
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:44:52] Retrieved account ID 0000000 from disk cache
[09:44:52] Retrieved account ID 0000000 from disk cache
[09:44:52] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-image-publishing-role-11111111-eu-central-1'.
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:44:52] stack-name-pr-90:  check: Check 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:44:53] stack-name-pr-90:  found: Found 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:44:53] 15 total assets, 0 still need to be published
ays-reseller-cms-api-testing (stack-name-pr-90): deploying... [1/1]
[09:44:53] Retrieved account ID 0000000 from disk cache
[09:44:54] Call failed: describeStacks({"StackName":"stack-name-pr-90"}) => Stack with id stack-name-pr-90 does not exist (code=ValidationError)
[09:44:54] stack-name-pr-90: checking if we can skip deploy
[09:44:54] stack-name-pr-90: no existing stack
[09:44:54] stack-name-pr-90: deploying...
[09:44:54] Attempting to create ChangeSet with name cdk-deploy-change-set to create stack stack-name-pr-90
stack-name-pr-90: creating CloudFormation changeset...
[09:44:55] Initiated creation of changeset: arn:aws:cloudformation:eu-central-1:11111111:changeSet/cdk-deploy-change-set/d1cf9d21-17ef-4be3-aa44-a86069931c26; waiting for it to finish creating...
[09:44:55] Waiting for changeset cdk-deploy-change-set on stack stack-name-pr-90 to finish creating...
[09:44:55] Changeset cdk-deploy-change-set on stack stack-name-pr-90 is still creating
[09:45:01] Changeset cdk-deploy-change-set on stack stack-name-pr-90 is still creating
[09:45:06] Changeset cdk-deploy-change-set on stack stack-name-pr-90 is still creating
[09:45:13] Initiating execution of changeset arn:aws:cloudformation:eu-central-1:11111111:changeSet/cdk-deploy-change-set/d1cf9d21-17ef-4be3-aa44-a86069931c26 on stack stack-name-pr-90
[09:45:14] Execution of changeset arn:aws:cloudformation:eu-central-1:11111111:changeSet/cdk-deploy-change-set/d1cf9d21-17ef-4be3-aa44-a86069931c26 on stack stack-name-pr-90 has started; waiting for the update to complete...
[09:45:14] Waiting for stack stack-name-pr-90 to finish creating or updating...
[09:45:14] Stack stack-name-pr-90 has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS (User Initiated))
[09:45:20] Stack stack-name-pr-90 has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS)
stack-name-pr-90 |   0/136 | 9:44:55 AM | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack                    | stack-name-pr-90 User Initiated
stack-name-pr-90 |   0/136 | 9:45:14 AM | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack                    | stack-name-pr-90 User Initiated
[09:45:25] Stack stack-name-pr-90 has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS)

Expected Behavior

I can use --hotswap-fallback in the CICD environment of Bitbucket that is using OIDC authorization.

Current Behavior

Stack cannot be deployed with --hotswap-fallback

Reproduction Steps

N/A

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.121.1

Framework Version

No response

Node.js Version

20.8

OS

Debian (BB Pipeline)

Language

TypeScript

Language Version

No response

Other information

No response
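
An added triage example (not code from the issue or from aws-cdk): it parses a verbose `cdk deploy` log in the line formats quoted above and reports which account the base credentials belong to, which roles were assumed in which account, and whether the account-mismatch error names an account whose roles were already assumed earlier in the same run. The sample log is constructed and uses consistent 12-digit placeholder account IDs; `summarizeCdkLog` and the verdict names are hypothetical.

```typescript
// Added example, not aws-cdk code. Line formats follow the log excerpts in the issue.
interface Mismatch { needed: string; actual: string; }
interface CredentialSummary {
  baseAccounts: string[];                         // accounts the base credentials resolved to
  assumedRoles: { [account: string]: string[] };  // account -> distinct role names assumed there
  mismatch: Mismatch | null;                      // parsed "Need to perform AWS calls ..." error
  verdict: 'ok' | 'target-roles-assumable' | 'no-role-in-target';
}

const BASE_RE = /Retrieved account ID (\d+) from disk cache/;
const ROLE_RE = /Assuming role 'arn:aws:iam::(\d+):role\/([^']+)'/;
const FAIL_RE = /Need to perform AWS calls for account (\d+), but the current credentials are for (\d+)/;

function pushUnique(list: string[], value: string): void {
  if (list.indexOf(value) === -1) { list.push(value); }
}

function summarizeCdkLog(log: string): CredentialSummary {
  const baseAccounts: string[] = [];
  const assumedRoles: { [account: string]: string[] } = {};
  let mismatch: Mismatch | null = null;

  const lines = log.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const base = BASE_RE.exec(line);
    if (base) { pushUnique(baseAccounts, base[1]); continue; }
    const role = ROLE_RE.exec(line);
    if (role) {
      if (!assumedRoles[role[1]]) { assumedRoles[role[1]] = []; }
      pushUnique(assumedRoles[role[1]], role[2]);
      continue;
    }
    const fail = FAIL_RE.exec(line);
    if (fail) { mismatch = { needed: fail[1], actual: fail[2] }; }
  }

  // 'target-roles-assumable': roles in the needed account were assumed earlier in
  // the run, so the failing call was made with the base credentials instead.
  // 'no-role-in-target': no role in the needed account was assumed at all, which
  // points at the trust/bootstrap setup rather than at one code path.
  let verdict: CredentialSummary['verdict'] = 'ok';
  if (mismatch !== null) {
    const roles = assumedRoles[mismatch.needed];
    verdict = roles && roles.length > 0 ? 'target-roles-assumable' : 'no-role-in-target';
  }
  return { baseAccounts, assumedRoles, mismatch, verdict };
}

// Constructed sample log (placeholder account IDs, same line shapes as the issue).
const SAMPLE_LOG = [
  "[09:00:27] Retrieved account ID 000000000000 from disk cache",
  "[09:00:27] Assuming role 'arn:aws:iam::111111111111:role/cdk-qualifier-deploy-role-111111111111-eu-central-1'.",
  "[09:00:28] Retrieved account ID 000000000000 from disk cache",
  "[09:00:28] Assuming role 'arn:aws:iam::111111111111:role/cdk-qualifier-file-publishing-role-111111111111-eu-central-1'.",
  "[09:00:31] stack-name-pr-90: deploying...",
  "stack-name (stack-name-pr-90) failed: Error: Need to perform AWS calls for account 111111111111, but the current credentials are for 000000000000",
].join('\n');

console.log(JSON.stringify(summarizeCdkLog(SAMPLE_LOG), null, 2));
```

The account IDs in the issue are redacted to different lengths in the error message and in the log, so a real log has to be fed in with its actual 12-digit IDs for the account comparison to match.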

pahud commented 4 months ago

CICD account 000000 configured OIDC role for Bitbucket
Test account 1111111 has CDK toolkit configured

So your pipeline account is 000000 and deploying account is 1111111.

How did you bootstrap the account 1111111? Did you add the --trust and --trust-for-lookup for 000000?

kornicameister commented 4 months ago

It's not a pipeline account per se. 000000 configures the CICD role that is used inside Bitbucket pipelines. Said role can work with CDK toolkit that's deployed in 1111111.

And yes, the parameters you've mentioned had been set between the accounts.

Here's the piece of code from my codebase that deploys the OUs and accounts:

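    // `parameters`, `props` and `qualifier` are defined outside this excerpt.
    // When a CICD account is given, pass it as the bootstrap template's TrustedAccounts parameter.
    if (props.cicdAccount) {
      parameters = {
        ...parameters,
        TrustedAccounts: [props.cicdAccount],
      };
    }
    // Include the generated bootstrap template (CfnInclude is from aws-cdk-lib/cloudformation-include).
    const tpl = new CfnInclude(this, 'BootstrapTemplate', {
      templateFile: 'bootstrap/bootstrap.yml',
      preserveLogicalIds: false,
      parameters: {
        ...parameters,
        Qualifier: qualifier,
      },
    });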

bootstrap.yml is the CFN template that cdk bootstrap generates. I am utilizing stack sets to deploy the same CDK toolkit to numerous accounts at a time.