aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

[CLI] Unable to bootstrap an IAM User account #9570

Closed jithinjudepaule closed 3 years ago

jithinjudepaule commented 4 years ago

I created an admin user (adminprod) using my root account and tried to bootstrap this environment by running

npx cdk bootstrap --profile adminprod --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://adminprod/ap-south-1

I configured the IAM user credentials via the .aws/credentials and .aws/config files. However, I am unable to bootstrap and get the error below:

Bootstrapping environment aws://adminprod/ap-south-1...
 Environment aws://adminprod/ap-south-1 failed bootstrapping: Error: Need to perform AWS calls for account adminprod, but the current credentials are for xxxxxxxxxx(rootaccount).
 at SdkProvider.obtainCredentials (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\lib\api\aws-auth\sdk-provider.ts:231:11)
 at SdkProvider.forEnvironment (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\lib\api\aws-auth\sdk-provider.ts:117:19)
 at Object.deployBootstrapStack (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\lib\api\bootstrap\deploy-bootstrap.ts:24:15)
 at F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\lib\cdk-toolkit.ts:359:24
 at async Promise.all (index 0)
 at CdkToolkit.bootstrap (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\lib\cdk-toolkit.ts:356:5)
 at main (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\bin\cdk.ts:244:16)
 at initCommandLine (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\aws-cdk\bin\cdk.ts:188:9)
Need to perform AWS calls for account adminprod, but the current credentials are for xxxxxxxxxxxxxxx.

The verbose version is:

CDK toolkit version: 1.57.0 (build 2ccfc50)
Command line arguments: {
  _: [ 'bootstrap' ],
  profile: 'adminprod',
  'cloudformation-execution-policies': [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
  cloudformationExecutionPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ],
  v: 1,
  verbose: 1,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  fail: false,
  'bootstrap-bucket-name': undefined,
  b: undefined,
  'toolkit-bucket-name': undefined,
  toolkitBucketName: undefined,
  bootstrapBucketName: undefined,
  'bootstrap-kms-key-id': undefined,
  bootstrapKmsKeyId: undefined,
  qualifier: undefined,
  'public-access-block-configuration': true,
  publicAccessBlockConfiguration: true,
  tags: [],
  t: [],
  execute: true,
  trust: [],
  force: false,
  f: false,
  'termination-protection': false,
  terminationProtection: false,
  '$0': 'node_modules\\aws-cdk\\bin\\cdk',
  ENVIRONMENTS: [ 'aws://adminprod/ap-south-1' ],
  environments: [ 'aws://adminprod/ap-south-1' ]
}
cdk.json: {
  "app": "npx ts-node bin/cdkpipelines-demo.ts",
  "context": {
    "@aws-cdk/core:enableStackNameDuplicates": "true",
    "aws-cdk:enableDiffNoFail": "true",
    "@aws-cdk/core:newStyleStackSynthesis": true
  }
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node bin/cdkpipelines-demo.ts',
  context: {
    '@aws-cdk/core:enableStackNameDuplicates': 'true',
    'aws-cdk:enableDiffNoFail': 'true',
    '@aws-cdk/core:newStyleStackSynthesis': true
  },
  tags: [],
  assetMetadata: true,
  profile: 'adminprod',
  toolkitBucket: {},
  staging: true
}
Determining whether we're on an EC2 instance.
Does not look like EC2 instance.
Toolkit stack: CDKToolkit
'@aws-cdk/core:newStyleStackSynthesis' context set, using new-style bootstrapping
Setting "CDK_DEFAULT_REGION" environment variable to ap-south-1
Resolving default credentials
Looking up default account ID from STS
Default account ID: xxxxxxxxxxxxxxxx
Setting "CDK_DEFAULT_ACCOUNT" environment variable to xxxxxxxxxxxxxx
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws-cdk:enableDiffNoFail': 'true',
  '@aws-cdk/core:newStyleStackSynthesis': true,
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'ap-south-1',
  CDK_DEFAULT_ACCOUNT: 'xxxxxxxxxx',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","aws-cdk:enableDiffNoFail":"true","@aws-cdk/core:newStyleStackSynthesis":true,"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '5.0.0',
  CDK_CLI_VERSION: '1.57.0'
}

kurtzace commented 4 years ago

Hi, try to follow this to create a user and role, then assign the policy to the role.

Can you please share the credentials file with all the information masked out? It is in the .aws directory.

Did you also try the assume-role concept?

Also, this Stack Overflow answer explains the IAM best practice of operating as a non-root user account: https://stackoverflow.com/a/55420064
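
The assume-role setup kurtzace points at, together with the check that would have caught the original failure, as an added shell example (not part of this thread or of the aws-cdk project). The first error above says the CLI needed to act on "account adminprod": the spec `aws://adminprod/ap-south-1` put the profile name where `cdk bootstrap` expects a 12-digit account ID, so the CLI could only compare it against the account the credentials actually belong to. The script parses the spec, compares it with what `aws sts get-caller-identity` reports for the profile, refuses root credentials, and prints the standard `role_arn`/`source_profile` config stanza that makes a profile assume a role. The account number, role name and profile names in it are made up for illustration.

```shell
#!/bin/sh
# Pre-flight check for `npx cdk bootstrap aws://ACCOUNT/REGION --profile PROFILE`.
# Added example for this thread; not part of the aws-cdk project.
# Refuses when the spec is not aws://<12-digit account>/<region>, when the
# profile's credentials belong to another account, or when they are root.

# env_account SPEC -> prints the account ID from aws://ACCOUNT/REGION, or
# returns 1 (e.g. aws://adminprod/ap-south-1, where a profile name was used).
env_account() {
  case "$1" in
    aws://*/*) ;;
    *) return 1 ;;
  esac
  acct=${1#aws://}
  acct=${acct%%/*}
  printf '%s' "$acct" | grep -Eq '^[0-9]{12}$' || return 1
  printf '%s\n' "$acct"
}

# principal_kind ARN -> root | user | role | other, from the Arn field of
# `aws sts get-caller-identity`.
principal_kind() {
  case "$1" in
    arn:aws:iam::*:root)           echo root ;;
    arn:aws:iam::*:user/*)         echo user ;;
    arn:aws:sts::*:assumed-role/*) echo role ;;
    *)                             echo other ;;
  esac
}

# check_bootstrap_target SPEC ACCOUNT ARN -> 0 when it is sane to bootstrap
# SPEC with credentials for ACCOUNT/ARN, 1 otherwise (reason on stderr).
check_bootstrap_target() {
  want=$(env_account "$1") || {
    echo "refusing: '$1' is not aws://<12-digit account>/<region>" >&2
    return 1
  }
  if [ "$want" != "$2" ]; then
    echo "refusing: spec targets account $want but credentials are for account $2" >&2
    return 1
  fi
  if [ "$(principal_kind "$3")" = root ]; then
    echo "refusing: credentials are the account root user; assume an IAM role instead" >&2
    return 1
  fi
  return 0
}

# preflight PROFILE SPEC -> live check: resolve PROFILE's identity with the AWS
# CLI (real command and options), then run check_bootstrap_target.
preflight() {
  profile=$1
  spec=$2
  id=$(aws sts get-caller-identity --profile "$profile" \
         --query '[Account,Arn]' --output text) || return 1
  set -- $id   # text output is "ACCOUNT<tab>ARN"; split into $1 and $2
  check_bootstrap_target "$spec" "$1" "$2"
}

# assume_role_stanza PROFILE ROLE_ARN SOURCE_PROFILE REGION -> the ~/.aws/config
# stanza that makes PROFILE assume ROLE_ARN with the keys of SOURCE_PROFILE.
# role_arn and source_profile are the standard AWS CLI keys for this.
assume_role_stanza() {
  printf '[profile %s]\nrole_arn = %s\nsource_profile = %s\nregion = %s\n' \
    "$1" "$2" "$3" "$4"
}

# Constructed identities (made-up account, not a real one) showing the outcomes.
demo() {
  check_bootstrap_target aws://adminprod/ap-south-1 123456789012 \
    arn:aws:iam::123456789012:user/adminprod           # profile name in the spec
  check_bootstrap_target aws://123456789012/ap-south-1 123456789012 \
    arn:aws:iam::123456789012:root                      # root credentials
  check_bootstrap_target aws://123456789012/ap-south-1 123456789012 \
    arn:aws:sts::123456789012:assumed-role/CdkAdmin/cli && echo "ok to bootstrap"
  assume_role_stanza adminprod arn:aws:iam::123456789012:role/CdkAdmin adminprod-user ap-south-1
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run `sh preflight.sh demo` to see the three outcomes on the constructed identities, or call `preflight adminprod aws://123456789012/ap-south-1` with a real profile before bootstrapping. Keeping the long-lived access keys on a user whose only permission is sts:AssumeRole into the admin role, and letting the role carry AdministratorAccess, is the practical content of the linked advice.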

jithinjudepaule commented 4 years ago

Thanks @kurtzace, that worked like a charm!! I had to assume the role which had admin access to my non-root account; mere AWS IAM credentials with the Administrator access policy didn't work.

However, I am now getting the error below:

 15/17 | 11:34:31 PM | CREATE_FAILED        | AWS::CodePipeline::Pipeline | Pipeline/Pipeline (Pipeline9850B417) Internal Failure
        new Pipeline (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\@aws-cdk\aws-codepipeline\lib\pipeline.ts:255:26)
        \_ new CdkPipeline (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\@aws-cdk\pipelines\lib\pipeline.ts:75:22)
        \_ new CdkpipelinesDemoPipelineStack (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\lib\cdkpipelines-demo-pipeline-stack.ts:16:22)
        \_ Object.<anonymous> (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\bin\cdkpipelines-demo.ts:7:1)
        \_ Module._compile (internal/modules/cjs/loader.js:1138:30)
        \_ Module.m._compile (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\ts-node\src\index.ts:858:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:1158:10)
        \_ Object.require.extensions.<computed> [as .ts] (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\ts-node\src\index.ts:861:12)
        \_ Module.load (internal/modules/cjs/loader.js:986:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:879:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12)
        \_ main (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\ts-node\src\bin.ts:227:14)
        \_ Object.<anonymous> (F:\GitRepos\cdkpipelinesdemo\cdkpipelines-demo\node_modules\ts-node\src\bin.ts:513:3)
        \_ Module._compile (internal/modules/cjs/loader.js:1138:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1158:10)
        \_ Module.load (internal/modules/cjs/loader.js:986:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:879:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12)
        \_ internal/main/run_main_module.js:17:47
 15/17 | 11:34:32 PM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack  | CdkpipelinesDemoPipelineStack The following resource(s) failed to create: [Pipeline9850B417].

shivlaks commented 4 years ago

@jithinjudepaule - would it be possible to share the pipeline part of the code that results in an internal failure?

It can be a bit tricky to diagnose those, but the first step would be to reproduce the error.

jithinjudepaule commented 4 years ago

@shivlaks I am basically trying to build a CDK pipeline as found in this post (https://aws.amazon.com/blogs/developer/cdk-pipelines-continuous-delivery-for-aws-cdk-applications/). I bootstrapped the environment using

npx cdk bootstrap \
  --profile account1-profile \
  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
  aws://xxxxxxxx/us-east-2

It worked fine for me. After that I deployed using the command:

npx cdk deploy \
  --profile xxxxx-profile \
  CdkpipelinesDemoPipelineStack

The deployment goes through around 17 resources, fails at the 14th resource, then rolls back the entire pipeline and deletes all 14 resources. I guess the code below causes the issue, as per the error reported in file: \cdkpipelines-demo\node_modules\@aws-cdk\pipelines\lib\pipeline.ts:75:22

if (props.artifactBucket && props.crossRegionReplicationBuckets) {
    throw new Error('Only one of artifactBucket and crossRegionReplicationBuckets can be specified!');
}
// If a bucket has been provided, use it - otherwise, create a bucket.
let propsBucket = this.getArtifactBucketFromProps(props);
if (!propsBucket) {
    const encryptionKey = new kms.Key(this, 'ArtifactsBucketEncryptionKey', {
        // remove the key - there is a grace period of a few days before it's gone for good,
        // that should be enough for any emergency access to the bucket artifacts
        removalPolicy: core_1.RemovalPolicy.DESTROY,
    });

rix0rrr commented 3 years ago

The error says:

15/17 | 11:34:31 PM | CREATE_FAILED | AWS::CodePipeline::Pipeline | Pipeline/Pipeline (Pipeline9850B417) Internal Failure

Issue described here:

https://docs.aws.amazon.com/cdk/api/latest/docs/pipelines-readme.html#pipeline-internal-failure
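
The README section linked above attributes that Internal Failure to the GitHub access token the pipeline's source action uses: missing, or without the rights to reach the repository. As an added shell example (not part of this thread or of the aws-cdk project), the script below pulls the token from Secrets Manager and checks that GitHub reports the `repo` and `admin:repo_hook` scopes the GitHub source action requires. It assumes the secret is named `github-token` and holds the token as a plain string, as in the CDK Pipelines blog post the reporter followed, and that the token is a classic personal access token, for which GitHub returns the granted scopes in the `X-OAuth-Scopes` response header.

```shell
#!/bin/sh
# Check the GitHub token behind a CDK Pipelines GitHub source action.
# Added example for this thread; not part of the aws-cdk project.
# Assumptions: the token lives in Secrets Manager under the name github-token
# as a plain string (as in the CDK Pipelines blog post), and it is a classic
# personal access token, for which GitHub reports granted scopes in the
# X-OAuth-Scopes response header.

SECRET_ID=${SECRET_ID:-github-token}
REQUIRED_SCOPES="repo admin:repo_hook"   # what the GitHub source action needs

# has_scope SCOPES SCOPE -> 0 if SCOPE appears in the comma-separated list
# SCOPES (the X-OAuth-Scopes value, e.g. "repo, admin:repo_hook").
has_scope() {
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# missing_scopes SCOPES -> prints each required scope absent from SCOPES, one
# per line; returns 0 when nothing is missing, 1 otherwise.
missing_scopes() {
  rc=0
  for need in $REQUIRED_SCOPES; do
    if ! has_scope "$1" "$need"; then
      echo "$need"
      rc=1
    fi
  done
  return $rc
}

# token_scopes TOKEN -> the X-OAuth-Scopes value GitHub returns for TOKEN
# (empty when the token is rejected or carries no scopes). Live call.
token_scopes() {
  curl -s -o /dev/null -D - -H "Authorization: token $1" https://api.github.com/user \
    | tr -d '\r' | sed -n 's/^[Xx]-[Oo][Aa]uth-[Ss]copes: *//p'
}

# check_secret_token SECRET_ID -> fetch the token from Secrets Manager (real
# CLI command and options) and report whether it carries the required scopes.
check_secret_token() {
  token=$(aws secretsmanager get-secret-value --secret-id "$1" \
            --query SecretString --output text) || return 1
  [ -n "$token" ] || { echo "secret $1 is empty" >&2; return 1; }
  scopes=$(token_scopes "$token")
  [ -n "$scopes" ] || { echo "GitHub rejected the token in $1, or it has no scopes" >&2; return 1; }
  if lacking=$(missing_scopes "$scopes"); then
    echo "token in $1 has the required scopes ($scopes)"
  else
    echo "token in $1 lacks: $(printf '%s' "$lacking" | tr '\n' ' ')" >&2
    return 1
  fi
}

if [ "${1:-}" = live ]; then
  check_secret_token "$SECRET_ID"
fi
```

Run `sh github-token-check.sh live` with the same profile the pipeline stack is deployed from; a missing secret fails at the Secrets Manager call, a revoked token at the GitHub call, and an under-scoped token is listed scope by scope, which covers the three states the README describes.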

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.