corymhall / cdk-diff-action

GitHub action to post CDK diff to PR comments
Apache License 2.0

Unable to assume CDK lookup role using temporary session credentials #62

Open tranhl opened 1 week ago

tranhl commented 1 week ago

Having a bit of trouble getting this action to work. Using the following configuration:

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ vars.AWS_REGION }}
          role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
          role-session-name: ci-session

      - name: Synth
        working-directory: apps/cdk
        run: pnpm cdk synth

      - name: Diff
        uses: corymhall/cdk-diff-action@v1
        with:
          failOnDestructiveChanges: false
          cdkOutDir: apps/cdk/cdk.out
          githubToken: ${{ secrets.GITHUB_TOKEN }}

I get the following error:

AccessDenied: User: arn:aws:sts::***:assumed-role/github-action/ci-session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}

Seems like the issue is that AWS::AccountId and AWS::Region aren't templating correctly when assuming the CDK lookup role? Not exactly sure why that would be the case. I've included the full error logs and am happy to provide any additional information needed.

tranhl commented 5 days ago

Turns out the issue is that AWS::AccountId and AWS::Region won't have an actual value in the CDK assembly unless we explicitly pass a value to props.env on all our stacks during synthesis. The action worked after env was provided.
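As an added example (not code from the action or from the issue reporter): a pre-flight check over a CDK cloud-assembly manifest that flags stacks whose lookup-role ARN still contains the `${AWS::AccountId}` / `${AWS::Region}` placeholders, the condition behind the AccessDenied above. The manifest is constructed inline; the artifact field names (`environment`, `properties.lookupRole.arn`, `aws://unknown-account/unknown-region`) follow the CDK cloud-assembly manifest format.

```typescript
// Added example (not the action's or the reporter's code): a pre-flight check over a CDK
// cloud-assembly manifest that flags stacks whose lookup-role ARN still carries unresolved
// ${AWS::AccountId} / ${AWS::Region} placeholders, i.e. stacks synthesized without an explicit env.

type StackArtifact = {
  type: string;
  environment: string; // "aws://<account>/<region>", or "aws://unknown-account/unknown-region" when env is unset
  properties: { lookupRole?: { arn: string } };
};
type Manifest = { artifacts: Record<string, StackArtifact> };
type LookupRoleReport = { stack: string; environment: string; lookupRoleArn: string | undefined; unresolved: string[] };

const PLACEHOLDERS = ["AccountId", "Region", "Partition"];

// Inspect every stack artifact; non-stack artifacts (e.g. the construct tree) are skipped.
function checkLookupRoles(manifest: Manifest): LookupRoleReport[] {
  const reports: LookupRoleReport[] = [];
  for (const [stack, art] of Object.entries(manifest.artifacts)) {
    if (art.type !== "aws:cloudformation:stack") continue;
    const arn = art.properties.lookupRole?.arn;
    // Placeholder names that survived synthesis (none when env was pinned).
    const unresolved = PLACEHOLDERS.filter((n) => arn?.includes(`\${AWS::${n}}`) ?? false);
    reports.push({ stack, environment: art.environment, lookupRoleArn: arn, unresolved });
  }
  return reports;
}

// Stacks an env-unaware caller (one that does not substitute the placeholders from its
// own credentials) cannot assume the lookup role for: these need env set at synth time.
function stacksNeedingExplicitEnv(manifest: Manifest): string[] {
  return checkLookupRoles(manifest).filter((r) => r.unresolved.length > 0).map((r) => r.stack);
}

// Constructed sample mirroring cdk.out/manifest.json: one env-agnostic stack, one pinned.
const SAMPLE_MANIFEST: Manifest = {
  artifacts: {
    Tree: { type: "cdk:tree", environment: "", properties: {} },
    AgnosticStack: {
      type: "aws:cloudformation:stack",
      environment: "aws://unknown-account/unknown-region",
      properties: { lookupRole: { arn: "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}" } },
    },
    PinnedStack: {
      type: "aws:cloudformation:stack",
      environment: "aws://123456789012/us-east-1",
      properties: { lookupRole: { arn: "arn:aws:iam::123456789012:role/cdk-hnb659fds-lookup-role-123456789012-us-east-1" } },
    },
  },
};
```

Running `stacksNeedingExplicitEnv` against a real `cdk.out/manifest.json` before the diff step turns the 403 from STS into an early, readable failure naming the stacks that still need `env`.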