exanubes / ecs-fargate-deployment

Repository from exanubes.com for Deploying ECS Fargate Application
https://exanubes.com/blog/ecs-fargate-deployment

Running "npm run build && npm run cdk:deploy -- --all" generates EcrStack error #1

Closed mbellemo closed 1 year ago

mbellemo commented 1 year ago
```
EcrStack failed: Error: EcrStack: This CDK deployment requires bootstrap stack version '6', found an older version. Please run 'cdk bootstrap'.
    at CloudFormationDeployments.validateBootstrapStackVersion (/Users/mbellemo/Projects/invoice-management/infrastructure/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:436:13)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at CloudFormationDeployments.publishStackAssets (/Users/mbellemo/Projects/invoice-management/infrastructure/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:411:7)
    at CloudFormationDeployments.deployStack (/Users/mbellemo/Projects/invoice-management/infrastructure/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:299:5)
    at CdkToolkit.deploy (/Users/mbellemo/Projects/invoice-management/infrastructure/node_modules/aws-cdk/lib/cdk-toolkit.ts:208:24)
    at initCommandLine (/Users/mbellemo/Projects/invoice-management/infrastructure/node_modules/aws-cdk/lib/cli.ts:310:12)

EcrStack: This CDK deployment requires bootstrap stack version '6', found an older version. Please run 'cdk bootstrap'.
```

mbellemo commented 1 year ago

I tried to run cdk bootstrap

```
13:59:07 | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole API: iam:GetRole User: "user" is not authorized to perform: iam:GetRole on resource: role "role" because no identity-based policy allows the iam:GetRole action

13:59:08 | CREATE_FAILED | AWS::S3::Bucket | StagingBucket role already exists

13:59:08 | CREATE_FAILED | AWS::IAM::Role | FilePublishingRole API: iam:GetRole User: "user" is not authorized to perform: iam:GetRole on resource: role "role" because no identity-based policy allows the iam:GetRole action

13:59:08 | CREATE_FAILED | AWS::IAM::Role | LookupRole API: iam:GetRole User: "user" is not authorized to perform: iam:GetRole on resource: role "role" because no identity-based policy allows the iam:GetRole action
```

exanubes commented 1 year ago

Hi @mbellemo, thanks for reaching out but not sure I'm gonna be able to help you with that as this looks like a problem with your environment. Hard for me to pinpoint what's wrong.

I assume you've got a cdk v1 bootstrap in your aws account and this project uses a v2. Not sure if it's possible to have both at the same time but you could try. I remember having this error when I started using cdk v2 for the first time but I just nuked the v1 bootstrap and re-bootstrapped with v2. AWS has bootstrapping pretty well documented. https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

The errors mean that the aws credentials you're using don't have permissions to do those things so you need to check what IAM user you're using and play around with IAM permissions. The easiest way to check which user you have configured for your cli would be with aws sts get-caller-identity.

mbellemo commented 1 year ago

I managed to successfully run cdk bootstrap adding the AdministratorAccess policy to my user. Probably, a bit of a brute force approach, but it works.

Now, I am facing another challenge when I run npm run build && npm run cdk:deploy -- --all

User: arn:assumed-role/[role] is not authorized to perform: iam:PassRole on resource: arn::role/cloudformation-access because no identity-based policy allows the iam:PassRole action

I created the role cloudformation-access but I guess I miss some permissions or this "PassRole" config.

exanubes commented 1 year ago

@mbellemo try creating a custom policy and adding it to your cloudformation-access role

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}
```
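
Added example (not part of the thread or the repository): a small JavaScript check that flags `iam:PassRole` statements granted on a wildcard resource or without an `iam:PassedToService` condition, run against the policy posted above and a constructed scoped variant. The account ID `111122223333`, the statement IDs in the scoped variant, and the assumption that the role is passed only to CloudFormation are illustrative.

```javascript
// Added example, not code from the repository. Policy objects are constructed.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and allow * and ? wildcards.
function actionMatches(pattern, action) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${re}$`, "i").test(action);
}

// One finding per Allow statement that grants iam:PassRole on a wildcard
// resource or without an iam:PassedToService condition.
// (NotAction / NotResource statements are out of scope here.)
function findBroadPassRole(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return;
    if (!asList(stmt.Action).some((a) => actionMatches(a, "iam:PassRole"))) return;
    const wildcardResource = asList(stmt.Resource)
      .some((r) => r === "*" || /:role\/\*$/.test(r));
    const conditionKeys = Object.values(stmt.Condition || {})
      .flatMap((block) => Object.keys(block).map((k) => k.toLowerCase()));
    const anyService = !conditionKeys.includes("iam:passedtoservice");
    if (wildcardResource || anyService) {
      findings.push({ index, sid: stmt.Sid || null, wildcardResource, anyService });
    }
  });
  return findings;
}

// The policy as posted in the thread.
const postedPolicy = { Version: "2012-10-17", Statement: [
  { Sid: "VisualEditor0", Effect: "Allow",
    Action: ["iam:GetRole", "iam:PassRole"], Resource: "*" },
] };

// Constructed scoped variant. Assumptions: placeholder account 111122223333,
// and the role is only ever handed to CloudFormation.
const roleArn = "arn:aws:iam::111122223333:role/cloudformation-access";
const scopedPolicy = { Version: "2012-10-17", Statement: [
  { Sid: "ReadRole", Effect: "Allow", Action: "iam:GetRole", Resource: roleArn },
  { Sid: "PassRoleToCfn", Effect: "Allow", Action: "iam:PassRole", Resource: roleArn,
    Condition: { StringEquals: { "iam:PassedToService": "cloudformation.amazonaws.com" } } },
] };

console.log(findBroadPassRole(postedPolicy), findBroadPassRole(scopedPolicy));
```

`iam:GetRole` sits in its own statement in the scoped variant because the `iam:PassedToService` key is only present on `iam:PassRole` requests, so a shared condition would stop `GetRole` from matching.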