Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(cli): bootstrap should create role for cdk CLI to assume when doing cross account deploys #11848

Closed
2 tasks
redbaron opened this issue Dec 3, 2020 · 2 comments
Closed
2 tasks

(cli): bootstrap should create role for cdk CLI to assume when doing cross account deploys #11848

redbaron opened this issue Dec 3, 2020 · 2 comments
Assignees
@rix0rrr
Labels
feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. package/tools Related to AWS CDK Tools or CLI

Comments

@redbaron
Copy link
Contributor

redbaron commented Dec 3, 2020

Use Case

cdk CLI makes calls to a target account using either current credentials or credentials obtained from a plugin. Because single CDK app can deploy to multiple accounts, current credentials won't work and it is required to assume role in every target account. cdk-assume-role-credential-plugin helps to make assume role seamless, but there is currently no such role created by the bootstrap process and separate out of band role creation required.

Proposed Solution

Bootstrap process shouls create a new role in a target account, with enough permissions to do following:

  • assume existing bootstrap roles for deploy, image upload and file upload
  • allow resource lookups in the target account

cdk-assume-role-credential-plugin can then be configured to use that role, making cross account deploys easier to implement.

Other

Existing roles for deploy, image assets and file assets allow establishing trust relationship with account where deploys should be running from, but it is not clear how exactly that cross account trust should be used. CDK CLI assumes these roles at various stages, but prior to it validates, that account it is running from matches account we are deploying to , aborting execution if they don't. This makes bootstrap --trust half complete.

If proposed feature is implemented, there will be not cross account sts:AsumeRole calls for these roles, only for the new one.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
@redbaron redbaron added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 3, 2020
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Dec 3, 2020
@redbaron redbaron changed the title (cli): bootstrap should create role to run cdk CLI in cross account deploy (cli): bootstrap should create role for cdk CLI to assume when doing cross account deploys Dec 3, 2020
@redbaron redbaron mentioned this issue Dec 3, 2020
Closed
@rix0rrr
Copy link
Contributor

rix0rrr commented Dec 8, 2020

Duplicate of #11792, #8905, #9597

@rix0rrr rix0rrr closed this as completed Dec 8, 2020
@github-actions
Copy link

github-actions bot commented Dec 8, 2020

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@redbaron @rix0rrr