cdk deploy --role-arn error iam:PassRole

[entest-hai]

General Issue

cdk deploy by assuming a role failed though added iam:passRole policy

The Question

This command failed

cdk deploy --role-arn "cdk-admin-role"

• Here is the error
  
  User: arn:aws:sts::123456:assumed-role/cdk-hnb659fds-deploy-role-123456-ap-southeast-1/aws-cdk-haitran is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456:role/cdk-admin-role-CdkAdminRole-1IBORD9375GQF because no identity-based policy allows the iam:PassRole action
  
• Here is the cdk-admin-role
  

AWSTemplateFormatVersion: 2010-09-09
Description: "CI CD pipeline"
Resources:
  CdkAdminRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "cloudformation.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
      Policies:
        - PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: CdkAdminPassRole
                Effect: Allow
                Action:
                  - "iam:PassRole"
                  - "iam:GetRole"
                Resource: "*"
          PolicyName: PassRolePolicy

CDK CLI Version

2.10.0

Framework Version

No response

Node.js Version

No response

OS

Ubuntu 18.0

Language

Python

Language Version

Python 3.8.12

Other information

No response

[peterwoodworth]

Hey @entest-hai,

You'll want to pass in a custom DefaultStackSynthesizer to your stack and tell it what deploy role you're using. Here's an example

new MyStack(app, 'MyStack', {
  synthesizer: new DefaultStackSynthesizer({
    deployRoleArn: 'arn:aws:iam::123456789012:role/myrole'
  })
});

[github-actions[bot]]

[n-miles]

If we're supposed to respond to this rather than leaving a separate comment, don't close this

[entest-hai]

@peterwoodworth I tried your suggestion but still get an error

Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

Then in addition, I pass env

env=cdk.Environment(account='123456789',
                                   region='ap-southeast-1')

still get another error

Need to perform AWS calls for account 123456789, but no credentials have been configured

[entest-hai]

Is this possible to run cdk deploy by providing an assumed role in CDK stack rather ran configuring AWS CLI with credentials?

[svisagie]

Hey @entest-hai,

You'll want to pass in a custom DefaultStackSynthesizer to your stack and tell it what deploy role you're using. Here's an example

new MyStack(app, 'MyStack', {
  synthesizer: new DefaultStackSynthesizer({
    deployRoleArn: 'arn:aws:iam::123456789012:role/myrole'
  })
});

Hi, I ran into this same problem and your solution doesn't quite make sense to me. Why would I want to or need to hardcode my role to use for deployment? What is the point of the --role-arn command line parameter then?

I'm doing all this is C# and downgraded to the CDK V1 Nuget libraries and using the exact same command line specifying the role-arn to use for CloudFormation and it worked 100%. I can also see in CloudFormation that the correct role was used to execute the CloudFormation template, which leads me to believe there is something wrong with the V2 implementation of --role-arn.

A side note: a policy containing my execution roles needs to be specified in when bootstrapping the CDK using the --cloudformation-execution-policies parameter. This policy is added to the cdk-hnb659fds-cfn-exec-role..... role and not the deploy role. the cdk-hnb659fds-cfn-deploy-role which is what is causing the above error. Is the deploy-role maybe used instead of the exec-role where executing CDK?

[svisagie]

So, since this BUG now turned into a discussion, can we please discuss what the purpose of the --role-arn command line parameter is and why we need to hardcode the deployment role ARN into our CDK's?

[n-miles]

I am also extremely confused by this. What does --role-arn do, what does the synthesizer.deployRoleArn property do, and how are they different?

[bogdannazarenko]

Also interested. I am trying to specify a different deploy role in GHA cdk action to deploy non-developer stacks.

[vechorko]

So interesting and will wait solutions from team, but found that when I user cluster.connections.allow_from(***) for Kafka I have this issue but when I do my cluster without cluster.connections.allow_from it works fine. Maybe it can help.

[svisagie]

@peterwoodworth can you please respond to these questions. The original bug was just closed and moved to this discussion after you provided a solution that does not work and it also doesn't answer any of the questions.

I'm currently faced with the issue where I have a lot of stacks that are working 100% using CDK V1, but I'm now getting messages stating that it is soon going into maintenance and I should upgrade to V2, except that converting these CDK's to V2 does not work because --role-arn is no longer working. Apart from it being completely counter intuitive to code the execution ARN into the CDK , it also doesn't doesn't work. Not even the sample application.

[vechorko]

Seems like I found temporary solution, to use --profile with role configuration in a profile instead of --role-arn . Of course it is inconvenient that it will be necessary to generate a aws profile with role before launch, but still a working option.

[vechorko]

updated: it doesn't work when I try run cdk under codebuild, but solution to use role for CDK and run under codebuild this is retrive temporary credentials from role:

buildspec.yml

pre_build:
    commands:
      - temp_role=$( aws sts assume-role --role-arn $AWS_ROLE --role-session-name "session_1")
      - export AWS_ACCESS_KEY_ID=$(echo $temp_role | jq .Credentials.AccessKeyId -r)
      - export AWS_SECRET_ACCESS_KEY=$(echo $temp_role | jq .Credentials.SecretAccessKey -r)
      - export AWS_SESSION_TOKEN=$(echo $temp_role | jq .Credentials.SessionToken -r)

maybe it will be useful for someone.

in this case we can use IAM Role to work with another account, but for CDK we pass access key and secret key from Role and it works better.

[kellertk]

Hi there @entest-hai - I was able to get this working. Your error is that arn:aws:sts::123456:assumed-role/cdk-hnb659fds-deploy-role-123456-ap-southeast-1/aws-cdk-haitran is not authorized to perform iam:PassRole - so you need to add those permissions to the deploy role, not the CloudFormation execution role. Here's what I was getting when I tried this:

CdkTestingFolderStack failed: AccessDenied: User: 
arn:aws:sts::570774169190:assumed-role/cdk-hnb659fds-deploy-role-570774169190-us-east-1/aws-cdk-node is not
authorized to perform: iam:PassRole on resource: arn:aws:iam::570774169190:role/test1234 because no
identity-based policy allows the iam:PassRole action

In my case, it was the cdk-hnb659fds-deploy-role-570774169190-us-east-1 role that needed modified, not arn:aws:iam::570774169190:role/test1234. This role did have a iam:PassRole action, but the Resource tag was set to the default CDK CloudFormation execution role, so that's why it was getting permission denied. If I modified the deploy role and set it like this:

-snip-
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::570774169190:role/test1234",
            "Effect": "Allow"
        },
-snip-

it happily deployed. So I think what you'd need to do is to modify your deploy role to allow it to PassRole on your CF execution role. Now, this value is set when you bootstrap, but it looks like rerunning cdk bootstrap with a role parameter doesn't actually change the bootstrap template, so to me that seems like a bug.

In summary, I think I have a working workaround for you - and we'll confirm/research/prioritize/resolve the bug too.

[kellertk]

See #20408

[kellertk]

BTW, @svisagie already pointed this out, but I do want to mention we should probably treat this as a bug or at the very least a poorly-documented command line option. You will have to edit the deploy role to be less restrictive to allow your passed execution role to be used.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.