(cdk-cli): unable to get bootstrap working for cross-account deployments

[duncanwraightimport]

What is the problem?

I have two stacks - a LambdaStack and a BucketStack.

LambdaStack needs to be deployed to Acc1
BucketStack needs to be deployed to Acc2

The BucketStack requires the Lambda function's role ARN from LambdaStack so that the Lambda function can put data into Acc2's S3 bucket. For this reason, I need to deploy the stacks from a single cdk deploy command rather than cdk deploy LambdaStack, change creds, cdk deploy BucketStack etc.

When I try to cdk diff my code, I receive an error like:
Need to perform AWS calls for account 111111Acc1, but the current credentials are for 222222Acc2.

I'm using Okta SSO for AWS where I use the okta-awscli python library to assume a aws:arn:blah:Federated_Admin role. I can run this command for different accounts so my ~/.aws/credentials file is populated as expected, e.g. with a default profile (for Acc1) and an acc2 profile for Acc2.

I have tried to cdk bootstrap both accounts (e.g. using cdk bootstrap --profile acc2 --trust acc1 etc), which appears to complete successfully, but I'm still unable to run cdk diff.

Reproduction Steps

--- ~/.aws/credentials example

[default]
aws_access_key_id = key_id
aws_secret_access_key = key
aws_session_token = token

[acc2]
aws_access_key_id = key_id
aws_secret_access_key = key
aws_session_token = token

--- bin/cdk.ts example

const accountOne = {
    account: '111111Acc1',
    region: 'us-east-1'
};

const accountTwo = {
    account: '222222Acc2',
    region: 'us-east-1'
};

const lambdaStack = new LambdaStack(app, `url-feed-processing-stack-${environment}`, {
    env: accountOne
});

new BucketStack(app, `url-feed-destination-bucket-stack-${environment}`, {
    env: accountTwo,
    lambdaFromAccOne: lambdaStack
});

--- cdk bootstrapping

cdk bootstrap aws://111111Acc1/us-east-1
cdk bootstrap --profile acc2 --trust 111111Acc1 --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess' aws://222222Acc2/us-east-1

--- cdk bootstrapping and diff output

❯ cdk bootstrap aws://111111Acc1/us-east-1
 ⏳  Bootstrapping environment aws://111111Acc1/us-east-1...
Trusted accounts for deployment: 222222Acc2
Trusted accounts for lookup: (none)
Execution policies: arn:aws:iam::aws:policy/AdministratorAccess
 ✅  Environment aws://111111Acc1/us-east-1 bootstrapped (no changes).

❯ cdk bootstrap --profile acc2 --trust 111111Acc1 --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess' aws://222222Acc2/us-east-1
 ⏳  Bootstrapping environment aws://222222Acc2/us-east-1...
Trusted accounts for deployment: 111111Acc1
Trusted accounts for lookup: (none)
Execution policies: arn:aws:iam::aws:policy/AdministratorAccess
 ✅  Environment aws://222222Acc2/us-east-1 bootstrapped (no changes).

❯ cdk diff
Stack lambda-stack
There were no differences
Stack bucket-stack
Need to perform AWS calls for account 222222Acc2, but the current credentials are for 111111Acc1

What did you expect to happen?

Expected cdk diff to use the bootstrapping process to allow cross-account communication.

What actually happened?

Error stating only one account can be called:
Need to perform AWS calls for account 222222Acc2, but the current credentials are for 111111Acc1

CDK CLI Version

2.12.0 (build c9786db)

Framework Version

No response

Node.js Version

v16.13.2

OS

Debian 11, but also tested on MacOS Big Sur

Language

Typescript

Language Version

TypeScript version 4.5.4

Other information

No response

[mrpackethead]

This is not a bug. please refer to the docs.

[anderha]

@mrpackethead Could you please provide a link to the docs? I am facing the same issue

[duncanwraight]

Hi @mrpackethead thanks for your comment.

I came to this issue tracker after consulting with 6 or 7 experienced CDK users on the CDK Slack.

We've all looked at the documentation and it doesn't appear to reference this use case in any way.

Perhaps we've missed it, so could you please share the documentation referring to bootstrapping two separate accounts then deploying with credentials for one?

Appreciate this may not be a "bug", perhaps the label needs to be changed to "documentation issue" or something, but I think it's a legitimate issue to raise either way.

[baotran2207]

i am facing same issue , the error detail not very clear. And i could not find the doc ref either !

[skinny85]

@rix0rrr you want to chime in here?

[anderha]

I found a solution that worked for me:

1. add your aws credentials of account1 as default into .aws/credentials

[default]
aws_access_key_id=id
aws_secret_access_key=key

2. cdk bootstrap account1
3. bootstrap account 2 with specified profile

cdk bootstrap --trust account1 --trust-for-lookup account1 --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess' --profile account2 aws://account2/<your_region>