(cli): Cross-account asset publishing broken in v1.135 #17988

Closed
msessa opened this issue Dec 13, 2021 · 3 comments · Fixed by #18007
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. package/tools Related to AWS CDK Tools or CLI

Comments


msessa commented Dec 13, 2021

What is the problem?

CDK asset publishing doesn't correctly assume the target asset publishing role in certain cases and fails to deploy S3 artifacts.

The issue seems to have surfaced with the release of cdk 1.135.0 but was possibly introduced in earlier versions.

Initial investigation suggests this line isn't passing the stack's asset publishing role and instead making API calls as the base role.

When v1.135 is used to deploy against an account bootstrapped with stack < v9, this code branch will trigger the above account() call which causes this.host.aborted to become true and this line to never be reached.

Reproduction Steps

  • Have role in AccountA
  • Bootstrap AccountB with stack v8 (cdk <= 1.134.0), and --trust role in AccountA
  • Create CDK application with some S3 asset (lambda functions or similar), point environment to AccountB
  • Synth application with @aws-cdk/core:newStyleStackSynthesis=true
  • npx aws-cdk@1.135.0 deploy --debug -vvvvv

What did you expect to happen?

CDK deploy assumes the asset publishing role in AccountB and correctly uploads artifacts

What actually happened?

fail: Need to perform AWS calls for account <AccountB>, but the current credentials are for <AccountA>

CDK CLI Version

1.135.0

Framework Version

No response

Node.js Version

v14.16.0

OS

MacOS

Language

Typescript

Language Version

No response

Other information

Complete deploy log:

CDK toolkit version: 1.135.0 (build 3825f59)
Command line arguments: {
  _: [ 'deploy' ],
  debug: true,
  v: 5,
  verbose: 5,
  'outputs-file': 'cdk-outputs.json',
  O: 'cdk-outputs.json',
  outputsFile: 'cdk-outputs.json',
  app: 'cdk.out/',
  a: 'cdk.out/',
  'require-approval': 'any-change',
  requireApproval: 'any-change',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  all: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  ci: false,
  execute: true,
  force: false,
  f: false,
  parameters: [ {} ],
  'previous-parameters': true,
  previousParameters: true,
  '$0': '../.npm/_npx/69094/bin/cdk',
  STACKS: [ 'cdk-issue-debug' ],
  'S-t-a-c-k-s': [ 'cdk-issue-debug' ]
}
cdk.json: {
  "app": "npx ts-node -P tsconfig.json --prefer-ts-exts src/main.ts",
  "context": {
    "@aws-cdk/core:newStyleStackSynthesis": "true",
    "aws-cdk:enableDiffNoFail": true,
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:enableStackNameDuplicates": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,
    "@aws-cdk/aws-secretsmanager:parseOwnedSecretName": true,
    "@aws-cdk/aws-kms:defaultKeyPolicies": true,
    "@aws-cdk/aws-s3:grantWriteWithoutAcl": true,
    "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-efs:defaultEncryptionAtRest": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true
  },
  "output": "cdk.out",
  "build": "npx projen bundle",
  "watch": {
    "include": [
      "src/**/*.ts",
      "test/**/*.ts"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules"
    ]
  },
  "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"."
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  context: {
    '@aws-cdk/core:newStyleStackSynthesis': 'true',
    'aws-cdk:enableDiffNoFail': true,
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:enableStackNameDuplicates': true,
    '@aws-cdk/core:stackRelativeExports': true,
    '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
    '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
    '@aws-cdk/aws-kms:defaultKeyPolicies': true,
    '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
    '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-efs:defaultEncryptionAtRest': true,
    '@aws-cdk/aws-lambda:recognizeVersionProps': true,
    '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true
  },
  app: 'cdk.out/',
  build: 'npx projen bundle',
  watch: {
    include: [ 'src/**/*.ts', 'test/**/*.ts' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules'
    ]
  },
  '//': '~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen".',
  debug: true,
  assetMetadata: true,
  requireApproval: 'any-change',
  toolkitBucket: {},
  staging: true,
  outputsFile: 'cdk-outputs.json',
  bundlingStacks: [ '*' ],
  lookups: true
}
Determining if we're on an EC2 instance.
Does not look like an EC2 instance.
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
Resolving default credentials
Looking up default account ID from STS
[AWS sts 200 0.181s 0 retries] getCallerIdentity({})
Default account ID: AccountA
Setting "CDK_DEFAULT_ACCOUNT" environment variable to AccountA
context: {
  '@aws-cdk/core:newStyleStackSynthesis': 'true',
  'aws-cdk:enableDiffNoFail': true,
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:enableStackNameDuplicates': true,
  '@aws-cdk/core:stackRelativeExports': true,
  '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
  '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
  '@aws-cdk/aws-kms:defaultKeyPolicies': true,
  '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
  '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-efs:defaultEncryptionAtRest': true,
  '@aws-cdk/aws-lambda:recognizeVersionProps': true,
  '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021': true,
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
--app points to a cloud assembly, so we bypass synth
Reading existing template for stack cdk-issue-debug.
Retrieved account ID AccountA from disk cache
Assuming role 'arn:aws:iam::AccountB:role/cdk-hnb659fds-deploy-role-AccountB-ap-southeast-2'.
[AWS cloudformation 200 0.291s 0 retries] describeStacks({ StackName: 'cdk-issue-debug' })
[AWS cloudformation 200 0.175s 0 retries] getTemplate({ StackName: 'cdk-issue-debug', TemplateStage: 'Original' })
cdk-issue-debug: deploying...
Retrieved account ID AccountA from disk cache
Assuming role 'arn:aws:iam::AccountB:role/cdk-hnb659fds-deploy-role-AccountB-ap-southeast-2'.
Waiting for stack CDKToolkit to finish creating or updating...
[AWS cloudformation 200 0.212s 0 retries] describeStacks({ StackName: 'CDKToolkit' })
[AWS ssm 200 0.236s 0 retries] getParameter({ Name: '/cdk-bootstrap/hnb659fds/version' })
[0%] start: Publishing ea955e1dd13eac7a289683a4c42a8f95466ebb1e7002c2b524369eab874ebd6c:AccountB-ap-southeast-2
Retrieved account ID AccountA from disk cache
Assuming role 'arn:aws:iam::AccountB:role/cdk-hnb659fds-file-publishing-role-AccountB-ap-southeast-2'.
[0%] check: Check s3://cdk-hnb659fds-assets-AccountB-ap-southeast-2/ea955e1dd13eac7a289683a4c42a8f95466ebb1e7002c2b524369eab874ebd6c.zip
[AWS s3 200 0.183s 0 retries] getBucketLocation({ Bucket: 'cdk-hnb659fds-assets-AccountB-ap-southeast-2' })
[AWS s3 200 0.169s 0 retries] listObjectsV2({
  Bucket: 'cdk-hnb659fds-assets-AccountB-ap-southeast-2',
  Prefix: 'ea955e1dd13eac7a289683a4c42a8f95466ebb1e7002c2b524369eab874ebd6c.zip',
  MaxKeys: 1
})
[AWS s3 403 0.147s 0 retries] getBucketEncryption({ Bucket: 'cdk-hnb659fds-assets-AccountB-ap-southeast-2' })
Call failed: getBucketEncryption({"Bucket":"cdk-hnb659fds-assets-AccountB-ap-southeast-2"}) => Access Denied (code=AccessDenied)
[50%] fail: Need to perform AWS calls for account AccountB, but the current credentials are for AccountA
[50%] start: Publishing 4ed6eb06863732b08308385e96b4da247bb35b3e8b6aca611ee88573da8a870a:AccountB-ap-southeast-2
Retrieved account ID AccountA from disk cache
[50%] check: Check s3://cdk-hnb659fds-assets-AccountB-ap-southeast-2/4ed6eb06863732b08308385e96b4da247bb35b3e8b6aca611ee88573da8a870a.json
[AWS s3 200 0.165s 0 retries] listObjectsV2({
  Bucket: 'cdk-hnb659fds-assets-AccountB-ap-southeast-2',
  Prefix: '4ed6eb06863732b08308385e96b4da247bb35b3e8b6aca611ee88573da8a870a.json',
  MaxKeys: 1
})
[100%] fail: Need to perform AWS calls for account AccountB, but the current credentials are for AccountA

 ❌  cdk-issue-debug failed: Error: Failed to publish one or more assets. See the error messages above for more information.
    at Object.publishAssets (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/util/asset-publishing.ts:25:11)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at CloudFormationDeployments.publishStackAssets (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:305:7)
    at CloudFormationDeployments.deployStack (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:202:5)
    at CdkToolkit.deploy (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
    at initCommandLine (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/bin/cdk.ts:267:9)
Failed to publish one or more assets. See the error messages above for more information.
Error: Failed to publish one or more assets. See the error messages above for more information.
    at Object.publishAssets (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/util/asset-publishing.ts:25:11)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at CloudFormationDeployments.publishStackAssets (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:305:7)
    at CloudFormationDeployments.deployStack (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:202:5)
    at CdkToolkit.deploy (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
    at initCommandLine (/Users/msessa/.npm/_npx/69094/lib/node_modules/aws-cdk/bin/cdk.ts:267:9)
@msessa msessa added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2021
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Dec 13, 2021
relm923 (Contributor) commented Dec 13, 2021

This appears to be happening on 2.1.0 as well

kimisme9386 (Contributor) commented

I encountered the same problem. v1.134.0 works fine, but v1.135.0 has the problem.

rix0rrr added a commit that referenced this issue Dec 14, 2021
In #17668, cross-account S3 asset publishing was broken.

The reason is that the `account()` function was always broken, using the
default account instead of the target account. However, previously this
function was only called in an irrecoverable situation anyway, and its
failure would be rare.

The recent change also calls this function for logging purposes in
a happy-case scenario, but then triggers an error during the logging.

Fix the invocation to use the right account.

Fixes #17988.
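The commit message above pins the cause to an identity check that consulted the default (caller) account instead of the account whose role had just been assumed, and the report's log shows the symptom: the file-publishing role in AccountB is assumed, yet the tool insists its credentials "are for" AccountA. The following TypeScript is an added illustration written for this page, not the CDK CLI's or cdk-assets' code. It models that bug class with an in-memory stand-in for STS (`FakeSts`, covering AssumeRole and GetCallerIdentity) and a small `AssetPublisher` with a buggy and a fixed variant of the check. The account IDs, the role ARN, the trust table and the `publishBuggy`/`publishFixed` names are all constructed for the example.

```typescript
// Illustrative model (written for this page, not the CDK CLI's code) of the
// account-identity check a cross-account deploy tool performs before making
// AWS calls. The "buggy" variant compares the target against the account of
// the *default* credentials; the "fixed" variant compares against the account
// of the credentials that were actually selected (the assumed publishing role).

interface Credentials {
  accessKeyId: string;
  // Account the key belongs to; stands in for what STS GetCallerIdentity reports.
  accountId: string;
}

interface Environment {
  account: string;
  region: string;
}

type PublishResult =
  | { ok: true; usedAccount: string }
  | { ok: false; error: string };

// Minimal in-memory stand-in for STS. `trust` maps a role ARN to the account IDs
// allowed to assume it (constructed data, modelling the role's trust policy).
class FakeSts {
  constructor(private readonly trust: Record<string, string[]>) {}

  getCallerIdentity(creds: Credentials): string {
    return creds.accountId;
  }

  assumeRole(roleArn: string, base: Credentials): Credentials {
    const trusted = this.trust[roleArn] ?? [];
    if (!trusted.includes(base.accountId)) {
      throw new Error(`AccessDenied: ${base.accountId} is not trusted by ${roleArn}`);
    }
    // The account ID is the fifth colon-separated field of an IAM role ARN.
    const roleAccount = roleArn.split(':')[4];
    return { accessKeyId: `ASIA-${roleAccount}`, accountId: roleAccount };
  }
}

class AssetPublisher {
  private readonly defaultAccount: string;

  constructor(private readonly sts: FakeSts, private readonly base: Credentials) {
    // Resolved once up front, like "Default account ID" in the debug log above.
    this.defaultAccount = sts.getCallerIdentity(base);
  }

  // Credentials for the target: assume the publishing role when one is configured.
  private credentialsFor(roleArn?: string): Credentials {
    return roleArn ? this.sts.assumeRole(roleArn, this.base) : this.base;
  }

  private mismatch(target: string, actual: string): PublishResult {
    return {
      ok: false,
      error: `Need to perform AWS calls for account ${target}, but the current credentials are for ${actual}`,
    };
  }

  // Buggy: the role is assumed, but the check consults the default account,
  // so every cross-account publish fails closed with a misleading message.
  publishBuggy(env: Environment, roleArn?: string): PublishResult {
    try {
      const creds = this.credentialsFor(roleArn);
      if (this.defaultAccount !== env.account) {
        return this.mismatch(env.account, this.defaultAccount);
      }
      return { ok: true, usedAccount: creds.accountId };
    } catch (e) {
      return { ok: false, error: (e as Error).message };
    }
  }

  // Fixed: ask STS who the selected credentials are, then compare that to the target.
  publishFixed(env: Environment, roleArn?: string): PublishResult {
    try {
      const creds = this.credentialsFor(roleArn);
      const actual = this.sts.getCallerIdentity(creds);
      if (actual !== env.account) {
        return this.mismatch(env.account, actual);
      }
      return { ok: true, usedAccount: actual };
    } catch (e) {
      return { ok: false, error: (e as Error).message };
    }
  }
}

// Constructed scenario mirroring the report: caller in AccountA, assets going to
// AccountB, whose file-publishing role trusts AccountA. Account IDs are made up.
const ACCOUNT_A = '111111111111';
const ACCOUNT_B = '222222222222';
const REGION = 'ap-southeast-2';
const PUBLISH_ROLE_B = `arn:aws:iam::${ACCOUNT_B}:role/cdk-hnb659fds-file-publishing-role-${ACCOUNT_B}-${REGION}`;

const sts = new FakeSts({ [PUBLISH_ROLE_B]: [ACCOUNT_A] });
const publisher = new AssetPublisher(sts, { accessKeyId: 'AKIA-A', accountId: ACCOUNT_A });
const targetB: Environment = { account: ACCOUNT_B, region: REGION };

console.log(publisher.publishBuggy(targetB, PUBLISH_ROLE_B)); // refused: credentials "are for" AccountA
console.log(publisher.publishFixed(targetB, PUBLISH_ROLE_B)); // ok, usedAccount is AccountB
```

Two things worth noting when reading the model against the real report. First, the defect fails closed: the tool refuses to publish rather than publishing with the wrong identity, so the impact is a broken cross-account pipeline, not a privilege problem. Second, the fixed variant still refuses a cross-account target when no role is configured, and still surfaces a genuine AssumeRole denial when the caller is not in the role's trust policy; the correction is only about which identity the comparison uses.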
@mergify mergify bot closed this as completed in #18007 Dec 14, 2021
mergify bot pushed a commit that referenced this issue Dec 14, 2021
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022