
bootstrap:failing with IAM roles even when using a full administrator account #27067

Closed
c0debreaker opened this issue Sep 8, 2023 · 8 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@c0debreaker

Describe the bug

Unable to cdk bootstrap. I am getting tons of errors relating to IAM issues. I've tried versions 2.93.0 and 2.95.0 of aws-cdk with no luck. Here is the result of cdk bootstrap. I also tried it on 2 different AWS accounts.

$ cdk bootstrap
⏳ Bootstrapping environment aws://1111222233334/us-east-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...
8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | LookupRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | FilePublishingRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-file-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-image-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

❌ Environment aws://1111222233334/us-east-1 failed bootstrapping: Error: The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action
at FullCloudFormationDeployment.monitorDeployment (/Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:443:10236)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async /Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:448:2104
at async Promise.all (index 0)
at async CdkToolkit.bootstrap (/Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:448:1949)
at async exec4 (/Users/jmeyers/.nvm/versions/node/v18.17.1/lib/node_modules/aws-cdk/lib/index.js:521:52797)

The stack named CDKToolkit failed to deploy: UPDATE_ROLLBACK_COMPLETE: API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action, API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

Expected Behavior

cdk bootstrap should have properly prepared the environment

Current Behavior

It's failing with IAM permissions, but I am an administrator.

Reproduction Steps

Before running cdk bootstrap, I had to export 3 AWS env variables to make my credentials work. The account I used has admin rights.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.95.0

Framework Version

No response

Node.js Version

18.17.1

OS

macos

Language

Python

Language Version

Python 3.9.0

Other information

No response

@c0debreaker c0debreaker added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Sep 8, 2023
@peterwoodworth (Contributor)

From the error message it looks like you're not an admin, but rather User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation.

@peterwoodworth (Contributor)

Actually, are you a root user, or are you an IAM user with admin perms?

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 8, 2023
@c0debreaker (Author)

Actually, are you a root user, or are you an IAM user with admin perms?

The latter. I am AD SSO authenticated with full admin permissions.

However, I found out that there is a role being used when I run cdk bootstrap. It was using a role called cdk-toolkit. I added the missing permissions one by one until I was able to successfully deploy the resource.

What's still a mystery to me is why and how it is using the cdk-toolkit IAM role. I didn't specify it on the command line, nor did I find it in my code. Does the cdk tool use that by default?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 9, 2023
@peterwoodworth (Contributor)

I've never seen this role before, and I can't find any references to it in our code or documentation. It's weird that it's throwing an "is not authorized to perform" error here multiple times on different resources; I am not sure I've seen that occur during CloudFormation deployment before. I'll check to see if anyone else has seen this.

@peterwoodworth (Contributor)

@c0debreaker I have a few questions.

  • Can you verify if this role is in IAM in your account?
  • Are you running this command within the context of a CDK app?
  • Could you verify that the output of aws sts get-caller-identity is what you expect, and then run cdk bootstrap -v and post the output?
  • If you're running this within the context of a CDK app, try moving outside of a CDK app and then running cdk bootstrap aws://<ACCOUNT_ID>/<REGION> -v and posting the output

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 11, 2023
@github-actions

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Sep 14, 2023
@fidothe

fidothe commented Sep 1, 2024

This is happening to me now, with the same role errors reported by the original reporter, but without the cdk-toolkit role.

I'm using a user created with IAM Identity Center that has the standard arn:aws:iam::aws:policy/AdministratorAccess policy attached to its permission set.

To address @peterwoodworth's last set of questions:

Can you verify if this role is in IAM in your account?
Could you verify that the output of aws sts get-caller-identity is what you expect,

The role reported by aws sts get-caller-identity seems like the correct one, but obviously there's a degree of indirection from the role assumption. It looks legit, though.

Are you running this command within the context of a CDK app?
If you're running this within the context of a CDK app, try moving outside of a CDK app and then running cdk bootstrap aws://<ACCOUNT_ID>/<REGION> -v and posting the output

I was. I have also tried running with the explicit aws://... URL and the results were the same.

Here's the output from cdk bootstrap -v

This is with node 22.7.0 and aws-cdk 2.155.0.

 ⏳  Bootstrapping environment aws://341538367464/eu-west-2...
[22:02:16] Waiting for stack CDKToolkit to finish creating or updating...
[22:02:16] Call failed: describeStacks({"StackName":"CDKToolkit"}) => Stack with id CDKToolkit does not exist (code=ValidationError)
[22:02:16] Stack CDKToolkit does not exist
[22:02:16] The environment aws://341538367464/eu-west-2 doesn't have the CDK toolkit stack (CDKToolkit) installed. Use cdk bootstrap "aws://341538367464/eu-west-2" to setup your environment for use with the toolkit.
[22:02:16] Retrieved account ID 341538367464 from disk cache
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
[22:02:16] Call failed: describeStacks({"StackName":"CDKToolkit"}) => Stack with id CDKToolkit does not exist (code=ValidationError)
[22:02:16] CDKToolkit: checking if we can skip deploy
[22:02:16] CDKToolkit: no existing stack
[22:02:16] CDKToolkit: deploying...
[22:02:16] Attempting to create ChangeSet with name cdk-deploy-change-set to create stack CDKToolkit
CDKToolkit: creating CloudFormation changeset...
[22:02:16] Initiated creation of changeset: arn:aws:cloudformation:eu-west-2:341538367464:changeSet/cdk-deploy-change-set/11e433a0-e620-4834-9c77-7d1653c6943a; waiting for it to finish creating...
[22:02:16] Waiting for changeset cdk-deploy-change-set on stack CDKToolkit to finish creating...
[22:02:16] Changeset cdk-deploy-change-set on stack CDKToolkit is still creating
[22:02:22] Initiating execution of changeset arn:aws:cloudformation:eu-west-2:341538367464:changeSet/cdk-deploy-change-set/11e433a0-e620-4834-9c77-7d1653c6943a on stack CDKToolkit
[22:02:22] Execution of changeset arn:aws:cloudformation:eu-west-2:341538367464:changeSet/cdk-deploy-change-set/11e433a0-e620-4834-9c77-7d1653c6943a on stack CDKToolkit has started; waiting for the update to complete...
[22:02:22] Waiting for stack CDKToolkit to finish creating or updating...
[22:02:22] Stack CDKToolkit has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS (User Initiated))
[22:02:27] Stack CDKToolkit has an ongoing operation in progress and is not stable (ROLLBACK_IN_PROGRESS)
CDKToolkit |  0/12 | 22:02:16 | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack | CDKToolkit User Initiated
CDKToolkit |  0/12 | 22:02:22 | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack | CDKToolkit User Initiated
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::S3::Bucket         | StagingBucket
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole
CDKToolkit |  0/12 | 22:02:24 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole Failed to check if policy already exists due to lack of getRolePolicy permission, you might be overriding or adopting an existing policy on this Role
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::ECR::Repository    | ContainerAssetsRepository Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::SSM::Parameter     | CdkBootstrapVersion Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole Resource creation Initiated
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)
CDKToolkit |  0/12 | 22:02:25 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)
CDKToolkit |  0/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied)
CDKToolkit |  1/12 | 22:02:26 | CREATE_COMPLETE      | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  2/12 | 22:02:26 | CREATE_COMPLETE      | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  2/12 | 22:02:26 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole Resource creation Initiated
CDKToolkit |  2/12 | 22:02:26 | CREATE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-lookup-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 1b2fc962-aa57-491a-9ac1-c8c1bba03736)
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied)
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | LookupRole Resource creation cancelled
CDKToolkit |  2/12 | 22:02:26 | CREATE_FAILED        | AWS::S3::Bucket         | StagingBucket Resource creation cancelled
CDKToolkit |  2/12 | 22:02:26 | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit The following resource(s) failed to create: [ImagePublishingRole, FilePublishingRole, LookupRole, StagingBucket, CloudFormationExecutionRole]. Rollback requested by user.
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | FilePublishingRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | ImagePublishingRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | CloudFormationExecutionRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_IN_PROGRESS   | AWS::IAM::Role          | LookupRole
CDKToolkit |  2/12 | 22:02:28 | DELETE_SKIPPED       | AWS::S3::Bucket         | StagingBucket
CDKToolkit |  1/12 | 22:02:29 | DELETE_COMPLETE      | AWS::ECR::Repository    | ContainerAssetsRepository
CDKToolkit |  0/12 | 22:02:29 | DELETE_COMPLETE      | AWS::SSM::Parameter     | CdkBootstrapVersion
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DetachRolePolicy on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DetachRolePolicy action (Service: Iam, Status Code: 403, Request ID: 9e9cb0fc-428d-4254-86d5-a51cc9086266)" (RequestToken: f4e7cf81-5ac9-1aac-eb40-86853d9d57ac, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | LookupRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRolePolicy on resource: role cdk-hnb659fds-lookup-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRolePolicy action (Service: Iam, Status Code: 403, Request ID: e077cb02-898e-4175-92ac-687f844d8919)" (RequestToken: f6715cee-9b33-cecb-1572-1641fd654156, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 71c798ab-e31d-4ffa-9954-e23bc0d389f8)" (RequestToken: acff83e5-213e-f76d-a9dd-46fdae365ca2, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 622953fc-b92f-4dbc-a3a9-06983f5d05c7)" (RequestToken: 14fa52d0-7b13-ff49-4d93-e223e7a88495, HandlerErrorCode: AccessDenied)
CDKToolkit |  0/12 | 22:02:29 | ROLLBACK_FAILED      | AWS::CloudFormation::Stack | CDKToolkit The following resource(s) failed to delete: [ImagePublishingRole, FilePublishingRole, LookupRole, CloudFormationExecutionRole].

Failed resources:
CDKToolkit | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:26 | CREATE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DetachRolePolicy on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DetachRolePolicy action (Service: Iam, Status Code: 403, Request ID: 9e9cb0fc-428d-4254-86d5-a51cc9086266)" (RequestToken: f4e7cf81-5ac9-1aac-eb40-86853d9d57ac, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | LookupRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRolePolicy on resource: role cdk-hnb659fds-lookup-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRolePolicy action (Service: Iam, Status Code: 403, Request ID: e077cb02-898e-4175-92ac-687f844d8919)" (RequestToken: f6715cee-9b33-cecb-1572-1641fd654156, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 71c798ab-e31d-4ffa-9954-e23bc0d389f8)" (RequestToken: acff83e5-213e-f76d-a9dd-46fdae365ca2, HandlerErrorCode: AccessDenied)
CDKToolkit | 22:02:29 | DELETE_FAILED        | AWS::IAM::Role          | FilePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DeleteRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DeleteRole action (Service: Iam, Status Code: 403, Request ID: 622953fc-b92f-4dbc-a3a9-06983f5d05c7)" (RequestToken: 14fa52d0-7b13-ff49-4d93-e223e7a88495, HandlerErrorCode: AccessDenied)
 ❌  Environment aws://341538367464/eu-west-2 failed bootstrapping: Error: The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_FAILED (The following resource(s) failed to delete: [ImagePublishingRole, FilePublishingRole, LookupRole, CloudFormationExecutionRole]. ): Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (/opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:452:10567)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async /opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:457:2348
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:457:2193)
    at async exec4 (/opt/homebrew/lib/node_modules/cdk/node_modules/aws-cdk/lib/index.js:510:54361)
[22:02:33] Reading cached notices from /Users/matt/.cdk/cache/notices.json

The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_FAILED (The following resource(s) failed to delete: [ImagePublishingRole, FilePublishingRole, LookupRole, CloudFormationExecutionRole]. ): Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)" (RequestToken: 97cd1be4-fb19-c351-1288-81b9dc831d27, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: a4284144-c727-49f2-ac12-affba48f6f5d)" (RequestToken: 77b10dc8-23a5-6bc0-310f-f04f08c1e06a, HandlerErrorCode: AccessDenied), Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-file-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: b1bb91a6-005f-4b5e-a3bf-d8bed38bdfab)" (RequestToken: 787b7de0-8f3d-67ac-2c0e-299af18fee61, HandlerErrorCode: AccessDenied)
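The denial messages in both logs (the original report and this one) name the principal CloudFormation was actually acting as, which, as noted earlier in the thread, is the first thing to compare against what `aws sts get-caller-identity` reports. The Python below is an added example, not code from this issue or from the aws-cdk project: it parses CloudFormation event text for IAM AccessDenied messages, extracts the principal, the denied action and the resource, collapses the repeats CloudFormation prints (event stream, "Failed resources" list, final error), lists the minimum set of actions each principal lacks, and flags any principal that differs from the identity you expected. The sample text is constructed from lines quoted in this issue; the caller ARN `arn:aws:sts::1111222233334:assumed-role/EXAMPLE-admin/alice` is a made-up placeholder because the issue never shows the reporter's get-caller-identity output; and the `AWSReservedSSO_` check goes beyond this issue (it is the standard naming prefix for roles that IAM Identity Center provisions).

```python
"""Pull the effective principal and the denied IAM actions out of CloudFormation
event text, so a failing `cdk bootstrap` can be checked against the identity
that `aws sts get-caller-identity` reports.
Added example for this issue thread; not aws-cdk project code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# IAM AccessDenied text as CloudFormation relays it. Whitespace is matched with
# \s+ because terminals wrap these messages across lines, and the account id
# with \d+ because redacted logs (the 13-digit id in the original report)
# would otherwise be skipped.
DENIAL_RE = re.compile(
    r"User:\s+(?P<principal>arn:aws:(?:iam|sts)::\d+:\S+)\s+is not authorized to perform:\s+"
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+)\s+on resource:\s+(?P<resource>.+?)\s+"
    r"because no identity-based policy allows the (?P=action) action",
    re.S,
)


@dataclass(frozen=True)
class Denial:
    principal: str
    action: str
    resource: str


def parse_denials(text: str) -> list[Denial]:
    """Distinct denials in order of first appearance. CloudFormation repeats each
    message in the event stream, the 'Failed resources' list and the final
    error, so duplicates are collapsed."""
    seen: dict[Denial, None] = {}
    for m in DENIAL_RE.finditer(text):
        seen.setdefault(Denial(m["principal"], m["action"], m["resource"]), None)
    return list(seen)


def classify_principal(arn: str) -> str:
    """Human-readable description of the identity named in a denial message."""
    tail = arn.rpartition(":")[2]  # everything after the account id
    kind, _, rest = tail.partition("/")
    if kind == "user":
        return f"IAM user '{rest}'"
    if kind == "assumed-role":
        role, _, session = rest.partition("/")
        # Identity Center provisions roles named AWSReservedSSO_<permission set>_<hash>;
        # general AWS naming, not something shown in this issue.
        if role.startswith("AWSReservedSSO_"):
            return f"IAM Identity Center permission-set role '{role}' (session '{session}')"
        return f"assumed role '{role}' (session '{session}')"
    if kind == "root":
        return "account root user"
    return f"unrecognised principal '{tail}'"


def denied_actions_by_principal(denials: list[Denial]) -> dict[str, set[str]]:
    """Which IAM actions each principal was refused: the minimum the policy lacks."""
    out: dict[str, set[str]] = defaultdict(set)
    for d in denials:
        out[d.principal].add(d.action)
    return dict(out)


def unexpected_principals(denials: list[Denial], caller_arn: str) -> set[str]:
    """Principals in the denials that are not the identity you believed you were
    using. A non-empty result means something (a profile, a role chain, a
    CloudFormation service role) is substituting another identity."""
    return {d.principal for d in denials if d.principal != caller_arn}


# Constructed samples, abbreviated from the logs quoted in this issue.
SAMPLE_ORIGINAL = """\
8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | LookupRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-lookup-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action

8:19:40 AM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole
API: iam:GetRole User: arn:aws:sts::1111222233334:assumed-role/cdk-toolkit/AWSCloudFormation is not authorized to perform: iam:GetRole
on resource: role cdk-hnb659fds-cfn-exec-role-1111222233334-us-east-1 because no identity-based policy allows the iam:GetRole action
"""

SAMPLE_IDENTITY_CENTER = """\
CDKToolkit |  0/12 | 22:02:26 | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)"
CDKToolkit |  0/12 | 22:02:29 | DELETE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:DetachRolePolicy on resource: role cdk-hnb659fds-cfn-exec-role-341538367464-eu-west-2 because no identity-based policy allows the iam:DetachRolePolicy action (Service: Iam, Status Code: 403, Request ID: 9e9cb0fc-428d-4254-86d5-a51cc9086266)"
Failed resources:
CDKToolkit | 22:02:26 | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole Resource handler returned message: "User: arn:aws:iam::341538367464:user/matt is not authorized to perform: iam:GetRole on resource: role cdk-hnb659fds-image-publishing-role-341538367464-eu-west-2 because no identity-based policy allows the iam:GetRole action (Service: Iam, Status Code: 403, Request ID: 2014b22d-8e58-43c3-82d0-4fe2a2f66841)"
"""

# Placeholder for what `aws sts get-caller-identity` might have shown the original
# reporter; the issue does not include that output.
EXPECTED_CALLER = "arn:aws:sts::1111222233334:assumed-role/EXAMPLE-admin/alice"

if __name__ == "__main__":
    for label, text, caller in (
        ("original report", SAMPLE_ORIGINAL, EXPECTED_CALLER),
        ("identity center report", SAMPLE_IDENTITY_CENTER, "arn:aws:iam::341538367464:user/matt"),
    ):
        denials = parse_denials(text)
        print(f"== {label}: {len(denials)} distinct denial(s)")
        for principal, actions in denied_actions_by_principal(denials).items():
            print(f"  {classify_principal(principal)} lacks {sorted(actions)}")
        for p in unexpected_principals(denials, caller):
            print(f"  WARNING: denied principal {p} is not the expected caller {caller}")
```

On the original report's text the parser reports the `cdk-toolkit` assumed role as the denied principal, which is not an Identity Center or admin identity, so the warning fires; on the second log the denied principal is the IAM user itself, and the output reduces to the list of actions (`iam:GetRole`, `iam:DetachRolePolicy`, and in the full log `iam:DeleteRole` and `iam:DeleteRolePolicy`) that the effective policy did not allow. Paste real `cdk bootstrap -v` output into `parse_denials` to get the same summary for your own run.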

@fidothe

fidothe commented Sep 1, 2024

@peterwoodworth If I re-run the cdk bootstrap using a traditional IAM user with the same canned AdministratorAccess permissions instead of an IAM Identity Center user, it bootstraps fine.
