Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(core): SdkProvider.forEnvironment uses wrong credentials in Bitbucket with OIDC #29100

Open
kornicameister opened this issue Feb 14, 2024 · 2 comments
Open

(core): SdkProvider.forEnvironment uses wrong credentials in Bitbucket with OIDC #29100

kornicameister opened this issue Feb 14, 2024 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@kornicameister
Copy link
Contributor

Describe the bug

I am using Bitbucket pipelines and my authorization is configured via OIDC. I can, without any issue deploy the stacks and other artifacts using configured role.

Stack deployments happen via CDK's exec role that CICD role is able to assume.
For sake of the bug let's assume:

  • CICD account 000000 configured OIDC role for Bitbucket
  • Test account 1111111 has CDK toolkit configured

If I do not make an attempt to use --hotswap-fallback I can deploy from CICD without a problem.
The moment I try to use it I get:

stack-name (stack-name-pr-90) failed: Error: Need to perform AWS calls for account 1111111, but the current credentials are for 000000
    at SdkProvider.forEnvironment (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:391:13242)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async tryHotswapDeployment (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:422:17368)
    at async deployStack (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:428:652)
    at async Object.deployStack2 [as deployStack] (/opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:431:196745)
    at async /opt/nodenv/versions/18.16.0/lib/node_modules/aws-cdk/lib/index.js:431:178714

It seems the problem lies in how SdkProvider.forEnvironment works.

What is quite important to mention is the this error happens at the end of the pipeline. Before that error I have bunch of activity related to publishing assets into deployment account 1111111 and those calls work perfectly:

[09:00:27] Checking for previously published assets
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:27] Retrieved account ID 0000000 from disk cache
[09:00:27] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:00:28] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:00:28] Retrieved account ID 0000000 from disk cache
[09:00:28] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-image-publishing-role-11111111-eu-central-1'.
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:00:29] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:00:29] stack-name-pr-90:  check: Check 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:00:30] stack-name-pr-90:  found: Found 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:00:30] 15 total assets, 0 still need to be published
ays-reseller-cms-api-testing (stack-name-pr-90): deploying... [1/1]
[09:00:30] Retrieved account ID 0000000 from disk cache
[09:00:31] Call failed: describeStacks({"StackName":"stack-name-pr-90"}) => Stack with id stack-name-pr-90 does not exist (code=ValidationError)
[09:00:31] stack-name-pr-90: checking if we can skip deploy
[09:00:31] stack-name-pr-90: no existing stack
[09:00:31] stack-name-pr-90: deploying...

Below you can find logs from execution without --hotswap-fallback:

[09:44:50] Checking for previously published assets
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:50] Retrieved account ID 0000000 from disk cache
[09:44:50] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-deploy-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-file-publishing-role-11111111-eu-central-1'.
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/445b47cac0f03c1b2b5e1be6d8762bdaaadd130687437c0d1c7e88c16d1c0e56.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/dc879756c9a7b5b3af68fcbb8a633275a1ad8d190929d3eb55e1393590f0ce5b.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/5c1d58ebd977291c45b2646721aa00ce1ad0b8efa40df79f7b243697f3306c4b.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/e7772f35ed0399dc5c3c63263201373b403fe2d284b3ef0a1ca45d353bf44a35.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ece017a7d7cfba4a1602f6d267cf5a02781708db95bbf4ff8c2394796f26b7a2.zip
[09:44:51] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/8eb784375b8a4c4eec86a265e6fcd2ab539c0ff358182ea540182553d721fe89.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:44:51] Retrieved account ID 0000000 from disk cache
[09:44:51] stack-name-pr-90:  check: Check s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/6ffeca570bf9f86ad7b474090e4e9665ceb3af8c09c14a66474d960704bbfae8.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/626dbc8c0bcd5dd56c8323b61d34473bec15ac3a05a671ecfb2d1e2206490d74.zip
[09:44:52] Retrieved account ID 0000000 from disk cache
[09:44:52] Retrieved account ID 0000000 from disk cache
[09:44:52] Assuming role 'arn:aws:iam::11111111:role/cdk-qualifier-image-publishing-role-11111111-eu-central-1'.
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/4e26bf2d0a26f2097fb2b261f22bb51e3f6b4b52635777b1e54edbd8e2d58c35.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/ed6cd104ff5f101d06dae8cb2b87cc6e6d69b9a22055b467ea6cae10ff023023.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/0623021303f8d4711bd1c6b5fef4fc09e47d2f7d0c91b1de27e328b2fa2c1353.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/03a5fdac07533a45682cb5c7e05b6dba8d80a76985eb34da25350ba445e6d8bf.json
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip
[09:44:52] stack-name-pr-90:  found: Found s3://cdk-qualifier-assets-11111111-eu-central-1/28ac8c854935e8e499681b98f1ce0ed3c74dadbc103b835f9cfa4d3a67e08b07.zip
[09:44:52] stack-name-pr-90:  check: Check 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:44:53] stack-name-pr-90:  found: Found 11111111.dkr.ecr.eu-central-1.amazonaws.com/cdk-qualifier-container-assets-11111111-eu-central-1:ays-94cdc63de163e510376a5cef5134ac3473303f8c79fafe26284d735ee412456f
[09:44:53] 15 total assets, 0 still need to be published
ays-reseller-cms-api-testing (stack-name-pr-90): deploying... [1/1]
[09:44:53] Retrieved account ID 0000000 from disk cache
[09:44:54] Call failed: describeStacks({"StackName":"stack-name-pr-90"}) => Stack with id stack-name-pr-90 does not exist (code=ValidationError)
[09:44:54] stack-name-pr-90: checking if we can skip deploy
[09:44:54] stack-name-pr-90: no existing stack
[09:44:54] stack-name-pr-90: deploying...
[09:44:54] Attempting to create ChangeSet with name cdk-deploy-change-set to create stack stack-name-pr-90
stack-name-pr-90: creating CloudFormation changeset...
[09:44:55] Initiated creation of changeset: arn:aws:cloudformation:eu-central-1:11111111:changeSet/cdk-deploy-change-set/d1cf9d21-17ef-4be3-aa44-a86069931c26; waiting for it to finish creating...
[09:44:55] Waiting for changeset cdk-deploy-change-set on stack stack-name-pr-90 to finish creating...
[09:44:55] Changeset cdk-deploy-change-set on stack stack-name-pr-90 is still creating
[09:45:01] Changeset cdk-deploy-change-set on stack stack-name-pr-90 is still creating
[09:45:06] Changeset cdk-deploy-change-set on stack stack-name-pr-90 is still creating
[09:45:13] Initiating execution of changeset arn:aws:cloudformation:eu-central-1:11111111:changeSet/cdk-deploy-change-set/d1cf9d21-17ef-4be3-aa44-a86069931c26 on stack stack-name-pr-90
[09:45:14] Execution of changeset arn:aws:cloudformation:eu-central-1:11111111:changeSet/cdk-deploy-change-set/d1cf9d21-17ef-4be3-aa44-a86069931c26 on stack stack-name-pr-90 has started; waiting for the update to complete...
[09:45:14] Waiting for stack stack-name-pr-90 to finish creating or updating...
[09:45:14] Stack stack-name-pr-90 has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS (User Initiated))
[09:45:20] Stack stack-name-pr-90 has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS)
stack-name-pr-90 |   0/136 | 9:44:55 AM | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack                    | stack-name-pr-90 User Initiated
stack-name-pr-90 |   0/136 | 9:45:14 AM | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack                    | stack-name-pr-90 User Initiated
[09:45:25] Stack stack-name-pr-90 has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS)

Expected Behavior

I can use --hotswap-fallback in CICD environment of Bitbucket that is using OIDC authorization.

Current Behavior

Stack cannot be deployed with --hotswap-fallback

Reproduction Steps

N/A

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.121.1

Framework Version

No response

Node.js Version

20.8

OS

Debian (BB Pipeline)

Language

TypeScript

Language Version

No response

Other information

No response
@kornicameister kornicameister added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Feb 14, 2024
@pahud
Copy link
Contributor

pahud commented Feb 14, 2024
edited
Loading

CICD account 000000 configured OIDC role for Bitbucket
Test account 1111111 has CDK toolkit configured

So your pipeline account is 000000 and deploying account is 1111111.

How did you bootstrap the account 1111111? Did you add the --trust and --trust-for-lookup for 000000 ?

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2024
@kornicameister
Copy link
Contributor Author

It's not pipeline account per se.
000000 configures the CICD role that is used inside bitbucket pipelines.
Said role can work with CDK toolkit that's deployed in 1111111.

And yes, the parameters you've mentioned had been set between the accounts.

Here's the piece of code from my codebase that deploys the OUs and accounts:

    if (props.cicdAccount) {
      parameters = {
        ...parameters,
        TrustedAccounts: [props.cicdAccount],
      };
    }
    const tpl = new CfnInclude(this, 'BootstrapTemplate', {
      templateFile: 'bootstrap/bootstrap.yml',
      preserveLogicalIds: false,
      parameters: {
        ...parameters,
        Qualifier: qualifier,
      },
    });

bootstrap.yml is the CFN template that cdk boostrap generates.
I am utilizing stack sets to deploy same CDK toolkit to numerous accounts at a time.

@github-actions github-actions bot mentioned this issue Mar 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pahud @kornicameister