fix(cli): cross account asset upload no longer works #12155
Conversation
cdk_asset asset handlers use IAws to make calls to AWS APIs to discover
information about target environment: account id, region, partition.
Each asset is described by its manifest in a Cloud Assembly. This manifest
can contain placeholders to resolved by asset handlers when publishing
assets.
Previously `${Aws::Partition}` placeholder was derived from a code path used
to resolve `${Aws::AccountId}`, which was introducing a cyclic dependency for
cross account deployments:
- to replace partition placeholder it was assuming role in a target account
to discover partition
- to assume role in a target account it needs to know full role ARN to assume
- role ARN contains partition placeholder
It was working for same account deployments and for non environment aware deployments,
because SdkProvider was always using current default (ambient) credentials without making
`AssumeRole` call, thus it was able to replace placeholders in asset manifest without
introducing a cyclic dependency.
To fix cross account deployments we introduce `IAWS.discoverPartition()` method to return
partition of default (ambient) credentials `cdk deploy` is called with. This works, because
cross partition `AssumeRole` calls are not possible, therefore it's enough to know our
default credentials partition.
|
|
|
You're a saint! ❤️ |
mergify
bot
dismissed
rix0rrr’s stale review
Pull request has been modified.
|
@rix0rrr , validate-pr check is stuck :( |
|
@rix0rrr , you approved this PR to be merged, but it is stuck on |
|
Maybe rebase the branch to re-run the PR checks? |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@rix0rrr , would you mind to approve it again, only change is that I merged master to retrigger checks, because validate-pr was stuck |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
cdk_asset asset handlers use IAws to make calls to AWS APIs to discover
information about target environment: account id, region, partition.
Each asset is described by its manifest in a Cloud Assembly. This manifest
can contain placeholders to resolve by asset handlers when publishing
assets.
Previously
${Aws::Partition}placeholder was derived from a code path usedto resolve
${Aws::AccountId}, which was introducing a cyclic dependency forcross account deployments:
to discover partition
It was working for same account deployments and for non environment aware deployments,
because SdkProvider was always using current default (ambient) credentials without making
AssumeRolecall, thus it was able to replace placeholders in asset manifest withoutintroducing a cyclic dependency.
To fix cross account deployments we introduce
IAWS.discoverPartition()method to returnpartition of default (ambient) credentials
cdk deployis called with. This works, becausecross partition
AssumeRolecalls are not possible, therefore it's enough to know ourdefault credentials partition.
Fixes #12151
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license