fix(cli): cross account asset upload no longer works #12155
cdk_asset asset handlers use IAws to make calls to AWS APIs to discover information about the target environment: account id, region, partition. Each asset is described by its manifest in a Cloud Assembly. This manifest can contain placeholders to be resolved by asset handlers when publishing assets.

Previously the `${Aws::Partition}` placeholder was derived from a code path used to resolve `${Aws::AccountId}`, which was introducing a cyclic dependency for cross account deployments:

- to replace the partition placeholder it was assuming a role in the target account to discover the partition
- to assume a role in the target account it needs to know the full role ARN to assume
- the role ARN contains the partition placeholder

It was working for same account deployments and for non environment aware deployments, because SdkProvider was always using the current default (ambient) credentials without making an `AssumeRole` call, thus it was able to replace placeholders in the asset manifest without introducing a cyclic dependency.

To fix cross account deployments we introduce the `IAWS.discoverPartition()` method to return the partition of the default (ambient) credentials `cdk deploy` is called with. This works because cross partition `AssumeRole` calls are not possible, therefore it's enough to know our default credentials partition.
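The dependency cycle described above, and the resolution order after the fix, as an added example that is not cdk-assets' or the CDK CLI's own code. It uses the `${AWS::Partition}` / `${AWS::AccountId}` placeholder spelling of cdk-assets manifests; `AmbientCreds`, `Destination`, `assumeRole`, `resolveBefore` and `resolveAfter` are constructed stand-ins for the real SDK provider and STS calls.

```typescript
// Added example, not cdk-assets' or the CDK CLI's own code: models the
// placeholder-resolution order the PR describes. AmbientCreds, Destination,
// assumeRole, resolveBefore and resolveAfter are constructed for illustration.
interface AmbientCreds { partition: string; accountId: string } // creds `cdk deploy` runs with
interface Destination { assumeRoleArn?: string; bucketName: string }

const ROLE_ARN = /^arn:([a-z-]+):iam::(\d{12}):role\/.+$/;

// Stand-in for STS AssumeRole: it needs a fully resolved ARN and refuses
// cross-partition calls, which AWS does not allow either.
function assumeRole(creds: AmbientCreds, roleArn: string): AmbientCreds {
  const m = ROLE_ARN.exec(roleArn);
  if (!m) throw new Error(`unresolved role ARN: ${roleArn}`);
  if (m[1] !== creds.partition) throw new Error(`cross-partition AssumeRole refused: ${roleArn}`);
  return { partition: m[1], accountId: m[2] };
}

function substitute(s: string, partition: string, accountId: string): string {
  return s.replace(/\$\{AWS::Partition\}/g, partition).replace(/\$\{AWS::AccountId\}/g, accountId);
}

// Account id written explicitly into the (still unresolved) role ARN, if any.
function explicitAccount(arn?: string): string | undefined {
  return arn ? /:iam::(\d{12}):/.exec(arn)?.[1] : undefined;
}

// Before the fix: the partition came out of the same path as the account id,
// i.e. from the target role's credentials, and only a foreign account triggered
// AssumeRole. Cross-account: the ARN still holds ${AWS::Partition}, so it cycles.
function resolveBefore(creds: AmbientCreds, dest: Destination): Destination {
  const target = explicitAccount(dest.assumeRoleArn);
  const env = target && target !== creds.accountId
    ? assumeRole(creds, dest.assumeRoleArn!)  // throws: ARN not yet resolvable
    : creds;                                  // same-account / env-agnostic: ambient creds
  return { ...dest,
    assumeRoleArn: dest.assumeRoleArn && substitute(dest.assumeRoleArn, env.partition, env.accountId),
    bucketName: substitute(dest.bucketName, env.partition, env.accountId) };
}

// After the fix: the partition comes from the ambient credentials (the PR's
// discoverPartition()), which completes the role ARN before any AssumeRole.
function resolveAfter(creds: AmbientCreds, dest: Destination): Destination {
  const resolved: Destination = { ...dest,
    assumeRoleArn: dest.assumeRoleArn && substitute(dest.assumeRoleArn, creds.partition, creds.accountId),
    bucketName: substitute(dest.bucketName, creds.partition, creds.accountId) };
  if (resolved.assumeRoleArn) assumeRole(creds, resolved.assumeRoleArn); // now succeeds in-partition
  return resolved;
}
```

The same-account and environment-agnostic manifests resolve under both versions; only the cross-account manifest fails before the fix, and a role in another partition is refused in both.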
You're a saint! ❤️
Pull request has been modified.
@rix0rrr, validate-pr check is stuck :(
@rix0rrr, you approved this PR to be merged, but it is stuck on
Maybe rebase the branch to re-run the PR checks?
@rix0rrr, would you mind approving it again? The only change is that I merged master to retrigger checks, because validate-pr was stuck.
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Fixes #12151
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license