Probably the best thing to do is provide your clients a CloudFormation template that they can use to bootstrap the account for you. The following command will generate a CDK bootstrap template (note: it's a good idea to add a qualifier to the toolkit so you don't conflict with other toolkits in the same account)
cdk bootstrap --qualifier acme-corp --show-template > bootstrap-template.yaml
There are 4 required roles (deployment, file asset, image asset and cloudformation exec). CDK will look up these roles by their names. Whatever principal you authenticate to your client's account with must have access to assume the deployment role.
Note that the cloudformation exec role has excessive access by default.
But, if you really want a way around this I would look at creating a custom synthesizer. I've never done this before but I think you could set all 4 roles to be the same principal you already have access to: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-custom-synth
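Before handing the generated template to a client it is worth reviewing the roles it creates, in particular the default AdministratorAccess on the cloudformation exec role and which accounts the deployment role trusts. The script below is an added example, not code from this answer or from the CDK project: it reads a CloudFormation template in JSON form (a constructed sample shaped like the bootstrap template, not the real `cdk bootstrap --show-template` output) and reports those two findings per role.

```python
import json

# Constructed sample in the shape of a CDK bootstrap template (JSON form), not the
# real output of `cdk bootstrap --show-template`. Account ids are placeholders.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "DeploymentActionRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                   "arn:aws:iam::222222222222:root"]}}]},
        "ManagedPolicyArns": []}},
    "CloudFormationExecutionRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "cloudformation.amazonaws.com"}}]},
        "ManagedPolicyArns": [
            {"Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"}]}},
}})


def _as_str(value):
    """Flatten a plain string or an Fn::Sub intrinsic into a comparable string."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        return sub if isinstance(sub, str) else sub[0]
    return str(value)


def audit_roles(template_json, home_account):
    """Return {role_name: [findings]} for every AWS::IAM::Role in the template.

    Flags the AdministratorAccess managed policy and any trusted AWS account
    principal other than home_account (the account the template is deployed to).
    """
    report = {}
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props, findings = res.get("Properties", {}), []
        for arn in props.get("ManagedPolicyArns", []):
            if _as_str(arn).endswith("/AdministratorAccess"):
                findings.append("admin-managed-policy")
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            aws = stmt.get("Principal", {}).get("AWS", [])
            for principal in [aws] if isinstance(aws, str) else aws:
                # ARN layout is arn:partition:service:region:account:resource
                acct = principal.split(":")[4] if principal.count(":") >= 5 else principal
                if acct != home_account:
                    findings.append(f"trusts-account:{acct}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for role, found in audit_roles(SAMPLE_TEMPLATE, "111111111111").items():
        print(role, found or ["ok"])
```

Convert a YAML template with `cfn-flip` or similar before feeding it in; the script deliberately avoids a YAML dependency because CloudFormation's short-form tags (`!Sub`, `!Ref`) are not plain YAML.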
Hi there, thank you for your question. What you could do, is customise the templates you are deploying using the CDK. For example, refer to the bootstrapping guide: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html You can get the bootstrap-template.yaml file by using this command:
cdk bootstrap --show-template > bootstrap-template.yaml
You can then edit the bootstrap-template.yaml file according to your needs, and deploy it yourself. If you choose to create those roles yourself, you can refer to them in the CloudFormation template.
It's possible to use CDK, run cdk synth to generate the CloudFormation, and to use that to deploy without the bootstrap stack. This was done with CDKv1.
It's slightly painful, but I have needed to do this in the past where the environment required 'pure' CloudFormation deployment via CodePipeline and assuming a role within the target account wasn't permitted.
The CDK stack was synthesised, then aws cloudformation package was used to upload the stacks and assets to the single deployment bucket the organisation deploy setup uses.
Some resources had to be imported with different resource types, in particular VPCs and Route53 domains. Sometimes when importing you had to use features of CDK.Token to reassure the process an imported value was a number.
As was suggested by another poster, a Custom Bootstrapping setup may be the appropriate way to do this.
Hi,
We strongly recommend against using your main AWS account for day-to-day tasks. Instead, create a user in IAM and use its credentials with the CDK.
The CDK Toolkit needs to know your AWS account credentials and the AWS region into which you are deploying, not only for deployment operations but also to retrieve context values during synthesis. Together, your account and region make up the environment. Refer to https://docs.aws.amazon.com/cdk/v2/guide/cli.html
FYI, in the CDK v2 CLI you can use the --trust parameter to allow assuming the role from another account. https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing