I'm fairly new (today is the first day) to Amazon CDK. I am currently following the initial tutorial on Amazon's CDK page.
I have installed aws and cdk:
aws --version
aws-cli/2.2.5 Python/3.8.8 Linux/5.11.0-43-generic exe/x86_64.ubuntu.20 prompt/off
cdk --version
2.3.0 (build beaa5b2)
I have added the following code to create a simple lambda function:
notifyTodoScheduleFullDay/bin/notify_todo_schedule_full_day.ts
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { NotifyTodoScheduleFullDayStack } from '../lib/notify_todo_schedule_full_day-stack';
const app = new cdk.App();
new NotifyTodoScheduleFullDayStack(app, 'NotifyTodoScheduleFullDayStack', {});
notifyTodoScheduleFullDay/lib/notify_todo_schedule_full_day-stack.ts
import * as cdk from 'aws-cdk-lib';
import { aws_lambda_nodejs as lambda } from 'aws-cdk-lib';

export class NotifyTodoScheduleFullDayStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new lambda.NodejsFunction(this, "notifyTodoScheduleFullDay", {
      entry: "src/index.ts",
      handler: "handler",
      bundling: {
        minify: true, // minify code, defaults to false
        target: 'es2020', // target environment for the generated JavaScript code
        define: { // Replace strings during build time
          'process.env.API_KEY': JSON.stringify('xxx-xxxx-xxx'),
          'process.env.PRODUCTION': JSON.stringify(true),
          'process.env.NUMBER': JSON.stringify(123),
        },
        logLevel: lambda.LogLevel.WARNING, // defaults to LogLevel.WARNING
        charset: lambda.Charset.UTF8, // do not escape non-ASCII characters, defaults to Charset.ASCII
      },
    });
  }
}
notifyTodoScheduleFullDay/src/index.ts
export const handler = () => {
  return {
    statusCode: 200,
    headers: {},
    body: "This is a test"
  }
}
Now when I run cdk synth:
...
Successfully built 02d6914d6b53
Successfully tagged cdk-8fdc30cb2c9ed412046010e799d65c0ea32740bedc9d91b938c57d400ad7b53e:latest
Bundling asset NotifyTodoScheduleFullDayStack/notifyTodoScheduleFullDay/Code/Stage...
esbuild cannot run locally. Switching to Docker bundling.
Resources:
  notifyTodoScheduleFullDayServiceRoleC004AA77:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: NotifyTodoScheduleFullDayStack/notifyTodoScheduleFullDay/ServiceRole/Resource
  notifyTodoScheduleFullDay200FABC6:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket:
          Fn::Sub: cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}
        S3Key: da842e2df006207da8989140b01b302408f071b2f74188cae1f4624fd056614f.zip
      Role:
        Fn::GetAtt:
          - notifyTodoScheduleFullDayServiceRoleC004AA77
          - Arn
      Environment:
        Variables:
          AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
      Handler: index.handler
      Runtime: nodejs14.x
    DependsOn:
      - notifyTodoScheduleFullDayServiceRoleC004AA77
    Metadata:
      aws:cdk:path: NotifyTodoScheduleFullDayStack/notifyTodoScheduleFullDay/Resource
      aws:asset:path: asset.da842e2df006207da8989140b01b302408f071b2f74188cae1f4624fd056614f
      aws:asset:is-bundled: true
      aws:asset:property: Code
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zWOzQ6CMAyAn4X7qCImnoXEowd8ADK2SspPl9BND4R3d4x4+tLmy9deoIRzpr+SGzvmE3Wwvrw2o4qrdp303FndsrM4CDwTHoGNJ8eK9Axr4yZU9Zt3bkrKVougF7jviDNUwYzoKy2ojhpE+9/YVPLixZ64Tx0UFxaTmrVjS4e2fwCDnD7FFYobFNkgRPkS2NOM0Bz8Aem4EiHMAAAA
    Metadata:
      aws:cdk:path: NotifyTodoScheduleFullDayStack/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
Now when I try to deploy with cdk deploy --profile xxxx I get:
...
current credentials could not be used to assume 'arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-central-1', but are for the right account. Proceeding anyway.
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:
IAM Statement Changes
┌───┬──────────────────────────────────────────────┬────────┬────────────────┬──────────────────────────────┬───────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼──────────────────────────────────────────────┼────────┼────────────────┼──────────────────────────────┼───────────┤
│ + │ ${notifyTodoScheduleFullDay/ServiceRole.Arn} │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
└───┴──────────────────────────────────────────────┴────────┴────────────────┴──────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬──────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼──────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${notifyTodoScheduleFullDay/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴──────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
Do you wish to deploy these changes (y/n)? y
NotifyTodoScheduleFullDayStack: deploying...
current credentials could not be used to assume 'arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-central-1', but are for the right account. Proceeding anyway.
Could not read SSM parameter /cdk-bootstrap/hnb659fds/version: User: arn:aws:iam::359163713835:user/lambda-functions is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:359163713835:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
❌ NotifyTodoScheduleFullDayStack failed: Error: NotifyTodoScheduleFullDayStack: This CDK deployment requires bootstrap stack version '6', found an older version. Please run 'cdk bootstrap'.
at CloudFormationDeployments.validateBootstrapStackVersion (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:323:13)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at CloudFormationDeployments.publishStackAssets (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:298:7)
at CloudFormationDeployments.deployStack (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:202:5)
at CdkToolkit.deploy (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
at initCommandLine (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/bin/cdk.ts:267:9)
NotifyTodoScheduleFullDayStack: This CDK deployment requires bootstrap stack version '6', found an older version. Please run 'cdk bootstrap'.
What exactly is going on? Why am I not able to deploy my stack?
cdk bootstrap
Sending build context to Docker daemon 138.2kB
Step 1/12 : ARG IMAGE=public.ecr.aws/sam/build-nodejs14.x
Step 2/12 : FROM $IMAGE
---> 3147f2b9c981
Step 3/12 : RUN npm install --global yarn@1.22.5
---> Using cache
---> bf8f25f59972
Step 4/12 : RUN npm install --global pnpm
---> Using cache
---> 4310f7c1d337
Step 5/12 : RUN npm install --global typescript
---> Using cache
---> 8380434f397e
Step 6/12 : ARG ESBUILD_VERSION=0
---> Using cache
---> 1acd8da9c4f4
Step 7/12 : RUN npm install --global --unsafe-perm=true esbuild@$ESBUILD_VERSION
---> Using cache
---> 9cc9743c5a2f
Step 8/12 : RUN mkdir /tmp/npm-cache && chmod -R 777 /tmp/npm-cache && npm config --global set cache /tmp/npm-cache
---> Using cache
---> 5b9c8267e6a7
Step 9/12 : RUN mkdir /tmp/yarn-cache && chmod -R 777 /tmp/yarn-cache && yarn config set cache-folder /tmp/yarn-cache
---> Using cache
---> 71ea1be33795
Step 10/12 : RUN npm config --global set update-notifier false
---> Using cache
---> f7ea8d8d458a
Step 11/12 : RUN /sbin/useradd -u 1000 user && chmod 711 /
---> Using cache
---> c663ca63d996
Step 12/12 : CMD [ "esbuild" ]
---> Using cache
---> 02d6914d6b53
Successfully built 02d6914d6b53
Successfully tagged cdk-8fdc30cb2c9ed412046010e799d65c0ea32740bedc9d91b938c57d400ad7b53e:latest
⏳ Bootstrapping environment aws://835950464690/eu-central-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
Running aws ssm get-parameter --name /cdk-bootstrap/hnb659fds/version --profile xxxxx --region eu-west-2 gives me:
An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:iam::359163713835:user/lambda-functions is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-2:359163713835:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
After help from @gshpychka I noticed that it was missing some permissions. I have set up AmazonSSMFullAccess and AWSLambda_FullAccess on my user's account. Now the original error from this question has gone away. The error I'm getting now is:
$ cdk deploy --profile todozito-lambda-functions
Reading existing template for stack NotifyTodoScheduleFullDayStack.
Retrieved account ID 359163713835 from disk cache
Assuming role 'arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-west-2'.
Assuming role failed: User: arn:aws:iam::359163713835:user/lambda-functions is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-west-2
Could not assume role in target account using current credentials User: arn:aws:iam::359163713835:user/lambda-functions is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
current credentials could not be used to assume 'arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-west-2', but are for the right account. Proceeding anyway.
Call failed: describeStacks({"StackName":"NotifyTodoScheduleFullDayStack"}) => Stack with id NotifyTodoScheduleFullDayStack does not exist (code=ValidationError)
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:
IAM Statement Changes
┌───┬──────────────────────────────────────────────┬────────┬────────────────┬──────────────────────────────┬───────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼──────────────────────────────────────────────┼────────┼────────────────┼──────────────────────────────┼───────────┤
│ + │ ${notifyTodoScheduleFullDay/ServiceRole.Arn} │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
└───┴──────────────────────────────────────────────┴────────┴────────────────┴──────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬──────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼──────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${notifyTodoScheduleFullDay/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴──────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
Do you wish to deploy these changes (y/n)? y
NotifyTodoScheduleFullDayStack: deploying...
current credentials could not be used to assume 'arn:aws:iam::359163713835:role/cdk-hnb659fds-deploy-role-359163713835-eu-west-2', but are for the right account. Proceeding anyway.
❌ NotifyTodoScheduleFullDayStack failed: Error: NotifyTodoScheduleFullDayStack: SSM parameter /cdk-bootstrap/hnb659fds/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)
at CloudFormationDeployments.validateBootstrapStackVersion (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:323:13)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at CloudFormationDeployments.publishStackAssets (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:298:7)
at CloudFormationDeployments.deployStack (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:202:5)
at CdkToolkit.deploy (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
at initCommandLine (/usr/local/lib/node_modules/cdk/node_modules/aws-cdk/bin/cdk.ts:267:9)
NotifyTodoScheduleFullDayStack: SSM parameter /cdk-bootstrap/hnb659fds/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)
See https://github.com/aws/aws-cdk/issues/17942
And https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html
The version assertion warning is not related to your bootstrap version being old; it's asserting that it is not old. Look at SSM parameters in us-east-1. Run with --debug.
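Both failures in the question come down to the deployer identity lacking grants on the bootstrap resources: first ssm:GetParameter on /cdk-bootstrap/hnb659fds/version, then sts:AssumeRole on the cdk-hnb659fds-deploy-role. The following is an added example, not code from the question or from the CDK project: it builds the least-privilege grants a deployer needs (role names are assumed to follow the CDK v2 bootstrap template; hnb659fds is the default qualifier seen above; the account id is constructed) and reports which of them an existing identity policy is missing, using a simplified evaluator that handles Action, Resource and explicit Deny only, with no Condition keys.

```typescript
// Added example, not the question's code nor the CDK project's: a simplified IAM
// evaluator (Action/Resource and explicit Deny only, no Condition keys) used to
// check a deployer identity against the grants CDK v2 bootstrap resources require.
interface Statement { Effect: "Allow" | "Deny"; Action: string[]; Resource: string[] }
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }
// Least-privilege grants for `cdk deploy`. Role names follow the CDK v2 bootstrap
// template (assumed here); "hnb659fds" is the default qualifier seen in the question.
function cdkDeployerPolicy(account: string, region: string, qualifier = "hnb659fds"): PolicyDocument {
  const roles = ["deploy-role", "file-publishing-role", "image-publishing-role", "lookup-role"]
    .map(r => `arn:aws:iam::${account}:role/cdk-${qualifier}-${r}-${account}-${region}`);
  return { Version: "2012-10-17", Statement: [
    { Effect: "Allow", Action: ["sts:AssumeRole"], Resource: roles },
    { Effect: "Allow", Action: ["ssm:GetParameter"],
      Resource: [`arn:aws:ssm:${region}:${account}:parameter/cdk-bootstrap/${qualifier}/version`] },
  ] };
}
// IAM-style wildcard match: "*" matches any run, "?" one character; actions ignore case.
function matches(pattern: string, value: string, ignoreCase: boolean): boolean {
  const esc = (s: string) => s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + pattern.split("*").map(p => p.split("?").map(esc).join(".")).join(".*") + "$";
  return new RegExp(re, ignoreCase ? "i" : "").test(value);
}
function isAllowed(doc: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const s of doc.Statement) {
    if (!s.Action.some(a => matches(a, action, true))) continue;
    if (!s.Resource.some(r => matches(r, resource, false))) continue;
    if (s.Effect === "Deny") return false; // an explicit Deny always wins
    allowed = true;
  }
  return allowed;
}
// Lists "action on resource" for every required grant the policy does not allow; an
// empty list means the deploy gets past the AssumeRole and bootstrap-version checks.
function missingForDeploy(doc: PolicyDocument, account: string, region: string, qualifier = "hnb659fds"): string[] {
  const missing: string[] = [];
  for (const s of cdkDeployerPolicy(account, region, qualifier).Statement)
    for (const a of s.Action)
      for (const r of s.Resource)
        if (!isAllowed(doc, a, r)) missing.push(`${a} on ${r}`);
  return missing;
}
// Constructed sample: a user with Lambda-only permissions, like the question's user
// before any SSM or STS permissions were added (account id is made up).
const LAMBDA_ONLY: PolicyDocument = { Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["lambda:*"], Resource: ["*"] }] };
console.log(missingForDeploy(LAMBDA_ONLY, "123456789012", "eu-west-2"));
```

Adding a broad ssm:* grant (what AmazonSSMFullAccess does) clears only the parameter read; the four AssumeRole grants on the bootstrap roles remain missing, which is exactly the second error the question shows.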