#help

Erik Robertson

03/17/2022, 11:28 AM
Hello all. I updated SST to 0.69 along with all my other packages. Everything was working well until then. I'm running into this error upon sst start:
current credentials could not be used to assume 'arn:aws:iam::055101007100:role/cdk-hnb659fds-deploy-role-XXX-us-west-2', but are for the right account. Proceeding anyway.
❌  DEV-ERIK-dwam-back-debug-stack failed: Error: DEV-ERIK-dwam-back-debug-stack: User: arn:aws:iam::XXX:user/dev_admin is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:XXX:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
I am already passing a --role-arn parameter to sst start which has that ssm permission and it worked well using that role to build the debug stack but it's apparently not using it for deploying. Based on the first line I have also tried to give the iam:passRole also to that CDK role but that didn't change anything either... Any help is appreciated.

Frank

03/17/2022, 8:29 PM
Hey @Erik Robertson, did this start happening after updating to 0.69.0?

Erik Robertson

03/17/2022, 8:41 PM
Yes @Frank that is correct

Frank

03/17/2022, 8:42 PM
I see. Which version were u on that worked?
And can i see how u r calling sst start with role arn?

Erik Robertson

03/17/2022, 10:27 PM
I see that the last time I updated sst was on Jan 5th, so whatever was latest back then. And here's my sst start call (which worked perfectly in the past BTW): sst start --role-arn arn:aws:iam::XXX:role/DWAM-SST-CloudFormation-Role (XXX is my account #)

Frank

03/17/2022, 11:39 PM
Ah I see. So we moved from using CDK v1 to CDK v2 in 0.59.0, which was released on Jan 13. So you were most likely on CDK v1 before.
CDK made some changes to its internal bootstrap stack, and now requires a few additional permissions.
Can you try granting the ssm:GetParameter permission to the IAM user arn:aws:iam::XXX:user/dev_admin?

Erik Robertson

03/18/2022, 12:30 AM
Indeed I did already do a number of changes earlier today in regards to CDK V2. Until that error, all had gone well (to build the stack) by doing those changes in the role only. I will test your recommendation tomorrow (1.30am over here and in bed!) and I imagine it will work but would have liked to avoid user level changes... Will let you know.
So that worked fine. Beyond that things went pretty smoothly once I adjusted a few more things for CDK v2. I just tried removing the entire stack and rebuilding it without any issue.