
feat(cli): add sts:TagSession permission to trusted accounts on bootstrap #762

Open: wants to merge 1 commit into main.

Conversation


@antonu17 antonu17 commented Aug 3, 2025

Description

Accounts bootstrapped with --trust or --trust-for-lookup need sts:TagSession permissions in AssumeRolePolicy.

I got errors during cdk deploy runs in CD pipelines executed on an EKS cluster in the trusted account.

Error message:
Could not assume role in target account using current credentials (which are for account <TRUSTED_ACCOUNT>) User: arn:aws:sts::<TRUSTED_ACCOUNT>:assumed-role/<eks-pod-role> is not authorized to perform: sts:TagSession on resource: arn:aws:iam::<TARGET_ACCOUNT>:role/cdk-hnb659fds-lookup-role-<TARGET_ACCOUNT>-us-east-1

Troubleshooting revealed that DeploymentActionRole, FilePublishingRole, ImagePublishingRole and LookupRole don't have sts:TagSession. After updating the AssumeRolePolicy, cdk deploy worked normally.

Fixes aws/aws-cdk#31557


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
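The gap the PR describes, as an added example that is not aws-cdk code: a constructed trust policy (AssumeRolePolicyDocument) in the "before" shape that grants a trusted account only sts:AssumeRole, a check that reports the missing sts:TagSession for the principal as written in the policy (the trusted account root, which covers the EKS pod role in that account), and a patch that adds sts:TagSession next to sts:AssumeRole without touching principals or conditions. The account id is a placeholder.

```python
"""Detect and fix the sts:TagSession gap in a role trust policy.
Added example, not aws-cdk code; the sample policy is constructed."""
import copy
import json

# Constructed sample: trust policy granting only sts:AssumeRole to a trusted account.
TRUST_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
            "Action": "sts:AssumeRole",
        }
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    return [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))

def allowed_actions_for(policy, principal_arn):
    """Actions granted to the principal as written in the policy by Allow
    statements; Deny statements and Conditions are not evaluated here."""
    actions = set()
    for stmt in policy.get("Statement", []):
        principals = _principals(stmt)
        if stmt.get("Effect") == "Allow" and (principal_arn in principals or "*" in principals):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def missing_tag_session(policy, principal_arn):
    """True when the principal can assume the role but not tag the session:
    the condition behind the 'not authorized to perform: sts:TagSession' error."""
    actions = allowed_actions_for(policy, principal_arn)
    return "sts:AssumeRole" in actions and "sts:TagSession" not in actions

def add_tag_session(policy):
    """Copy of the policy where every Allow statement granting sts:AssumeRole
    also grants sts:TagSession; principals and conditions are left unchanged."""
    patched = copy.deepcopy(policy)
    for stmt in patched.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions and "sts:TagSession" not in actions:
            stmt["Action"] = actions + ["sts:TagSession"]
    return patched

TRUST_POLICY_AFTER = add_tag_session(TRUST_POLICY_BEFORE)
```

Run the same check against each bootstrap role's trust policy (for example the output of `aws iam get-role`) to confirm the fix landed on DeploymentActionRole, FilePublishingRole, ImagePublishingRole and LookupRole alike.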

aws-cdk-automation requested a review from a team, August 3, 2025 17:03
github-actions bot added the p2 label, Aug 3, 2025
antonu17 changed the title from "feat(cli): add sts:TagSession permission to trusted accounts" to "feat(cli): add sts:TagSession permission to trusted accounts on bootstrap", Aug 3, 2025

codecov-commenter commented Aug 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.21%. Comparing base (9f8d2ec) to head (0a5e3a0).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #762      +/-   ##
==========================================
+ Coverage   81.16%   81.21%   +0.04%     
==========================================
  Files          61       61              
  Lines        8267     8267              
  Branches      952      950       -2     
==========================================
+ Hits         6710     6714       +4     
+ Misses       1529     1528       -1     
+ Partials       28       25       -3     
Flag: suite.unit, Coverage: 81.21% <ø> (+0.04%) ⬆️


Successfully merging this pull request may close these issues.

core: Allow sts:TagSession to trusted accounts