AWS DevOps & Developer Productivity Blog
Automating cross-account actions with an AWS CDK credential plugin
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to model and provision your cloud application resources using familiar programming languages. You can automate release pipelines for your infrastructure defined by the AWS CDK by using tools such as AWS CodePipeline. As the architecture for your application becomes more complex, so too can your release pipelines.
When you first create an AWS CDK application, you define a top-level AWS CDK app. Within the app, you typically define one or more stacks, which are the unit of deployment, analogous to AWS CloudFormation stacks. Each stack instance in your AWS CDK app is explicitly or implicitly associated with an environment (env). An environment is the target AWS account and Region into which you intend to deploy the stack. When you attempt to deploy an AWS CDK app that contains multiple environments, managing the credentials for each environment can become difficult and usually involves using custom scripts.
This post shows how to use an AWS CDK credential plugin to simplify and streamline deploying AWS CDK apps that contain multiple stacks to deploy to multiple environments. This post assumes that you are explicitly associating your stacks with an environment and may not work with environment-agnostic stacks.
AWS CDK credential plugin overview
AWS CDK allows the use of plugins during the credential process. By default, it looks for default credentials in a few different places. For more information, see Prerequisites. When you run an AWS CDK command such as synth or deploy, the AWS CDK CLI needs to perform actions against the AWS account that is defined for the stack. It attempts to use your default credentials, but what happens if you need credentials for multiple accounts? This is where credential plugins come into play. The basic flow that the AWS CDK CLI takes when obtaining credentials is as follows:
- Determine the environment for the stack.
- Look for credentials to use against that environment.
- If the default credentials match, the environment uses those.
- If the default credentials don’t match the environment, it loads any credential plugins and attempts to fetch credentials for the environment using those credential plugins.
Walkthrough overview
In this walkthrough, you use the cdk-assume-role-credential plugin to read information from multiple AWS accounts as part of the synthesis process. This post assumes you have the following three accounts:
- Shared services – Where you run the AWS CDK commands from. It has access to assume the role in the other two accounts. This is where you can also deploy a pipeline to automate the deployment of your AWS CDK app.
- Development application – The development environment (dev) for the application.
- Production application – The production environment (prod) for the application.
However, you can still follow the walkthrough if you only have access to the shared services and either the development or production accounts.
The walkthrough follows this high-level process:
- Download and install the plugin
- Create the required resources
- Use the plugin to synthesize CloudFormation templates for the dev and prod account.
The sample project used for this walkthrough is located on GitHub.
Prerequisites
For this walkthrough, you should have the following prerequisites:
- Access to at least the shared services and either the development or production account.
- AWS CDK installed with its prerequisites
- Familiarity with running AWS commands from the AWS CLI
Downloading and installing the plugin
The cdk-assume-role-credential plugin and sample code used in this post are on the GitHub repo. You need to first clone this repo locally and install the plugin as a global package.
- Download the GitHub project with the following code:
$ git clone https://github.com/aws-samples/cdk-assume-role-credential-plugin.git
- Install the plugin globally with the following code:
$ npm install -g git+https://github.com/aws-samples/cdk-assume-role-credential-plugin.git
Creating the required resources
Because this plugin uses pre-provisioned roles in the target account, you need to first create those roles. For this post, you create two AWS Identity and Access Management (IAM) roles with the default names that the plugin looks for:
- cdk-readOnlyRole – Has the ReadOnlyAccess AWS managed policy attached
- cdk-writeRole – Has the AdministratorAccess AWS managed policy attached
Both roles also are configured to trust the shared services account.
Before completing the following steps, make sure you have the account IDs for the three accounts and can obtain AWS CLI credentials for each account.
- Move to the sample-app folder:
$ cd cdk-assume-role-credential-plugin/aws-samples
- Install dependencies:
$ npm install
- Edit the bin/required-resources.ts file and fill in the account numbers where indicated:
new RequiredResourcesStack(app, 'dev', {
env: {
account: 'REPLACE_WITH_DEV_ACCOUNT_ID',
region: 'REPLACE_WITH_REGION'
},
trustedAccount: 'REPLACE_WITH_SHARED_SERVICES_ACCOUNT_ID'
});
new RequiredResourcesStack (app, 'prod', {
env: {
account: 'REPLACE_WITH_PROD_ACCOUNT_ID',
region: 'REPLACE_WITH_REGION'
},
trustedAccount: 'REPLACE_WITH_SHARED_SERVICES_ACCOUNT_ID'
});
- Build the AWS CDK app:
$ npm run build
- Using the AWS CLI credentials for the dev account, run cdk deploy to create the resources:
$ cdk deploy dev
- Using the AWS CLI credentials for the prod account, run cdk deploy to create the resources:
$ cdk deploy prod
Now you should have the required roles created in both the dev and prod accounts.
Synthesizing the AWS CDK app
Take a look at the sample app to see what it’s comprised of. When you open the bin/sample-app.ts file, you can see that the AWS CDK app is comprised of two SampleApp stacks: one deployed to the dev account in the us-east-2 region, and the other deployed to the prod account in the us-east-1 region. To synthesize the application, complete the following steps:
- Edit the bin/sample-app.ts file (fill in the account numbers where indicated):
const dev = { account: 'REPLACE_WITH_DEV_ACCOUNT_ID', region: 'us-east-2' }
const prod = { account: 'REPLACE_WITH_PROD_ACCOUNT_ID', region: 'us-east-1' }
new SampleApp(app, 'devSampleApp', { env: dev });
new SampleApp(app, 'prodSampleApp', { env: prod });
- Build the AWS CDK app:
$ npm run build
- Using the AWS CLI credentials for the shared services account, try to synthesize the app:
$ cdk synth –-app "npx ts-node bin/sample-app.ts"
You should receive an error message similar to the following code, which indicates that you don’t have credentials for the accounts specified:
[Error at /devSampleApp] Need to perform AWS calls for account 11111111111, but the current credentials are for 222222222222.
[Error at /prodSampleApp] Need to perform AWS calls for account 333333333333, but the current credentials are for 222222222222.
- Enter the code again, but this time tell it to use cdk-assume-role-credential-plugin:
$ cdk synth –-app "npx ts-node bin/sample-app.ts" –-plugin cdk-assume-role-credential-plugin
You should see the command succeed:
Successfully synthesized to /cdk.out
Supply a stack id (devSampleApp, prodSampleApp) to display its template.
Cleaning up
To avoid incurring future charges, delete the resources. Make sure you’re in the cdk-assume-role-credential-plugin/sample-app/.
- Using the AWS CLI credentials for the dev account, run cdk destroy to destroy the resources:
$ cdk destroy dev
- Using the AWS CLI credentials for the prod account, run cdk destroy to destroy the resources:
$ cdk destroy prod
Conclusion
You can simplify deploying stacks to multiple accounts by using a credential process plugin cdk-assume-role-credential-plugin.
This post provided a straightforward example of using the plugin while deploying an AWS CDK app manually.