cli: Clarify active CDK role in verbose log output #26701
Labels
documentation
This is a problem with documentation.
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p1
package/tools
Related to AWS CDK Tools or CLI
Describe the feature
Clarify which CDK IAM role(s) are active at a point in time.
Use Case
Given an error console log such as:
Now spend a few days of wondering what was going on? Is it a problem with S3? Permissions (IAM)? Er let's say yes, so then who or what needs to be given IAM access? Is it my IAM Identity Center role? A custom role someone else needed? My CDK? Oh the CDK has roles (plural!), that's news to me, hope it's not that. One of the roles above it? So the closest in the cdk deploy -v output was a complete dead end:
The ones further up weren't particularly helpful:
It turned out by magic there was a completely missing piece of the puzzle we needed to fix this, that the CDK presumably has - which cdk role was used.
In fact in that verbose output I saw no suggestion it was a permissions (IAM) problem with the (...cdk-...-cfn-exec-role...) at all.
Around this point, what needed to be done became straightforward, attach an IAM policy, a bit like this one, to the AWS CloudFormation execution role (...cdk-...-cfn-exec-role...) which needed to be allowed access to S3:
Proposed Solution
A way that might save those few days of debugging for others in future, could be to add more role logs, perhaps something like:
a) Perhaps just before the MyApiV2Stack: deploying... [1/1], add (or something similar like using already assumed role, hopefully one gets the idea):
b) Make it clearer when roles are out of scope and so should no longer be used (perhaps a finally block of a try...finally statement), with logs like:
Hope that's helpful and possible.
Other Information
Presumably adding new logs is easier than modifying existing logs (not sure if for error logs that's enough to be breaking, aside at AMZN scale suggests to me it'd be yes).
Acknowledgements
CDK version used
2.90.0
Environment details (OS name and version, etc.)
Ubuntu 22.04.3 LTS (jammy)
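An added sketch of proposals (a) and (b) above, not code from this issue or from the CDK project: a try...finally wrapper that logs when a role comes into use and when it is released, and tags any error with the role that was active when it was thrown. The class, the log wording, the role ARNs and the simulated S3 failure are all constructed for illustration, and the wrapper is synchronous for brevity.

```typescript
// Constructed placeholder ARNs (not real accounts or bootstrap qualifiers).
const DEPLOY_ROLE = "arn:aws:iam::111111111111:role/cdk-EXAMPLE-deploy-role";
const CFN_EXEC_ROLE = "arn:aws:iam::111111111111:role/cdk-EXAMPLE-cfn-exec-role";

interface RoleTagged extends Error { activeRole?: string }

class RoleScopeLogger {
  private readonly active: string[] = []; // innermost role is last
  private readonly log: (line: string) => void;

  constructor(log: (line: string) => void) { this.log = log; }

  /** Role whose credentials are in effect right now, if any. */
  current(): string | undefined { return this.active[this.active.length - 1]; }

  /** Run fn under roleArn; log entry and exit even when fn throws. */
  withRole<T>(roleArn: string, purpose: string, fn: () => T): T {
    this.active.push(roleArn);
    this.log(`role in use: ${roleArn} (${purpose})`);
    try {
      return fn();
    } catch (err) {
      const e: RoleTagged = err instanceof Error ? err : new Error(String(err));
      if (e.activeRole === undefined) { // tag once, at the innermost scope
        e.activeRole = roleArn;
        e.message += ` [active role: ${roleArn}]`;
      }
      throw e;
    } finally {
      this.active.pop();
      const next = this.current();
      this.log(`role released: ${roleArn}` + (next ? `; back to ${next}` : ""));
    }
  }
}

// Simulated deploy: the failure happens while the execution role is in scope.
function demoDeploy(): { lines: string[]; error: string } {
  const lines: string[] = [];
  const roles = new RoleScopeLogger((l) => lines.push(l));
  let error = "";
  try {
    roles.withRole(DEPLOY_ROLE, "start CloudFormation deployment", () =>
      roles.withRole(CFN_EXEC_ROLE, "create stack resources", () => {
        throw new Error("S3: Access Denied"); // constructed failure
      }));
  } catch (err) {
    error = err instanceof Error ? err.message : String(err);
  }
  return { lines, error };
}
```

With this shape, the error surfaced to the user names the role whose policy needs attention rather than leaving it to be inferred from earlier log lines.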