
I have the following `~/.aws/config` and try to run `ENV=dev cdk synth --profile test --all`.

Inside CDK, my code then tries to determine the profile's account number by reading the environment variable `CDK_DEFAULT_ACCOUNT`. Sadly, this is returning 001xx, and not 200xx.

It seems it only detects the IAM user, and does not go down the rabbit hole using the assumed role. How can I retrieve the final role's target account number inside CDK?

```
[default]
region = eu-central-1

[profile test]
role_arn = arn:aws:iam::200xx:role/RoleInTargetAccount
source_profile = dev_prof
mfa_serial = arn:aws:iam::001xx:mfa/lony
```
lony
  • Did you mean to use the dev_prof profile, or the test profile, when invoking cdk? – jarmod Jul 28 '21 at 16:51
  • As shown above, I use the dev_prof - this way it assumes the role. – lony Jul 28 '21 at 16:56
  • Run: `aws sts get-caller-identity --profile test`. It will use the `dev_prof` credentials to assume the `arn:aws:iam::200xx:role/RoleInTargetAccount` role. – jarmod Jul 28 '21 at 17:06
  • I need the ID inside CDK, but your point is right - I could add SDK code to make a lookup ... so no way to do this in CDK then? @jarmod did you already try this in CDK or did you just use the CLI command so far? – lony Jul 29 '21 at 07:33
  • I'm just explaining how the ~/.aws/config file works for profiles that assume roles. – jarmod Jul 29 '21 at 13:19

0 Answers
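As an added example (not part of the original question or comments, and not CDK's own code): TypeScript that reads the account IDs out of the `role_arn` and `mfa_serial` of the profile shown in the question, which shows where the two numbers 200xx and 001xx come from. `parseAwsConfig`, `arnAccount` and `resolveProfile` are hypothetical helper names, and the config text is embedded inline rather than read from disk; a profile with no `role_arn` yields no account here and still needs an STS lookup such as the `get-caller-identity` call from the comments.

```typescript
// Constructed from the question's ~/.aws/config (account IDs redacted as posted).
const SAMPLE_CONFIG = `
[default]
region = eu-central-1

[profile test]
role_arn = arn:aws:iam::200xx:role/RoleInTargetAccount
source_profile = dev_prof
mfa_serial = arn:aws:iam::001xx:mfa/lony
`;
type Profiles = Map<string, Map<string, string>>;
// Parse INI-style sections; "[profile test]" and "[test]" both map to "test".
function parseAwsConfig(text: string): Profiles {
  const profiles: Profiles = new Map();
  let current: Map<string, string> | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const header = /^\[(?:profile\s+)?([^\]]+)\]$/.exec(line);
    if (header) {
      current = new Map();
      profiles.set((header[1] ?? "").trim(), current);
      continue;
    }
    const eq = line.indexOf("=");
    if (eq > 0 && current) current.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return profiles;
}
// Field 5 of an ARN (arn:partition:service:region:account:resource) is the account.
function arnAccount(arn: string | undefined): string | undefined {
  const parts = (arn ?? "").split(":");
  return parts.length >= 6 && parts[0] === "arn" && parts[4] ? parts[4] : undefined;
}
interface Resolved { chain: string[]; targetAccount: string | undefined; mfaAccount: string | undefined }
// Follow source_profile links (rejecting loops). The named profile's own role_arn is the
// role the session ends up in; mfa_serial belongs to the identity that assumes it.
function resolveProfile(profiles: Profiles, name: string): Resolved {
  const chain: string[] = [];
  let p: string | undefined = name;
  while (p !== undefined) {
    if (chain.indexOf(p) !== -1) throw new Error(`source_profile loop at "${p}"`);
    chain.push(p);
    p = profiles.get(p)?.get("source_profile");
  }
  const own = profiles.get(name);
  return { chain, targetAccount: arnAccount(own?.get("role_arn")), mfaAccount: arnAccount(own?.get("mfa_serial")) };
}
```

For the `test` profile this returns `200xx` as the target account and `001xx` as the account of the MFA device's owner.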