You may need to set up AWS SSO for your account. Amazon provides this setup guide: Setting up single sign-on (SSO) with IAM Identity Center

Set up a permission set that allows deploying

  • Navigate to Permission sets
  • Create permission set - name: Deployer
  • Inline Policy:
    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "assumerole",
              "Effect": "Allow",
              "Action": [
                  "sts:AssumeRole",
                  "iam:PassRole"
              ],
              "Resource": [
                  "arn:aws:iam::*:role/cdk-readOnlyRole",
                  "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
                  "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
                  "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
              ]
          }
      ]
    }

By default, cdk bootstrap adds the hnb659fds qualifier to the roles it creates (source), which is why the role ARNs above include it.

Finding your SSO URL

  1. Open IAM in the AWS console
  2. Navigate to IAM Identity Center in the left-hand menu
  3. Retrieve your AWS access portal URL (e.g. https://smithwick.awsapps.com/start)

Installing AWS CLI

I prefer to use Homebrew: brew install awscli, or see My Brewfile

Configure AWS SSO

It is helpful to add your SSO information to your AWS CLI configuration (~/.aws/config). See the AWS documentation on aws configure sso.

aws configure sso

Example where I set up an admin profile:

SSO session name (Recommended):
SSO start URL [None]: https://smithwick.awsapps.com/start
SSO region [None]: us-west-2
SSO registration scopes [sso:account:access]:

Using the role name "AdministratorAccess"
CLI default client Region [None]: us-west-2
CLI default output format [None]: JSON
CLI profile name [AdministratorAccess-###]: admin

Follow-up example where I set up a deployer profile (the SSO session prompts are answered the same way as above):

Using the role name "Deployer"
CLI default client Region [None]: us-west-2
CLI default output format [None]: JSON
CLI profile name [Deployer-###]: deployer

This lets you target your SSO-attached account(s) by naming the profile, for example: aws s3 ls --profile admin
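For reference, this is what the two aws configure sso runs above end up writing to ~/.aws/config (an added illustration, not taken from the original post; the session name "smithwick" and the account ID 111111111111 are placeholders you would substitute with your own):

```ini
; Shared SSO session: both profiles below reuse this login and its cached token
[sso-session smithwick]
sso_start_url = https://smithwick.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access

; Full-access profile for interactive administration
[profile admin]
sso_session = smithwick
sso_account_id = 111111111111   ; placeholder account ID
sso_role_name = AdministratorAccess
region = us-west-2
output = json

; Least-privilege profile bound to the "Deployer" permission set,
; which can only assume the cdk bootstrap roles listed in the inline policy
[profile deployer]
sso_session = smithwick
sso_account_id = 111111111111   ; placeholder account ID
sso_role_name = Deployer
region = us-west-2
output = json
```

Keeping the deployer profile separate means day-to-day cdk deploy runs never carry AdministratorAccess credentials.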

For compatibility with some CLI tools you may want to export your profile to environment variables: eval $(aws configure export-credentials --profile deployer --format env)

This exports the following environment variables (short-lived session credentials, not long-term keys):

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

To log in to your SSO profile: aws sso login --profile deployer