ã¯ããã« AWS CDKïŒCloud Development KitïŒã䜿ã£ãŠãç°ãªãAWSã¢ã«ãŠã³ãéïŒã¯ãã¹ã¢ã«ãŠã³ãïŒã§ãªãœãŒã¹ããããã€ããæ¹æ³ã解説ããŸãã 察象èªè
ïŒAWSã¡ãã£ãšãããã¬ãã« æèŠæé ïŒçŽ60ã90å å®è¡ç°å¢ ïŒWindows PowerShell ãã®ãã³ãºãªã³ã§åŠã¹ãããš CDKãããžã§ã¯ãã®åæåãšã¹ã¿ãã¯æ§æ cdk bootstrap ã®ä»çµã¿ãšåœ¹å² ã¯ãã¹ã¢ã«ãŠã³ããããã€ã«å¿
èŠãªIAMèšå® --cloudformation-execution-policies ã«ããæå°æš©éã®å®çŸ cdk destroy ã䜿ã£ããªãœãŒã¹ã®åŸçä»ã ã¢ã«ãŠã³ãæ§æ æ¬ãã³ãºãªã³ã§ã¯2ã€ã®AWSã¢ã«ãŠã³ãã䜿çšããŸãã äºåæºå å¿
èŠãªããŒã« Node.jsïŒv18ä»¥äžæšå¥šïŒ AWS CDK CLIïŒ npm install -g aws-cdk ïŒ AWS CLI v2 PowerShell AWSãããã¡ã€ã«ã®èšå® æ¬ãã³ãºãªã³ã§ã¯ä»¥äžã®2ã€ã®ãããã¡ã€ã«ã䜿çšããŸãã ãããã¡ã€ã«å 察象ã¢ã«ãŠã³ã çšé test-111111111111 ã¢ã«ãŠã³ãAïŒ111111111111ïŒ ãããã€å
ã®æäœ test-A ã¢ã«ãŠã³ãBïŒ222222222222ïŒã®IAMãŠãŒã¶ãŒ CDKãããã€ã®å®è¡å
~/.aws/credentials ããã³ ~/.aws/config ã«åãããã¡ã€ã«ãèšå®ããŠãããŠãã ããã Step 1ïŒCDKãããžã§ã¯ãã®äœæ ãããžã§ã¯ããã£ã¬ã¯ããªã®äœæ mkdir C:\github\cdk-cross mkdir C:\github\cdk - cross cd C:\github\cdk-cross cd C:\github\cdk - cross CDKã¢ããªã®åæå cdk init app --language typescript cdk init app -- language typescript å®è¡ãããšä»¥äžã®ãããªãããžã§ã¯ãæ§æãçæãããŸãã cdk-cross/âââ bin/â âââ cdk-cross.ts # ãšã³ããªãŒãã€ã³ãâââ lib/â âââ cdk-cross-stack.ts # ã¹ã¿ãã¯å®çŸ©âââ cdk.json # CDKèšå®ãã¡ã€ã«âââ package.json cdk-cross/ âââ bin/ â âââ cdk-cross.ts # ãšã³ããªãŒãã€ã³ã âââ lib/ â âââ cdk-cross-stack.ts # ã¹ã¿ãã¯å®çŸ© âââ cdk.json # CDKèšå®ãã¡ã€ã« âââ package.json Note ïŒ git config ã®èšå®ããªãå Žåã Unable to initialize git repository ãšããèŠåãåºãŸããããã³ãºãªã³ã®é²è¡ã«ã¯åœ±é¿ãããŸããã Step 2ïŒã¹ã¿ãã¯ã®å®è£
ãšã³ããªãŒãã€ã³ãã®ç·šé bin/cdk-cross.ts ã以äžã®ããã«ç·šéããŸãããããã€å
ã®ã¢ã«ãŠã³ãIDãšãªãŒãžã§ã³ãæç€ºçã«æå®ããŸãã import * as cdk from 'aws-cdk-lib';import { CdkCrossStack } from '../lib/cdk-cross-stack';const app = new cdk.App();new CdkCrossStack(app, 'CdkCrossStack', { env: { account: "111111111111", <em>// ãããã€å
ã¢ã«ãŠã³ãA</em> region: "ap-northeast-1" }}); import * as cdk from ' aws-cdk-lib ' ; import { CdkCrossStack } from ' ../lib/cdk-cross-stack ' ; const app = new cdk . App () ; new CdkCrossStack ( app , ' CdkCrossStack ' , { env : { account : " 111111111111 " , <em> // ãããã€å
ã¢ã«ãŠã³ãA</em> region : " ap-northeast-1 " } } ) ; ãã€ã³ã ïŒã¯ãã¹ã¢ã«ãŠã³ããããã€ã§ã¯ env ã® account ãš region ã å¿
ãæç€º ããå¿
èŠããããŸããçç¥ãããš CDK ãç°å¢ã解決ã§ãããšã©ãŒã«ãªããŸãã ã¹ã¿ãã¯å®çŸ©ã®ç·šé lib/cdk-cross-stack.ts ã以äžã®ããã«ç·šéããŸããä»åã¯ã·ã³ãã«ãªS3ãã±ããã1ã€äœæããŸãã import * as cdk from 'aws-cdk-lib';import { Bucket } from 'aws-cdk-lib/aws-s3';export class CdkCrossStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new Bucket(this, 'TestBucket', { removalPolicy: cdk.RemovalPolicy.DESTROY, autoDeleteObjects: true }); }} import * as cdk from ' aws-cdk-lib ' ; import { Bucket } from ' aws-cdk-lib/aws-s3 ' ; export class CdkCrossStack extends cdk . Stack { constructor ( scope : Construct , id : string , props ?: cdk . StackProps ) { super ( scope , id , props ) ; new Bucket ( this , ' TestBucket ' , { removalPolicy : cdk . RemovalPolicy . DESTROY , autoDeleteObjects : true } ) ; } } removalPolicy: DESTROY ïŒ cdk destroy å®è¡æã«ãã±ãããåé€ããèšå® autoDeleteObjects: true ïŒãã±ããå
ã«ãªããžã§ã¯ããæ®ã£ãŠããŠãåé€ã§ããããã«ããèšå®ïŒãã³ãºãªã³åãã®èšå®ã§ããæ¬çªç°å¢ã§ã¯æ
éã«æ€èšããŠãã ããïŒ CloudFormationãã³ãã¬ãŒãã®ç¢ºèª å®éã«ãããã€ããåã«ãCDKãçæããCloudFormationãã³ãã¬ãŒãã確èªããŸãããã cdk synth cdk synth S3ãã±ããã»ãã±ããããªã·ãŒã»Lambda颿°ïŒautoDeleteObjectsçšïŒã»IAMããŒã«ãåºåãããã°æåã§ãã Step 3ïŒbootstrapïŒ1åç®ïŒ bootstrapãšã¯ CDKã§ãããã€ãè¡ãã«ã¯ãäºåã«å¯Ÿè±¡ã¢ã«ãŠã³ãã»ãªãŒãžã§ã³ã« CDKToolkit ãšããCloudFormationã¹ã¿ãã¯ãäœæããå¿
èŠããããŸããããã cdk bootstrap ãšåŒã³ãŸãã bootstrapã®ã¡ãªãã ãããã€ã®èªåå ïŒã¢ã»ããïŒLambda ZIPãDockerã€ã¡ãŒãžïŒã®ã¢ããããŒãå
ïŒS3ã»ECRïŒãèªåã§çšæããããããæåã§ãã±ããããªããžããªãäœæããå¿
èŠããªã IAMããŒã«ã®äžå
管ç ïŒãããã€ã«å¿
èŠãªIAMããŒã«ããŸãšããŠäœæã»ç®¡çããããããåå¥ã«ããŒã«ãèšå®ããæéãçãã ã¯ãã¹ã¢ã«ãŠã³ãå¯Ÿå¿ ïŒ --trust ãªãã·ã§ã³ã§ä»ã¢ã«ãŠã³ãããã®ãããã€ãå®å
šã«èš±å¯ã§ãã æš©éã®æå°å ïŒ --cloudformation-execution-policies ã§CloudFormationãäœ¿ãæš©éãçµã蟌ãã åªçæ§ ïŒäœåºŠå®è¡ããŠãåãçµæã«ãªãæ§è³ªïŒïŒãã§ã«bootstrapæžã¿ã®ç°å¢ã«åå®è¡ããŠããå·®åã®ã¿UpdateãšããŠé©çšãããããå®å
šã«åå®è¡ã§ãã bootstrapã¯ã¢ã«ãŠã³ããšãªãŒãžã§ã³ã«çŽã¥ã bootstrap㯠ãAWSã¢ã«ãŠã³ã à ãªãŒãžã§ã³ãã®çµã¿åããããšã«1åå®è¡ ããå¿
èŠããããŸãã ã¢ã«ãŠã³ãAã® ap-northeast-1 ã«ããã〠â aws://111111111111/ap-northeast-1 ã«bootstrap ã¢ã«ãŠã³ãAã® us-east-1 ã«ããããã€ããã â aws://111111111111/us-east-1 ã« å¥é bootstrap ã¢ã«ãŠã³ãBã® ap-northeast-1 ã«ããããã€ããã â aws://222222222222/ap-northeast-1 ã« å¥é bootstrap åãã¢ã«ãŠã³ãã§ã ãªãŒãžã§ã³ãç°ãªãã°å¥ã®bootstrapãå¿
èŠ ã§ãã bootstrapã§äœæããããªãœãŒã¹ bootstrapã«ãã£ãŠä»¥äžã®ãªãœãŒã¹ãäœæãããŸãã S3ãã±ãã ïŒStagingBucketïŒïŒãããã€çšã¢ã»ããã®ä¿åå Žæ ECRãªããžã㪠ïŒDockerã€ã¡ãŒãžã®ã¢ã»ããä¿åå Žæ IAMããŒã«çŸ€ ïŒCDKããããã€æäœãè¡ãããã®åçš®ããŒã« DeploymentActionRole ïŒãããã€æäœãæ
ãããŒã« CloudFormationExecutionRole ïŒCloudFormationããªãœãŒã¹ãäœæããéã«äœ¿ãããŒã« FilePublishingRole / ImagePublishingRole ïŒã¢ã»ãããS3/ECRã«ã¢ããããŒãããããŒã« LookupRole ïŒã³ã³ããã¹ãæ
å ±ã®åç
§ã«äœ¿ãããŒã« çµç¹ã®IAMããªã·ãŒå¶éãããå Žå çµç¹ïŒAWS OrganizationsïŒã®SCPïŒService Control PolicyïŒãã»ãã¥ãªãã£ããªã·ãŒã«ãã£ãŠã åçš®ãªãœãŒã¹ã®äœæãå¶éãããŠããç°å¢ ã§ã¯ãbootstrapããã®ãŸãŸå®è¡ã§ããªãã±ãŒã¹ããããŸãã ãã®å Žåã¯ä»¥äžã®ããããã®å¯Ÿå¿ãåããŸãã æ¢åã®bootstrapæžã¿ç°å¢ã䜿ã ïŒçµç¹ã®ç®¡çè
ããã§ã«CDKToolkitãã»ããã¢ããããŠããå Žåã¯ããã®ãŸãŸå©çšããïŒè¿œå ã®bootstrapã¯äžèŠïŒ å¥éããŒã«ãæåäœæããŠå©çšãã ïŒã»ãã¥ãªãã£ããŒã ãæ¿èªããæå°æš©éã®IAMããŒã«ãäºåã«äœæãã --role-arn ãªãã·ã§ã³ã§CDKã«æå®ãã cdk deploy ` --role-arn arn:aws:iam::111111111111:role/MyCustomDeployRole ` --profile test-111111111111 cdk deploy ` -- role - arn arn:aws:iam:: 111111111111 :role / MyCustomDeployRole ` -- profile test-111111111111 ã¢ã«ãŠã³ãAã«bootstrapãå®è¡ïŒ1åç®ïŒ 確èªãã€ã³ã ïŒãããã€å
ã¢ã«ãŠã³ãã«ãã§ã« CDKToolkit ãšããååã®CloudFormationã¹ã¿ãã¯ãååšããå Žåã¯ãbootstrap㯠å®è¡æžã¿ ã§ãããã®å Žåã¯æ¬Stepãã¹ãããããŠãã ããã ãŸãã¯ã·ã³ãã«ã«ã¢ã«ãŠã³ãAãžbootstrapããŸãã cdk bootstrap aws://111111111111/ap-northeast-1 ` --profile test-111111111111 cdk bootstrap aws: // 111111111111 / ap - northeast - 1 ` -- profile test-111111111111 æåãããš â
Environment aws://111111111111/ap-northeast-1 bootstrapped. ãšè¡šç€ºãããŸãã Step 4ïŒã¢ã«ãŠã³ãAãžã®ãããã€ïŒåäžã¢ã«ãŠã³ãïŒ ãŸããã¢ã«ãŠã³ãAã®ãããã¡ã€ã«ã§çŽæ¥ãããã€ã§ããããšã確èªããŸãã cdk deploy --profile test-111111111111 cdk deploy -- profile test-111111111111 IAMã®å€æŽå
容ã衚瀺ãããã®ã§ç¢ºèªãã y ãå
¥åããŸãã Do you wish to deploy these changes (y/n)? y Do you wish to deploy these changes ( y / n ) ? y â
CdkCrossStack ãšè¡šç€ºãããã°ãããã€æåã§ãã Step 5ïŒã¯ãã¹ã¢ã«ãŠã³ããããã€ã®è©Šè¡ïŒå€±æïŒ 次ã«ãã¢ã«ãŠã³ãBïŒ test-A ãããã¡ã€ã«ïŒãããããã€ã詊ã¿ãŸãã cdk deploy --profile test-A cdk deploy -- profile test-A 以äžã®ãšã©ãŒãçºçããŸãã Could not assume role in target account using current credentials(which are for account 222222222222)User: arn:aws:iam::222222222222:user/test1 is not authorized to perform:sts:AssumeRole on resource:arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1 Could not assume role in target account using current credentials ( which are for account 222222222222 ) User: arn:aws:iam:: 222222222222 :user / test1 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:: 111111111111 :role / cdk - hnb659fds - deploy-role - 111111111111 - ap - northeast - 1 Note ïŒãšã©ãŒã¡ãã»ãŒãžäžã® cdk-hnb659fds ã¯CDK bootstrapãçæããããã©ã«ãã® qualifierïŒèå¥åïŒ ã§ãã cdk bootstrap --qualifier <ä»»æã®å€> ã§å€æŽå¯èœãªãããçµç¹ã®èšå®ã«ãã£ãŠã¯ç°ãªãæååã«ãªãå ŽåããããŸãã æ¬ãã³ãºãªã³ã§ã¯ããã©ã«ãå€ïŒ hnb659fds ïŒã䜿çšããŸãã ãªã倱æããã®ã CDKã®ã¯ãã¹ã¢ã«ãŠã³ããããã€ã§ã¯ãæäœå
ã¢ã«ãŠã³ãBã®ãŠãŒã¶ãŒãããããã€å
ã¢ã«ãŠã³ãAã® DeploymentActionRole ã AssumeRoleïŒäžæçã«åŒãåããïŒ ããããšã§ãããã€ãè¡ããŸãã ãããçŸæç¹ã§ã¯ã ã¢ã«ãŠã³ãAã® DeploymentActionRole ãã¢ã«ãŠã³ãBããã®AssumeRoleã èš±å¯ããŠããªã ã¢ã«ãŠã³ãBã® test1 ãŠãŒã¶ãŒã sts:AssumeRole ãå®è¡ãã æš©éãæã£ãŠããªã ãã®2ã€ã解決ããå¿
èŠããããŸãã Step 6ïŒæå°æš©éããªã·ãŒã®äœæ --cloudformation-execution-policies ãšã¯ cdk bootstrap ã® --cloudformation-execution-policies ãªãã·ã§ã³ã¯ã CloudFormationããªãœãŒã¹ãäœæã»æŽæ°ã»åé€ããéã«äœ¿çšããIAMããªã·ãŒ ãæå®ãããã®ã§ãã ããã©ã«ãïŒAdministratorAccessïŒã®åé¡ç¹ æå®ããªãå Žå㯠AdministratorAccess ïŒå
šæš©éïŒã䜿ãããŸããããã«ã¯ä»¥äžã®ãªã¹ã¯ããããŸãã CDKã¹ã¿ãã¯ã®ã³ãŒãã«èª€ãããã£ãå Žåã æå³ããªããªãœãŒã¹ãåé€ã»å€æŽ ããŠããŸãå¯èœæ§ããã æå°æš©éã®ååïŒPrinciple of Least PrivilegeïŒã«åãã çµç¹ã®ã»ãã¥ãªãã£ããªã·ãŒã«éåããã±ãŒã¹ããã æå°æš©éããªã·ãŒã䜿ãã¹ãçç± CloudFormationãæäœã§ãããªãœãŒã¹ã ã¹ã¿ãã¯ã§å¿
èŠãªãã®ã ã ã«éå®ã§ãã äžãäžã®ãã¹ãäžæ£ã¢ã¯ã»ã¹æã® 被害ç¯å²ãæå°å ã§ãã çµç¹ã®ã³ã³ãã©ã€ã¢ã³ã¹èŠä»¶ãæºããããããªã ä»åã®ã¹ã¿ãã¯ã§å¿
èŠãªæš©éã¯ä»¥äžã®3ã€ã§ãã S3 ïŒãã±ããã®äœæã»åé€ã»ããªã·ãŒèšå® IAM ïŒLambdaå®è¡ããŒã«ã®äœæã»åé€ã»ããªã·ãŒã¢ã¿ãã Lambda ïŒautoDeleteObjectsçšLambda颿°ã®äœæã»åé€ ããªã·ãŒJSONã®äœæ @"{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:*"], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["lambda:*"], "Resource": "*" } ]}"@ | Set-Content cdk-minimal-policy.json @ " { " Version " : " 2012-10-17 " , " Statement " : [ { " Effect " : " Allow " , " Action " : [ " s 3 :* " ], " Resource " : " * " }, { " Effect " : " Allow " , " Action " : [ " iam:PassRole " , " iam:CreateRole " , " iam:DeleteRole " , " iam:AttachRolePolicy " , " iam:DetachRolePolicy " ], " Resource " : " * " }, { " Effect " : " Allow " , " Action " : [ " lambda:* " ], " Resource " : " * " } ] } " @ | Set-Content cdk-minimal-policy.json ããªã·ãŒãã¢ã«ãŠã³ãAã«äœæ aws iam create-policy ` --policy-name CdkMinimalPolicy ` --policy-document file://cdk-minimal-policy.json ` --profile test-111111111111 aws iam create - policy ` -- policy - name CdkMinimalPolicy ` -- policy - document file: // cdk - minimal - policy.json ` -- profile test-111111111111 äœæãããããªã·ãŒã®ARNïŒ arn:aws:iam::111111111111:policy/CdkMinimalPolicy ïŒãæ§ããŠãããŸãã Step 7ïŒbootstrapïŒ2åç®ïŒâã¯ãã¹ã¢ã«ãŠã³ãå¯Ÿå¿ ãªã2åbootstrapããã®ã 1åç®ã®bootstrapã¯ãCDKToolkitãäœæãããããã®æäœéã®å®è¡ã§ããããã®æç¹ã§ã¯ïŒ --trust æªæå® â ã¢ã«ãŠã³ãBããã®AssumeRoleã èš±å¯ãããŠããªã --cloudformation-execution-policies æªæå® â AdministratorAccess ã䜿ãããŠãã 2åç®ã®bootstrapã§ã¯ãããããæ£ããèšå®ãçŽããŸããCDKToolkitã¹ã¿ãã¯ã¯ UpdateãšããŠé©çš ããããããæ¢åãªãœãŒã¹ãåé€ããã«èšå®ã倿Žã§ããŸãã Tips ïŒæåããã¯ãã¹ã¢ã«ãŠã³ããããã€ãæ³å®ããŠããå Žåã¯ã1åç®ã®bootstrapãã --trust ãš --cloudformation-execution-policies ãæå®ããããšã§ã2åã«åããå¿
èŠã¯ãããŸããã ã¯ãã¹ã¢ã«ãŠã³ã察å¿ã®bootstrapãå®è¡ cdk bootstrap aws://111111111111/ap-northeast-1 ` --profile test-111111111111 ` --trust 222222222222 ` --cloudformation-execution-policies arn:aws:iam::111111111111:policy/CdkMinimalPolicy cdk bootstrap aws: // 111111111111 / ap - northeast - 1 ` -- profile test-111111111111 ` -- trust 222222222222 ` -- cloudformation - execution - policies arn:aws:iam:: 111111111111 :policy / CdkMinimalPolicy åãªãã·ã§ã³ã®æå³ïŒ ãªãã·ã§ã³ æå³ --trust 222222222222 ã¢ã«ãŠã³ãBïŒ222222222222ïŒããã®AssumeRoleãèš±å¯ãã --cloudformation-execution-policies CloudFormationã䜿ãIAMããªã·ãŒãAdministratorAccessããæå°æš©éã«å€æŽãã â
Environment aws://111111111111/ap-northeast-1 bootstrapped. ãšè¡šç€ºãããã°æåã§ãã è£è¶³ ïŒbootstrapåå®è¡ã«ãã£ãŠ CloudFormationExecutionRole ã«çŽã¥ãããªã·ãŒã AdministratorAccess ãã CdkMinimalPolicy ã«åãæ¿ãããŸãã ãã ããStep 4ã§ãããã€æžã¿ã® CdkCrossStack ã«å¯ŸããŠæ°ããªã·ãŒãé©çšãããã®ã¯ã 次å cdk deploy ãå®è¡ããã¿ã€ãã³ã° ã§ãã æ¢åã¹ã¿ãã¯ã®ãªãœãŒã¹èªäœã¯ãã®ãŸãŸç¶æãããŸãã DeploymentActionRoleã®ä¿¡é Œããªã·ãŒãç¢ºèª bootstrapåŸã DeploymentActionRole ã®ä¿¡é Œããªã·ãŒã«ã¢ã«ãŠã³ãBã远å ãããŠããããšã確èªããŸãã aws iam get-role ` --role-name cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1 ` --query "Role.AssumeRolePolicyDocument" ` --profile test-111111111111 ` --no-cli-pager aws iam get-role ` -- role - name cdk - hnb659fds - deploy-role - 111111111111 - ap - northeast - 1 ` -- query " Role.AssumeRolePolicyDocument " ` -- profile test-111111111111 ` -- no - cli - pager ã¬ã¹ãã³ã¹ã«ã¢ã«ãŠã³ãBïŒ arn:aws:iam::222222222222:root ïŒã® sts:AssumeRole ãå«ãŸããŠããã°æ£ããèšå®ãããŠããŸãã Step 8ïŒã¢ã«ãŠã³ãBã®IAMãŠãŒã¶ãŒã«AssumeRoleæš©éãä»äž ã¢ã«ãŠã³ãAã®ããŒã«ãåŒãåããããããã«ãªããŸããããã¢ã«ãŠã³ãBã® test1 ãŠãŒã¶ãŒèªèº«ã«ã sts:AssumeRole ã®æš©éãå¿
èŠã§ãã ã€ã³ã©ã€ã³ããªã·ãŒã®JSONãäœæ @"{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1" } ]}"@ | Set-Content assume-role.json @ " { " Version " : " 2012-10-17 " , " Statement " : [ { " Effect " : " Allow " , " Action " : " sts:AssumeRole " , " Resource " : " arn:aws:iam:: 111111111111 :role/cdk-hnb 659 fds-deploy-role -111111111111 -ap-northeast -1 " } ] } " @ | Set-Content assume-role.json test1ãŠãŒã¶ãŒã«ããªã·ãŒãã¢ã¿ãã aws iam put-user-policy ` --user-name test1 ` --policy-name AllowAssumeCdkDeployRole ` --policy-document file://assume-role.json ` --profile test-A aws iam put - user - policy ` -- user - name test1 ` -- policy - name AllowAssumeCdkDeployRole ` -- policy - document file: // assume - role.json ` -- profile test-A Step 9ïŒAssumeRoleã®åäœç¢ºèª ãããã€åã«ãå®éã«AssumeRoleãæåãããã確èªããŸãã aws sts assume-role ` --role-arn arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1 ` --role-session-name test ` --profile test-A aws sts assume - role ` -- role - arn arn:aws:iam:: 111111111111 :role / cdk - hnb659fds - deploy-role - 111111111111 - ap - northeast - 1 ` -- role - session - name test ` -- profile test-A 以äžã®ããã«äžæã¯ã¬ãã³ã·ã£ã«ãè¿ãã°æåã§ãã { "Credentials": { "AccessKeyId": "ASIAXXXXXXXXXXXXXXXX", "SecretAccessKey": "****", "SessionToken": "****", "Expiration": "2026-03-24T19:05:06+00:00" }, "AssumedRoleUser": { "AssumedRoleId": "AROAXXXXXXXXXXXXXXXXX:test", "Arn": "arn:aws:sts::111111111111:assumed-role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1/test" }} { " Credentials " : { " AccessKeyId " : " ASIAXXXXXXXXXXXXXXXX " , " SecretAccessKey " : " **** " , " SessionToken " : " **** " , " Expiration " : " 2026-03-24T19:05:06+00:00 " }, " AssumedRoleUser " : { " AssumedRoleId " : " AROAXXXXXXXXXXXXXXXXX:test " , " Arn " : " arn:aws:sts::111111111111:assumed-role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1/test " } } Step 10ïŒã¯ãã¹ã¢ã«ãŠã³ããããã€ã®å®è¡ å床ã¢ã«ãŠã³ãBããã¢ã«ãŠã³ãAãžã®ã¯ãã¹ã¢ã«ãŠã³ããããã€ãå®è¡ããŸãã cdk deploy --profile test-A cdk deploy -- profile test-A â
CdkCrossStack (no changes) ãšè¡šç€ºãããã°æåã§ããïŒStep 4ã§æ¢ã«ãããã€æžã¿ã®ãã倿Žãªããšè¡šç€ºãããŸãïŒ Step 11ïŒåŸçä»ã [!WARNING] ãã®æé 㯠æ¬ãã³ãºãªã³çšã«äœæããæ€èšŒç°å¢ãåæ ãšããŠããŸãã æ¥åã·ã¹ãã ãä»ã® CDK ãããžã§ã¯ãã§ãåäžã¢ã«ãŠã³ãã»ãªãŒãžã§ã³ã§ CDK ãå©çšããŠããå Žåã以äžã®æäœãå®è¡ãããš ä»ã®ã¹ã¿ãã¯ããããã€åŠçã«åœ±é¿ãäžããå¯èœæ§ ããããŸãã cdk destroy ã«ãããªãœãŒã¹åé€ CDKToolkit ã¹ã¿ãã¯ïŒbootstrap ç°å¢ïŒã®åé€ IAM ãŠãŒã¶ãŒïŒããªã·ãŒïŒã¢ã¯ã»ã¹ããŒã®åé€ æ€èšŒç°å¢ä»¥å€ã§å®æœããå Žåã¯ã åé€å¯Ÿè±¡ãæ¬ãã³ãºãªã³ã§äœæãããã®ã«éå®ãããŠããããš ã äºåã«åå確èªããããã§å®è¡ããŠãã ããã ã¹ã¿ãã¯ã®åé€ ã¯ãã¹ã¢ã«ãŠã³ãæäœã®ç¢ºèªãã§ããããäœæãããªãœãŒã¹ãåé€ããŸãã cdk destroy --profile test-A cdk destroy -- profile test-A Are you sure you want to delete: CdkCrossStack (y/n)? ã« y ãå
¥åããŸãã â
CdkCrossStack: destroyed ãšè¡šç€ºãããã°åé€å®äºã§ãã ã¹ã¿ãã¯ãåé€ãããããšãç¢ºèª aws cloudformation describe-stacks ` --stack-name CdkCrossStack ` --profile test-111111111111 aws cloudformation describe - stacks ` -- stack - name CdkCrossStack ` -- profile test-111111111111 Stack with id CdkCrossStack does not exist ãšãããšã©ãŒãè¿ãã°æ£ããåé€ãããŠããŸãã CDKToolkitã¹ã¿ãã¯ã®åé€ aws cloudformation delete-stack ` --stack-name CDKToolkit ` --profile test-111111111111 aws cloudformation delete - stack ` -- stack - name CDKToolkit ` -- profile test-111111111111 test1ãŠãŒã¶ãŒã®ã€ã³ã©ã€ã³ããªã·ãŒãåé€ aws iam delete-user-policy ` --user-name test1 ` --policy-name AllowAssumeCdkDeployRole ` --profile test-A aws iam delete - user - policy ` -- user - name test1 ` -- policy - name AllowAssumeCdkDeployRole ` -- profile test-A test1ãŠãŒã¶ãŒã®ã¢ã¯ã»ã¹ããŒãåé€ ãŸãããŒIDã確èªããŸãã aws iam list-access-keys --user-name test1 --profile test-A aws iam list - access - keys -- user - name test1 -- profile test-A 確èªããããŒIDãæå®ããŠåé€ããŸãã aws iam delete-access-key ` --user-name test1 ` --access-key-id AKIAXXXXXXXXXXXXXXXX ` --profile test-A aws iam delete - access - key ` -- user - name test1 ` -- access - key - id AKIAXXXXXXXXXXXXXXXX ` -- profile test-A AWSãããã¡ã€ã«ã®åé€ ãšãã£ã¿ã§ test-111111111111 ããã³ test-A ã®ã»ã¯ã·ã§ã³ãåé€ããŠä¿åããŸãã åé€åŸã®ãããã¡ã€ã«ç¢ºèª aws configure list-profiles aws configure list - profiles åé€ãããããã¡ã€ã«ã衚瀺ãããªããã°å®äºã§ãã ãŸãšã cdk bootstrap 㯠ã¢ã«ãŠã³ããšãªãŒãžã§ã³ã®çµã¿åããããš ã«å®è¡ãå¿
èŠ ãã§ã«bootstrapæžã¿ã®ç°å¢ã§ã¯ åå®è¡äžèŠ ãæ¢åã®CDKToolkitããã®ãŸãŸå©çšãã çµç¹ã®IAMããªã·ãŒå¶éãããå Žåã¯ã å¥éããŒã«ãæåäœæ ã㊠--role-arn ã§æå®ãã cdk bootstrap --trust ã§ãããã€å
ã¢ã«ãŠã³ããæäœå
ã¢ã«ãŠã³ãã ä¿¡é Œãã èšå®ãè¡ã --cloudformation-execution-policies ã§ AdministratorAccess ãé¿ãæå°æš©é ãäœ¿ã æäœå
ã¢ã«ãŠã³ãã®IAMãŠãŒã¶ãŒã«ã sts:AssumeRole æš©é ãå¿
èŠ bin/*.ts ã® env.account 㯠å¿
ãæç€ºçã«æå® ãã åèè³æ AWS CDK ããŒãã¹ãã©ãã AWS CDK ã§äœ¿çšããç°å¢ãããŒãã¹ãã©ãããã