
Deploying multiple stages to different accounts #391

christophgysin opened this issue Oct 24, 2022 · 2 comments

Comments

@christophgysin (Contributor)

I have a simple application that I would like to deploy in two stages to a dev and a prod account.

The generated workflow creates asset publishing jobs that try to deploy the shared assets to two different accounts, e.g.:

`cdk.out/publish-Assets-FileAsset2-step.sh`:

```sh
set -ex
npx cdk-assets --path "cdk.out/assembly-Dev/DevSampleComponent408C8649.assets.json" --verbose publish "b46c69876cded265976e982f147d1783eeb5ba986b2668164e3f8c65113601ed:1234567890-eu-central-1"
npx cdk-assets --path "cdk.out/assembly-Prod/ProdSampleComponent911303F5.assets.json" --verbose publish "b46c69876cded265976e982f147d1783eeb5ba986b2668164e3f8c65113601ed:0987654321-eu-central-1"
```

Currently, the credentials either have permission to publish to one or the other account, but not both.

Is this a valid use case? How is this supposed to work?

@kichik (Contributor) commented Apr 24, 2023

@christophgysin were you able to find a solution for this? I have the same issue where I try to deploy to multiple accounts. Asset publishing fails with:

```text
error  : [100%] fail: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
Failure: CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
```

Even though the role should have permission to assume the file-publishing role in the other accounts. I looked into the source code of cdk-assets a bit and couldn't find where it tries to assume that role. Maybe that's the issue? In fact, for me it won't even publish assets to the same account where the role is from, suggesting it truly doesn't try to assume the other role.

It actually works fine for me. I messed up the role assumption permissions.

@braska commented Aug 18, 2024

According to best practices for organizing environments, you are supposed to have a "Deployment" account.

You can read more about it here: https://docs.aws.amazon.com/pdfs/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf

So GitHubActionRole is supposed to be created in the "Deployment" account. Your "Deployment" account should be trusted by the workload accounts. It is actually part of the bootstrap process. Here is an example of how you can make a workload account trust your deployment account:

```sh
pnpm cdk bootstrap --trust {{deployment account ID goes here}} --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
```

So the asset publishing jobs (in the GitHub workflow) will assume the role in the "Deployment" account. And cdk-assets (which is used internally) will try to find and assume the file-publishing role in the workload account on behalf of GitHubActionRole (in the "Deployment" account). It will manage to do so, because you allowed that during bootstrapping.
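A check on the trust relationship that `--trust` establishes, added here as an example and not code from this thread or from the CDK project: it reads the trust policy of a workload account's publishing role and confirms that exactly the deployment account can assume it. The policy JSON and the account ids in it are constructed; the real role names that bootstrap creates are not assumed.

```python
"""Added example (not from the issue thread or the CDK project): parse an IAM
trust policy, such as the one `cdk bootstrap --trust` installs on a workload
account's publishing role, and check that it trusts exactly the deployment
account, flagging missing, extra or wildcard trust."""
import json
import re

# Constructed sample policy: trusts two accounts plus a wildcard principal.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::222222222222:root"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "*"}},
    ],
})
_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def trusted_principals(policy_json: str) -> set:
    """Return every account id (or '*') allowed to call sts:AssumeRole."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = set()
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
                {"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            match = _ACCOUNT_RE.match(arn)
            if arn == "*" or (arn.isdigit() and len(arn) == 12):
                found.add(arn)  # wildcard or bare account id
            elif match:
                found.add(match.group(1))  # account id taken from the ARN
    return found

def check_trust(policy_json: str, deployment_account: str) -> list:
    """Findings: deployment account not trusted, or anything else trusted."""
    trusted = trusted_principals(policy_json)
    findings = []
    if deployment_account not in trusted:
        findings.append(f"deployment account {deployment_account} is not trusted")
    findings += [f"unexpected principal trusted: {p}"
                 for p in sorted(trusted - {deployment_account})]
    return findings
```

Run `check_trust` against the policy fetched from each workload account (for example via `aws iam get-role`) with the deployment account id; an empty list means the trust is as narrow as the bootstrap step intended.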
