Commit 0effc6d

docs(pipelines): explain lookup-role assumption error (#20999)
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent ffd3d2d commit 0effc6d

File tree

1 file changed

+25
-0
lines changed

packages/@aws-cdk/pipelines/README.md

Lines changed: 25 additions & 0 deletions
@@ -1379,6 +1379,31 @@ After turning on `privilegedMode: true`, you will need to do a one-time manual c
13791379
pipeline to get it going again (as with a broken 'synth' the pipeline will not be able to self
13801380
update to the right state).
13811381

1382+
### Not authorized to perform sts:AssumeRole on arn:aws:iam::\*:role/\*-lookup-role-\*
1383+
1384+
You may get an error like the following in the **Synth** step:
1385+
1386+
```text
1387+
Could not assume role in target account using current credentials (which are for account 111111111111). User:
1388+
arn:aws:sts::111111111111:assumed-role/PipelineStack-PipelineBuildSynthCdkBuildProje-..../AWSCodeBuild-....
1389+
is not authorized to perform: sts:AssumeRole on resource:
1390+
arn:aws:iam::222222222222:role/cdk-hnb659fds-lookup-role-222222222222-us-east-1.
1391+
Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with
1392+
the right '--trust', using the latest version of the CDK CLI.
1393+
```
1394+
1395+
This is a sign that the CLI is trying to do Context Lookups during the **Synth** step, which are failing
1396+
because it cannot assume the right role. We recommend you don't rely on Context Lookups in the pipeline at
1397+
all, and commit a file called `cdk.context.json` with the right lookup values in it to source control.
1398+
1399+
If you do want to do lookups in the pipeline, the cause is one of the following:
1400+
1401+
* The target environment has not been bootstrapped; OR
1402+
* The target environment has been bootstrapped without the right `--trust` relationship; OR
1403+
* The CodeBuild execution role does not have permissions to call `sts:AssumeRole`.
1404+
1405+
See the section called **Context Lookups** for more information on using this feature.
1406+
13821407
### IAM policies: Cannot exceed quota for PoliciesPerRole / Maximum policy size exceeded
13831408

13841409
This happens as a result of having a lot of targets in the Pipeline: the IAM policies that
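Review bot: the bullet list near the end of the hunk names three causes but no remedy, so a reader who hits this error still has to guess what to change. For the first two bullets, state that the target account (222222222222 in the example message) must be bootstrapped with `--trust` naming the pipeline account (111111111111 in the example), since that is what the quoted error means by "the right '--trust'". For the third bullet, say that any permission added to the CodeBuild execution role should be an `sts:AssumeRole` allow scoped to the `*-lookup-role-*` ARN shown in the heading rather than a broad assume-role grant, so the synth step cannot assume arbitrary roles in other accounts. It would also help to say why committing `cdk.context.json` is the recommended path: it makes the Synth step deterministic and removes the cross-account credential requirement entirely.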
