exanubes
Q&A

AWS CDK: Getting Started

AWS CDK stands for Cloud Development Kit and is an OSS framework for building/defining application architecture using popular programming languages

Rather than trying to figure out the proprietary syntax in .json or .yaml files, you can use TypeScript, Python or Java with access to constructs that configure cloud resources with very good default values.

Setup

Setting up aws-cdk is quite straightforward, I myself am using typescript so, using the node package manager, we can install it globally with:

npm i -g aws-cdk

CDK deploys infrastructure directly to the cloud and provisions resources via CloudFormation. In order to do that we have to be logged in, I myself use aws-vault for this.

You can install aws-vault with homebrew:

brew install --cask aws-vault

Getting AWS Credentials

To configure an aws-vault profile we need to get access_key and access_secret from AWS Console.

Go to IAM dashboard and either create a new user or click on an existing one.

Inside user details go to Security credentials tab and click on Create access key. You should see the popup below. You won’t be able to see it again so it’s a good idea to download the .csv file.

Configure aws-vault profile

Use the following command to configure aws-vault profile, you will need the Access Key ID and Secret Access Key

aws-vault add your-profile-name

If you’d like to set some defaults for your profile you can open up ~/.aws/config in your editor of choice and add

[profile your-profile-name]
region=us-east-1

You can read more on possible options for this config file here

Usage

In order to check if everything works well you can enter

aws-vault exec your-profile-name --

And then:

aws sts get-caller-identity

This command should return a json object with your IAM user details

Permissions

While working with aws-cdk there will definitely be a time where you want to deploy a stack that Cloud Formation needs additional permissions for. You can simply create a role for Cloud Formation and give it necessary permissions. I usually start with wide permissions e.g full access and then narrow it down when my infrastructure is ready.

In order to use the role during deployment I’d recommend adding custom scripts to package.json

{
    "scripts": {
        "cdk:deploy": "cdk deploy --all --role-arn=arn:aws:iam::$(aws sts get-caller-identity --query 'Account' --output text):role/CdkCloudformationRole",
        "cdk:destroy": "cdk destroy --all --role-arn=arn:aws:iam::$(aws sts get-caller-identity --query 'Account' --output text):role/CdkCloudformationRole"
    }
}

This command will assign the appropriate role arn by building it from a call to the sts service in order to get the account id number of the currently used aws account. CdkCloudformationRole is the name of the role and it is discretionary.

Worth Remembering

  1. aws-vault sessions are only 1-hour long by default, you can change it with a --duration flag
  2. all aws-cdk modules have to be the same version, otherwise it will show errors in the IDE e.g if aws-cdk is version 1.102.0, all other modules should also be 1.102.0