(codepipeline) cross-region-stack-* causes cdk diff to fail for users who are only allowed to assume the lookup-role #25903
Labels
@aws-cdk/aws-codepipeline
Related to AWS CodePipeline
bug
This issue is a bug.
closed-for-staleness
This issue was automatically closed because it hadn't received any attention in a while.
effort/medium
Medium work item – several days of effort
p1
response-requested
Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Describe the bug
I've been unable to cdk diff my cdk app since I've added another region (to deploy certificates to us-east-1), because I follow AWS best practices of least privileged access, and only have the permission to assume the lookup-role in all the account / region pairs I need to work with. And BootstraplessSynthesizer does not use the lookup-role at all.
Expected Behavior
Current Behavior
Reproduction Steps
1. `cdk bootstrap`-ed A1R1 using privileged credentials.
2. `cdk bootstrap`-ed A2R2 using privileged credentials. The stack is not deployed yet.
3. Using a role (`iac-dev-role`) whose only permissions are to allow AssumeRole of the cdk lookup-role for A1R1 and A2R2.
4. `cdk diff '**'`
Possible Solution
`cdk bootstrap` could be extended with a `--needed` flag to output all the AxRy account+region pairs where the bootstrap still needs to run. That would improve the ergonomics a bit. I realize it's impossible to figure out which role to assume in each account to check for bootstrapping. But there is at least OrganizationAccountAccessRole you could try to assume in each target account if the current credentials allow.

Having this would have made it clear that I do NOT need to cdk bootstrap A1R2, because of the BootstraplessSynthesizer.

Once I realize I do NOT need to cdk bootstrap A1R2, it becomes clear that it is the bootstrap synthesizer that is to blame, because it did not attempt to assume `cdk-hnb659fds-lookup-role-A1-R1` first.

It took me a few hours to figure out all this. And the use of a BootstraplessSynthesizer looks like a code smell. Why is it not OK to just include A1Ry (for each foreign region y that the pipeline intends to deploy to) as needing to be bootstrapped? That would allow you to keep a consistent behaviour everywhere. And you would then be able to focus on how to enable bootstrapping all these AxRy pairs more efficiently. The current behaviour is confusing.
Additional Information/Context
No response
CDK CLI Version
2.83.0 (build 0fd7f2b)
Framework Version
No response
Node.js Version
v16.19.0
OS
Ubuntu 22.04.2 LTS
Language
Typescript
Language Version
typescript@5.1.3
Other information
No response
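An added example (not code from the issue or from the CDK project) that models the least-privilege question raised in the Possible Solution section: which account/region pairs must be bootstrapped, and therefore which lookup roles a diff-only role needs `sts:AssumeRole` on, under the current behaviour (cross-region support stacks use BootstraplessSynthesizer) versus the proposal to bootstrap A1Ry like any other environment. Account ids are constructed and the ARN format is assumed from the role name quoted above.

```python
from dataclasses import dataclass

# Default bootstrap qualifier; matches the role name quoted in the issue.
QUALIFIER = "hnb659fds"


@dataclass(frozen=True)
class Env:
    account: str  # 12-digit account id (constructed values in the sample below)
    region: str


def lookup_role_arn(env: Env, qualifier: str = QUALIFIER) -> str:
    """ARN of the bootstrap lookup role for one account/region pair, using the
    name pattern cdk-<qualifier>-lookup-role-<account>-<region> (assumed)."""
    return (f"arn:aws:iam::{env.account}:role/"
            f"cdk-{qualifier}-lookup-role-{env.account}-{env.region}")


def cross_region_support_envs(pipeline_env: Env, targets: set[Env]) -> set[Env]:
    """A1Ry pairs: the pipeline account in each foreign target region."""
    return {Env(pipeline_env.account, t.region)
            for t in targets if t.region != pipeline_env.region}


def envs_needing_bootstrap(pipeline_env: Env, targets: set[Env],
                           bootstrapless_support_stacks: bool = True) -> set[Env]:
    """Environments that must be bootstrapped before a diff-only role can work.

    True models the current behaviour: cross-region-stack-* support stacks use
    BootstraplessSynthesizer, so A1Ry is never bootstrapped and has no lookup
    role. False models the issue's proposal: treat A1Ry like every other env.
    """
    needed = {pipeline_env} | set(targets)
    if not bootstrapless_support_stacks:
        needed |= cross_region_support_envs(pipeline_env, targets)
    return needed


def lookup_roles_for_diff(pipeline_env: Env, targets: set[Env],
                          bootstrapless_support_stacks: bool = True) -> set[str]:
    """Lookup-role ARNs a diff-only role needs sts:AssumeRole on, and nothing more."""
    return {lookup_role_arn(e) for e in envs_needing_bootstrap(
        pipeline_env, targets, bootstrapless_support_stacks)}


if __name__ == "__main__":
    # Constructed sample: pipeline in A1R1, certificates deployed to A2 in us-east-1.
    a1r1, a2r2 = Env("111111111111", "eu-west-1"), Env("222222222222", "us-east-1")
    for arn in sorted(lookup_roles_for_diff(a1r1, {a2r2}, bootstrapless_support_stacks=False)):
        print(arn)
```

Running it with the proposal enabled lists three lookup roles, including one for A1 in us-east-1 that does not exist today because that support stack is bootstrapless.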