(app-staging-synthesizer-alpha): Existing CDK diff IAM policies do not work with AppStagingSynthesizer

[blimmer]

Describe the bug

I deploy my AWS CDK applications via GitHub actions. When a pull request is opened, I assume an IAM role (via OIDC) to run the cdk diff and post it back to the PR for author review.

The diff role that works with the DefaultStackSynthesizer looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
                "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
            ],
            "Effect": "Allow",
            "Sid": "AllowAssumeCdkDiffRoles"
        }
    ]
}

With the DefaultStackSynthesizer, this works great.

However, this role does not work with AppStagingSynthesizer. The failure I get is:

GitHubActionsCdkDiff is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-2:REDACTED:stack/StagingStack-MYAPPID/f88beee0-b6ff-11ee-88b6-02de35b05309 because no identity-based policy allows the cloudformation:DescribeStacks action

Through trial and error, the final statement I needed to add looked like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:PassRole",
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
                "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
            ],
            "Effect": "Allow",
            "Sid": "AllowAssumeCdkDiffRoles"
        },
        {
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/StagingStack-MYAPPID/*",
            "Effect": "Allow",
            "Sid": "AllowDiffingAppStagingStacks"
        }
    ]
}

Expected Behavior

From the documentation, it seems like the existing bootstrap roles should be used, just as with the default synthesizer.

The Roles from the default bootstrap stack are still used (though their use can be turned off).

I might be confused by this documentation but, the way I read it, makes me think my existing roles should still work.

Current Behavior

The cdk diff fails with an IAM error until I grant additional permissions to my OIDC role.

GitHubActionsCdkDiff is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-2:REDACTED:stack/StagingStack-MYAPPID/f88beee0-b6ff-11ee-88b6-02de35b05309 because no identity-based policy allows the cloudformation:DescribeStacks action

Reproduction Steps

1. Create an app with the AppStagingSynthesizer like this:

#!/usr/bin/env node
import "source-map-support/register";
import { MyStack } from "../lib/MyStack";
import { App, Environment, Tags } from "aws-cdk-lib";
import { AppStagingSynthesizer } from "@aws-cdk/app-staging-synthesizer-alpha";

const appId = "MYAPPID";
const app = new App({
  defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
    appId,
  }),
});
const env: Environment = {
  account: process.env.CDK_DEFAULT_ACCOUNT,
  region: "us-east-2",
};
Tags.of(app).add("service", appId);

new MyStack(app, "MyStack", {
  env,
});

2. Create a "diff" role, as before:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:AssumeRole",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
                "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
            ],
            "Effect": "Allow",
            "Sid": "AllowAssumeCdkDiffRoles"
        }
    ]
}

3. Assume this role locally.
4. Run cdk diff. You'll receive the access denied error.

Possible Solution

Ideally, the same bootstrap roles could be used whether you're using the default synthesizer or the AppStagingSynthesizer.

Additional Information/Context

No response

CDK CLI Version

2.122.0 (build 7e77e02)

Framework Version

No response

Node.js Version

v20.11.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

Bootstrap version is v18

[blimmer]

I've also been seeing this with standard synthesizers since the --change-set flag was introduced with #28336.

I wonder - instead of requiring permissions on the root role, should:

1. One of the existing roles (e.g., cdk-hnb659fds-lookup-role) be updated to be allowed to create these changesets?
2. A new CDK role be introduced (e.g., cdk-hnb659fds-diff-role) be created to work with the changesets?

The new changeset behavior feels a bit different since it requires the root role to have CFN permissions. Previously, the root role only needed to be able to assume cdk roles. cc @comcalvi who introduced this new behavior for their thoughts.

[blimmer]

I opened up this issue that might supercede this one: #29767 . It suggests updating the lookup-role to allow creating diff-only changesets.