❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize.

[frfavoreto]

Please add your +1 👍 to let us know you have encountered this

Status: RESOLVED

Overview

Until v2.131.0, CDK CLI only tried to assume the cdk-hnb659fds-lookup-role-* role during cdk diff, regardless the use of --no-change-set option.

Since v2.132.0 this is now assuming cdk-hnb659fds-deploy-role-* as well.

This creates an issue with accounts that have restrictive permissions in place, such as giving permissions for the lookup role to be assumed only.

Expected Behavior

Continue to assume the lookup role only, or mention this change in design on the docs.

Current Behavior

When running cdk diff using a target account without permissions to assume the deploy role, it fails:

[12:31:37] Retrieved account ID xxxxxxxxxxxx from disk cache
[12:31:37] Assuming role 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-lookup-role-xxxxxxxxxxxx-eu-west-1'.
[12:31:37] Retrieved account ID xxxxxxxxxxxx from disk cache
[12:31:37] Assuming role 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-deploy-role-xxxxxxxxxxxx-eu-west-1'.
[12:31:37] Assuming role failed: User: arn:aws:iam::xxxxxxxxxxxx:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-deploy-role-xxxxxxxxxxxx-eu-west-1

Until v2.131.0, only the lookup role was assumed for cdk diff:

[12:54:15] Retrieved account ID xxxxxxxxxxxx from disk cache
[12:54:15] Assuming role 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-lookup-role-xxxxxxxxxxxx-eu-west-1'.

Reproduction Steps

1 - Create an AWS user, assign it a policy with permission to assume the CDK lookup role only:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/cdk-*-lookup-role-*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/aws-cdk:bootstrap-role": "lookup"
                }
            }
        }
    ]
}

2 - Set up this user for use in the AWS CLI agent

3 - Install npm i -g aws-cdk@2.132.0 --save (same for 2.132.1)

4 - Run cdk diff on any project, it will error out as per above.

5 - Downgrade to v2.131.0 or lower to compare.

Workaround

Workaround to get the expected behavior would be to downgrade to v2.131.0 version of aws-cdk.

Solution:

A fix is in place reverting the breaking change available from v2.133.0.

Additional Information/Context

No response

CDK CLI Version

v2.132.0 and v2.132.1

Framework Version

No response

Node.js Version

16

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response

[vinayak-kukreja]

Hey all, we have reverted the change that was impacting and released it in v2.133.0. Please let us know if you are still facing the issue.

[frfavoreto]

Confirmed this issue is gone on v2.133.0. Thanks!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.