iam: failed to deploy with permissions boundary

[constantintaivan]

Status

Investigating (Default)

What is the issue?

Hi,

I'm following the above setup but the deployment (cdk deploy) does not work.
I have installed on Windows the latest version for CDK and AWS CLI.
Bootstrapping was fixed and deployed successfully by using this resource: https://aws.amazon.com/blogs/mt/how-to-deploy-cdk-v2-to-an-account-that-requires-boundary-policies/

e.g.,

const boundary = iam.ManagedPolicy.fromManagedPolicyArn(this, 'Boundary', 'arn:aws:iam::xxx:policy/DenyServicesSecurityStuff-policy');
iam.PermissionsBoundary.of(this).apply(boundary)

Thanks
Constantin

Error message

MyTask/TaskRole (MyTaskTaskRole560858C4) Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::xxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xx-eu-central-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxx:role/SqsFargateServiceStack-MyTaskTaskRole560858C4-CUjtntvC38J4 with an explicit deny in a permissions boundary (Service: Iam, Status Code: 403, Request ID: 52393d51-805e-4bee-86d8-a49072c0f03e)"

What is the impact?

I'm following this tutorial: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/run-message-driven-workloads-at-scale-by-using-aws-fargate.html

I can not deploy resources to company AWS account which requires certain permission boundaries.

The CDK deployment works within a new AWS free account.

Workaround

No response

Who is affected?

This is a POC for the moment. The goal is to connect the Fargate to the Queue and achieve longer processing times than the ones with Lambda functions which are bound to 15m execution.

How do I resolve this?

Use another tool for deployment e.g. Terraform

Related issues

#22745

[pahud]

Hi

Please clarify

1. How did you bootstrap your CDK? Can you share the full command?
2. Can you share your minimal reproducible CDK code snippets that returns the error so we can reproduce it in our account?
3. What is your CDK version?

[constantintaivan]

Hi @pahud

1. cdk bootstrap --template bootstrap-template.yaml - here I've used the modified template according to this article. I've been adding the PermissionsBoundary as part of role creation, see below (without this, I could not do the bootstrapping, same errors as in the article)

2. I'm doing a POC around this pattern . It uses Typescript to deploy resources. So, the idea was to use the same policy as in bootstrapping. The code is in FargateServiceStack.ts where I have been adding the policy as following:

const boundary = iam.ManagedPolicy.fromManagedPolicyArn(this, 'Boundary', 'arn:aws:iam::xxx:policy/DenyServicesSecurityStuff-policy');  
iam.PermissionsBoundary.of(this).apply(boundary)

or adding as part of cdk.json - but didn't work too

 "@aws-cdk/core:permissionsBoundary": {
      "name": "DenyServicesSecurityStuff-policy"
    },

3. CDK Version: 2.152.0 (build faa7d79)

bootstrap-template.yaml - this was modified by adding the PermissionsBoundary in 5 places; see it attached
[bootstrap-template.txt](https://github.com/user-attachments/files/16682624/bootstrap-template.txt)

DeploymentActionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            AWS:
              Ref: AWS::AccountId
        - Fn::If:
          - HasTrustedAccounts
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Ref: TrustedAccounts
          - Ref: AWS::NoValue
      PermissionsBoundary: arn:aws:iam::xxx:policy/DenyServicesSecurityStuff-policy

[pahud]

Hi

Thank you for sharing the context of the issue.

The blog post you mentioned was posted in 2022 and was not authored by CDK team and the repository in it was aws-samples/aws-cdk-v2-bootstrap, which is not maintained and owned by CDK team as well. We can't validate the behavior from the code in that repository today as it's not maintained by us. I would suggest you report this issue to that repo https://github.com/aws-samples/aws-cdk-v2-bootstrap/issues. Also, I would reach out to relevant team internally to have their attention.

If you need to enable the permission boundary on cdk bootstrap, please reference this document:
https://docs.aws.amazon.com/cdk/v2/guide/customize-permissions-boundaries.html

I hope you find it useful. If you encounter any issue from the document, please create a new issue about that for us. Thank you.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.