❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize. #29483
Labels: @aws-cdk/cloudformation-diff, @aws-cdk/core, bug, effort/medium, investigating, p0, package/tools
Status: RESOLVED
Overview

Until v2.131.0, the CDK CLI only tried to assume the cdk-hnb659fds-lookup-role-* role during cdk diff, regardless of the use of the --no-change-set option. Since v2.132.0 it is now assuming cdk-hnb659fds-deploy-role-* as well. This creates an issue with accounts that have restrictive permissions in place, such as giving permission for the lookup role to be assumed only.
Expected Behavior

Continue to assume the lookup role only, or mention this change in design in the docs.

Current Behavior

When running cdk diff using a target account without permissions to assume the deploy role, it fails:

Until v2.131.0, only the lookup role was assumed for cdk diff:

Reproduction Steps

1 - Create an AWS user, assign it a policy with permission to assume the CDK lookup role only:
2 - Set up this user for use in the AWS CLI agent
3 - Install `npm i -g aws-cdk@2.132.0 --save` (same for 2.132.1)
4 - Run cdk diff on any project, it will error out as per above.
5 - Downgrade to v2.131.0 or lower to compare.

Workaround

Workaround to get the expected behavior would be to downgrade to the v2.131.0 version of aws-cdk.

Solution:

A fix reverting the breaking change is in place and available from v2.133.0.
Additional Information/Context: No response
CDK CLI Version: v2.132.0 and v2.132.1
Framework Version: No response
Node.js Version: 16
OS: Mac
Language: TypeScript
Language Version: No response
Other information: No response
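Added illustration of the failure mode described in the Reproduction Steps above; this is not code from the aws-cdk project or from the issue reporter. It models the sts:AssumeRole calls cdk diff makes under each CLI version named in the issue (lookup only up to 2.131.0, lookup plus deploy on 2.132.0/2.132.1, reverted in 2.133.0) and evaluates them against a lookup-role-only identity policy with a simplified IAM evaluator (explicit Deny wins, then Allow, otherwise implicit deny; NotAction, NotResource and Condition are not modelled). The account id 123456789012, region us-east-1 and the policy document are constructed for the example; the role names follow the default CDK bootstrap naming with the hnb659fds qualifier.

```python
"""Model the AssumeRole checks `cdk diff` performs under each CLI version and
evaluate them against a lookup-role-only IAM policy.

Added illustration, not code from the aws-cdk project or from the issue reporter.
Account id, region and the policy document below are constructed for the example;
the role naming follows the default CDK bootstrap stack (qualifier hnb659fds).
"""
import json
import re

ACCOUNT = "123456789012"  # constructed
REGION = "us-east-1"      # constructed
QUALIFIER = "hnb659fds"   # default CDK bootstrap qualifier, as in the issue

# Bootstrap roles the CLI assumes during `cdk diff`, per the issue: only the
# lookup role up to 2.131.0, lookup + deploy on 2.132.0/2.132.1, reverted in 2.133.0.
ROLES_ASSUMED_BY_CDK_DIFF = {
    "2.131.0": ("lookup",),
    "2.132.0": ("lookup", "deploy"),
    "2.132.1": ("lookup", "deploy"),
    "2.133.0": ("lookup",),
}


def bootstrap_role_arn(kind: str) -> str:
    """ARN of a default-bootstrap role, e.g. cdk-hnb659fds-lookup-role-<account>-<region>."""
    return f"arn:aws:iam::{ACCOUNT}:role/cdk-{QUALIFIER}-{kind}-role-{ACCOUNT}-{REGION}"


# The restrictive identity policy from reproduction step 1 (constructed): the
# user may assume the lookup role and nothing else.
LOOKUP_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeCdkLookupRoleOnly",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/cdk-{QUALIFIER}-lookup-role-*",
        }
    ],
}


def _iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate a single identity-based policy for one request.

    Simplified IAM logic: an explicit Deny on a matching statement wins, an Allow
    grants, and a request matched by no statement is implicitly denied. Action
    names are case-insensitive, resource ARNs are case-sensitive. NotAction,
    NotResource and Condition are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cdk_diff_assume_role_results(policy: dict, cli_version: str) -> dict:
    """Map each role `cdk diff` assumes under cli_version to whether the policy allows it."""
    return {
        kind: is_allowed(policy, "sts:AssumeRole", bootstrap_role_arn(kind))
        for kind in ROLES_ASSUMED_BY_CDK_DIFF[cli_version]
    }


def first_failing_role(policy: dict, cli_version: str):
    """The role whose AssumeRole would be refused first, or None if cdk diff is fully authorized."""
    for kind, ok in cdk_diff_assume_role_results(policy, cli_version).items():
        if not ok:
            return kind
    return None


if __name__ == "__main__":
    print(json.dumps(LOOKUP_ONLY_POLICY, indent=2))
    for version in ROLES_ASSUMED_BY_CDK_DIFF:
        failing = first_failing_role(LOOKUP_ONLY_POLICY, version)
        status = "ok" if failing is None else f"fails: not authorized to assume {failing} role"
        print(f"aws-cdk {version}: {status}")
```

Running it prints the constructed policy and then one line per CLI version; only 2.132.0 and 2.132.1 report a failure, on the deploy role, which matches the behaviour the issue reports. Because the evaluator is a simplified model, use it to reason about which AssumeRole the CLI trips over, not as a substitute for the IAM policy simulator against the real account.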