(eks): cluster only trusts cloudformation execution role with modern synthesis #16888

@mipearson

General Issue

Can't use CLI credentials when deploying stacks in CDK v2, causing issues with default EKS RBAC

The Question

There doesn't seem to be a way to fall back to the old behaviour of using the CLI credentials to deploy CF stacks rather than the execution role that CDK Bootstrap creates.

This is an issue for EKS, where new clusters are created by default with the creator's role being the only one with master permissions. If you're using CfnCluster rather than the custom resource based provider, this means that you can't then fix the RBAC after the stack has finished creating, as the only entity that the cluster "trusts" is the cloudformation-only deploy role.

I would prefer not to use the CDK custom resource based provider.

CDK CLI Version

2.0.0-rc.23 (build 1e54fb9)

Framework Version

No response

Node.js Version

No response

OS

No response

Language

TypeScript

Language Version

No response

Other information

No response

Labels

@aws-cdk/aws-eks (Related to Amazon Elastic Kubernetes Service), bug (This issue is a bug.), p1, package/tools (Related to AWS CDK Tools or CLI)
