Description
Describe the bug
The lookup role doesn't seem to be assumable through CDK when requiring an external id. All other roles (deploy, file publishing, image publishing) properly set the external id, however the lookup role isn't working.
Expected Behavior
I expect the lookup role to be assumable when requiring an external ID
Current Behavior
Throws error:

```text
Could not assume role in target account using current credentials (which are for account 181354823827)
User: arn:aws:iam::181354823827:user/test is not authorized to perform: sts:AssumeRole
on resource: arn:aws:iam::676158502875:role/cdk-hnb659fds-lookup-role-676158502875-eu-west-1 .
Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap
the environment with the right '--trust', using the latest version of the CDK CLI.
```
Reproduction Steps
Bootstrap an environment in account A with `cdk bootstrap aws://123456789012/eu-west-1 --trust 111122223333 --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --trust-for-lookup 111122223333`. Then modify the trust policy on the four roles described above to require an external id when account B is assuming the role. (Note: `--trust-for-lookup` is redundant if `--trust` is also specified for the same account and doesn't fix the issue whether you use it or not.)
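The trust-policy change this step describes, as an added example that is not part of the original issue: it builds the policy document that lets the trusted account assume a bootstrap role only when the matching external id is supplied, and a simplified `canAssume` check (an assumption, not how STS is implemented) that fails closed when the id is missing or wrong, which is the `not authorized to perform: sts:AssumeRole` outcome seen above. Account ids and `myexternalid` are the placeholder values from the report.

```typescript
// Added example, not code from the aws-cdk project. Shape of an IAM trust policy
// that requires sts:ExternalId, plus a simplified evaluator for illustration only.
interface TrustPolicy {
  Version: '2012-10-17';
  Statement: Array<{
    Effect: 'Allow';
    Principal: { AWS: string };
    Action: 'sts:AssumeRole';
    Condition?: { StringEquals: { 'sts:ExternalId': string } };
  }>;
}

// Trust policy for one bootstrap role (lookup, deploy, file or image publishing)
// that only lets the trusted account assume it when the external id matches.
function trustPolicyWithExternalId(trustedAccount: string, externalId: string): TrustPolicy {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { AWS: `arn:aws:iam::${trustedAccount}:root` },
      Action: 'sts:AssumeRole',
      Condition: { StringEquals: { 'sts:ExternalId': externalId } },
    }],
  };
}

// Simplified check of an AssumeRole call against the policy (assumption: a
// reduced model, not the real STS evaluator): the caller's account must be a
// trusted principal and, when the condition is present, the ExternalId
// parameter must be supplied and equal. A missing id fails closed.
function canAssume(policy: TrustPolicy, callerAccount: string, externalId?: string): boolean {
  return policy.Statement.some((s) => {
    if (s.Principal.AWS !== `arn:aws:iam::${callerAccount}:root`) return false;
    const required = s.Condition?.StringEquals['sts:ExternalId'];
    return required === undefined || (externalId !== undefined && externalId === required);
  });
}

// Constructed values from the report: account B is trusted, id is "myexternalid".
const lookupRoleTrust = trustPolicyWithExternalId('111122223333', 'myexternalid');
console.log(canAssume(lookupRoleTrust, '111122223333', 'myexternalid')); // true
console.log(canAssume(lookupRoleTrust, '111122223333'));                 // false
```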
In the CDK app, pass in these external ids to the stack to be deployed like so:

```typescript
import { App, DefaultStackSynthesizer } from 'aws-cdk-lib';

const app = new App();
// Account A, the bootstrapped target account from the bootstrap step above.
const testAccountId = '123456789012';

new ExternalIdStack(app, 'ExternalIdTestingStack', {
  synthesizer: new DefaultStackSynthesizer({
    lookupRoleExternalId: 'myexternalid',
    deployRoleExternalId: 'myexternalid',
    fileAssetPublishingExternalId: 'myexternalid',
    imageAssetPublishingExternalId: 'myexternalid'
  }),
  env: {
    region: 'eu-west-1', account: testAccountId
  }
});
```

Inside the stack, you can test the various roles by commenting out each section. Both the image role and file role succeed deployment, indicating that the image role, file role, and deploy role all can be assumed through CDK when an external ID is required. However, even with the exact same trust policy as the others, the lookup role never succeeds.
```typescript
import { Stack, StackProps, RemovalPolicy } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
import { Compatibility, ContainerImage, TaskDefinition } from 'aws-cdk-lib/aws-ecs';

export class ExternalIdStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Uncomment one section at a time to exercise a single bootstrap role.

    // Test Lookup Role
    Vpc.fromLookup(this, 'Vpc', {
      vpcName: 'MyVpc'
    });

    // Test File Role
    // new BucketDeployment(this, 'BucketDeployment', {
    //   sources: [Source.asset('./assets')],
    //   destinationBucket: new Bucket(this, 'DestinationBucket', {
    //     autoDeleteObjects: true,
    //     removalPolicy: RemovalPolicy.DESTROY
    //   }),
    // });

    // Test Image Role
    // const td = new TaskDefinition(this, 'TaskDefinition', {
    //   compatibility: Compatibility.EC2_AND_FARGATE,
    //   cpu: '1024',
    //   memoryMiB: '2048'
    // });
    // td.addContainer('MyContainer', {
    //   image: ContainerImage.fromAsset('./docker'),
    //   memoryLimitMiB: 2048
    // });
  }
}
```

Possible Solution
On a quick look the code seemed to pass this properly all the way to the SDK provider, though I'm not sure what else would be interfering with this.
Additional Information/Context
No response
CDK CLI Version
2.46.0
Framework Version
No response
Node.js Version
16
OS
Mac
Language
Typescript
Language Version
No response
Other information
This was originally reported in a SIM ticket; I was able to reproduce it and investigated the other roles as well.