[AwsCustomResource]: (assumeRoleArn defined in non-opt-in region while assume in opt-in region cause permission issue) #26562

@chensy-aws

Description

Describe the bug

For AwsCustomResource, the AwsSdkCall has an assumeRoleArn that we can assume to proceed with the SdkCall.

But the default STS endpoint is set to regional, and the default region in our case is an opt-in region. However, the role is created/defined under a root account in a non-opt-in region (we cannot enable all opt-in regions for that account). With the incorrect STS endpoint the assumeRole fails with a permission issue.

Expected Behavior

STS AssumeRole succeeds and the AwsSdkCall can proceed with a success response.

Current Behavior

Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'CredentialsError',
  time: 2023-07-19T01:26:20.624Z,
  requestId: '***********',
  statusCode: 403,
  retryable: false,
  retryDelay: 30.07614769919884,
  originalError: {
    message: 'Could not load credentials from ChainableTemporaryCredentials',
    code: 'CredentialsError',
    time: 2023-07-19T01:26:20.624Z,
    requestId: '*****************',
    statusCode: 403,
    retryable: false,
    retryDelay: 30.07614769919884,
    originalError: {
      message: 'User: arn:aws:sts::*********:assumed-role/********* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::**********:role/*******',
      code: 'AccessDenied',
      time: 2023-07-19T01:26:20.565Z,
      requestId: '******',
      statusCode: 403,
      retryable: false,
      retryDelay: 30.07614769919884
    }
  }
}

Reproduction Steps

Create an AwsCustomResource in an opt-in region to assume a Role defined in an account which did not enable this opt-in region.

Possible Solution

We tried all combinations of region vs. STS endpoint:

case 1, default region (opt-in region) with global STS endpoint. -> FAILED
case 2, non-opt-in region with global STS endpoint. -> SUCCEED
case 3, default region (opt-in region) with regional STS endpoint. -> FAILED
case 4, non-opt-in region with regional STS endpoint. -> SUCCEED

So in either case, we need to override the default region to a non-opt-in region!! So we are requesting to expose this STS region option to the user. The AwsSdkCall does have a region option, but that region is NOT used for the STS AssumeRole.

Additional Information/Context

No response

CDK CLI Version

2.73.0

Framework Version

No response

Node.js Version

18

OS

AL2

Language

Typescript

Language Version

No response

Other information

No response
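The four cases under "Possible Solution" are easier to reason about once the STS endpoint selection is written out. The block below is an added example, not code from the issue author or from the AWS CDK project: it models how the AWS SDK for JavaScript v2 picks an STS endpoint from the configured region and the stsRegionalEndpoints setting (legacy vs. regional), then reproduces the issue's table. The rule that an opt-in region's STS endpoint only serves roles whose account has enabled that region is an assumption reconstructed from the table's results, and the region names and enabled-region set are constructed sample values. The point for a reviewer: the AccessDenied text in the stack trace reads like a trust-policy problem, but the table shows it is endpoint routing, so the fix is choosing the region STS is called in, not widening the role's trust policy.

```typescript
// Added example, not code from the issue author or from the AWS CDK project.
// It models how the AWS SDK for JavaScript v2 picks an STS endpoint from the
// configured region and the stsRegionalEndpoints setting, and reproduces the
// four cases listed under "Possible Solution". Region and account data below
// are constructed sample values.

type StsEndpointMode = "legacy" | "regional";

interface StsEndpoint {
  host: string;
  // Region whose STS stack answers the call; null for the global endpoint.
  servingRegion: string | null;
}

// Regions for which the SDK's "legacy" setting still sends AssumeRole to the
// global endpoint sts.amazonaws.com. Any other region (opt-in regions included)
// is routed to its regional endpoint even in legacy mode, which is why case 1
// in the issue behaves like case 3.
const LEGACY_GLOBAL_REGIONS: ReadonlySet<string> = new Set([
  "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
  "aws-global", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1",
  "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2",
  "us-west-1", "us-west-2",
]);

// Opt-in regions used by this model (illustrative subset, not an exhaustive list).
const OPT_IN_REGIONS: ReadonlySet<string> = new Set([
  "af-south-1", "ap-east-1", "eu-south-1", "me-south-1",
]);

function resolveStsEndpoint(region: string, mode: StsEndpointMode): StsEndpoint {
  if (mode === "legacy" && LEGACY_GLOBAL_REGIONS.has(region)) {
    return { host: "sts.amazonaws.com", servingRegion: null };
  }
  return { host: `sts.${region}.amazonaws.com`, servingRegion: region };
}

// Assumption drawn from the issue's results: an STS endpoint in an opt-in region
// can only serve AssumeRole for roles whose account has enabled that region.
// The global endpoint and endpoints in default (non-opt-in) regions serve every account.
function canAssumeRole(
  endpoint: StsEndpoint,
  roleAccountEnabledRegions: ReadonlySet<string>,
): boolean {
  const region = endpoint.servingRegion;
  if (region === null || !OPT_IN_REGIONS.has(region)) {
    return true;
  }
  return roleAccountEnabledRegions.has(region);
}

type Outcome = "SUCCEED" | "FAILED";

// One row of the issue's table: the region the custom resource runs in, the STS
// endpoint mode, and the set of regions enabled in the account that owns the role.
function evaluateCase(
  callerRegion: string,
  mode: StsEndpointMode,
  roleAccountEnabledRegions: ReadonlySet<string>,
): Outcome {
  const endpoint = resolveStsEndpoint(callerRegion, mode);
  return canAssumeRole(endpoint, roleAccountEnabledRegions) ? "SUCCEED" : "FAILED";
}

// Constructed sample: the role lives in an account that never enabled me-south-1,
// while the custom resource's default region is me-south-1.
const ROLE_ACCOUNT_REGIONS: ReadonlySet<string> = new Set(["us-east-1", "us-west-2"]);
const OPT_IN_DEFAULT_REGION = "me-south-1";
const NON_OPT_IN_REGION = "us-east-1";

function reproduceIssueTable(): Record<string, Outcome> {
  return {
    "case 1: opt-in region, global (legacy) endpoint":
      evaluateCase(OPT_IN_DEFAULT_REGION, "legacy", ROLE_ACCOUNT_REGIONS),
    "case 2: non-opt-in region, global (legacy) endpoint":
      evaluateCase(NON_OPT_IN_REGION, "legacy", ROLE_ACCOUNT_REGIONS),
    "case 3: opt-in region, regional endpoint":
      evaluateCase(OPT_IN_DEFAULT_REGION, "regional", ROLE_ACCOUNT_REGIONS),
    "case 4: non-opt-in region, regional endpoint":
      evaluateCase(NON_OPT_IN_REGION, "regional", ROLE_ACCOUNT_REGIONS),
  };
}

for (const [label, outcome] of Object.entries(reproduceIssueTable())) {
  console.log(`${label} -> ${outcome}`);
}
```

Under this model the only inputs that change the outcome are the region STS is addressed in and whether the role's account has that region enabled; the role's trust policy never enters. That matches the issue's request: a separate region option for the AssumeRole step, so the custom resource can run in the opt-in region while STS is called in a region the role's account can serve.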

Metadata

Assignees

Labels

@aws-cdk/custom-resources (Related to AWS CDK Custom Resources)
bug (This issue is a bug.)
effort/medium (Medium work item – several days of effort)
p1
sdk-v3-upgrade (Tag issues that are associated to SDK V3 upgrade. Not limited to CR usage of SDK only.)
