(app-staging-synthesizer-alpha): Existing CDK diff IAM policies do not work with AppStagingSynthesizer #28816
Description
Describe the bug
I deploy my AWS CDK applications via GitHub actions. When a pull request is opened, I assume an IAM role (via OIDC) to run the cdk diff and post it back to the PR for author review.
The diff role that works with the DefaultStackSynthesizer looks like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
        "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
      ],
      "Effect": "Allow",
      "Sid": "AllowAssumeCdkDiffRoles"
    }
  ]
}
```
With the DefaultStackSynthesizer, this works great.
However, this role does not work with AppStagingSynthesizer. The failure I get is:
GitHubActionsCdkDiff is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-2:REDACTED:stack/StagingStack-MYAPPID/f88beee0-b6ff-11ee-88b6-02de35b05309 because no identity-based policy allows the cloudformation:DescribeStacks action
Through trial and error, the final statement I needed to add looked like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:PassRole",
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
        "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
      ],
      "Effect": "Allow",
      "Sid": "AllowAssumeCdkDiffRoles"
    },
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/StagingStack-MYAPPID/*",
      "Effect": "Allow",
      "Sid": "AllowDiffingAppStagingStacks"
    }
  ]
}
```
Expected Behavior
From the documentation, it seems like the existing bootstrap roles should be used, just as with the default synthesizer.
> The Roles from the default bootstrap stack are still used (though their use can be turned off).

I might be confused by this documentation, but the way I read it makes me think my existing roles should still work.
Current Behavior
The cdk diff fails with an IAM error until I grant additional permissions to my OIDC role.
GitHubActionsCdkDiff is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-2:REDACTED:stack/StagingStack-MYAPPID/f88beee0-b6ff-11ee-88b6-02de35b05309 because no identity-based policy allows the cloudformation:DescribeStacks action
Reproduction Steps
- Create an app with the AppStagingSynthesizer like this:
```typescript
#!/usr/bin/env node
import "source-map-support/register";
import { MyStack } from "../lib/MyStack";
import { App, Environment, Tags } from "aws-cdk-lib";
import { AppStagingSynthesizer } from "@aws-cdk/app-staging-synthesizer-alpha";

const appId = "MYAPPID";
const app = new App({
  defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
    appId,
  }),
});
const env: Environment = {
  account: process.env.CDK_DEFAULT_ACCOUNT,
  region: "us-east-2",
};
Tags.of(app).add("service", appId);
new MyStack(app, "MyStack", {
  env,
});
```
- Create a "diff" role, as before:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
        "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"
      ],
      "Effect": "Allow",
      "Sid": "AllowAssumeCdkDiffRoles"
    }
  ]
}
```
- Assume this role locally.
- Run `cdk diff`. You'll receive the access denied error.
Possible Solution
Ideally, the same bootstrap roles could be used whether you're using the default synthesizer or the AppStagingSynthesizer.
Additional Information/Context
No response
CDK CLI Version
2.122.0 (build 7e77e02)
Framework Version
No response
Node.js Version
v20.11.0
OS
MacOS
Language
TypeScript
Language Version
No response
Other information
Bootstrap version is v18
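The gap the reporter found by trial and error can be checked offline before a pipeline role is ever assumed. The following is an added example, not code from the issue or from the CDK project: a deliberately simplified identity-policy evaluator (explicit Deny wins, any matching Allow grants, otherwise implicit deny; conditions, NotAction/NotResource and resource-based policies are ignored) run against the two policies quoted above and a constructed list of the calls `cdk diff` makes according to the error message. The account id, region and stack-id suffix are placeholders, and the exact set of CloudFormation actions is taken from the reporter's working statement rather than from any CDK documentation.

```python
import re

# Policies copied from the issue: the diff role that works with
# DefaultStackSynthesizer, and the one the reporter needed for AppStagingSynthesizer.
ORIGINAL_DIFF_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAssumeCdkDiffRoles",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole", "iam:PassRole"],
        "Resource": ["arn:aws:iam::*:role/cdk-hnb659fds-cfn-exec-role-*",
                     "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*"],
    }],
}

EXTENDED_DIFF_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_DIFF_POLICY["Statement"] + [{
        "Sid": "AllowDiffingAppStagingStacks",
        "Effect": "Allow",
        "Action": ["cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet",
                   "cloudformation:DescribeStacks", "cloudformation:GetTemplate"],
        "Resource": "arn:aws:cloudformation:*:*:stack/StagingStack-MYAPPID/*",
    }],
}

# Constructed sample of what `cdk diff` touches, derived from the issue's error
# message. Account id and stack-id suffix are placeholders, not real values.
ACCOUNT = "123456789012"
REGION = "us-east-2"
STAGING_STACK_ARN = (f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:"
                     "stack/StagingStack-MYAPPID/PLACEHOLDER-STACK-ID")
REQUIRED_FOR_DIFF = [
    ("sts:AssumeRole", f"arn:aws:iam::{ACCOUNT}:role/cdk-hnb659fds-lookup-role-{ACCOUNT}-{REGION}"),
    ("cloudformation:DescribeStacks", STAGING_STACK_ARN),
    ("cloudformation:GetTemplate", STAGING_STACK_ARN),
    ("cloudformation:CreateChangeSet", STAGING_STACK_ARN),
    ("cloudformation:DeleteChangeSet", STAGING_STACK_ARN),
]


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(_wildcard_match(r, resource) for r in resources))


def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, else any Allow, else implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, required):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_DIFF_POLICY), ("extended", EXTENDED_DIFF_POLICY)):
        gaps = missing_permissions(policy, REQUIRED_FOR_DIFF)
        print(f"{name} diff policy: {'no gaps' if not gaps else gaps}")
```

Running it reports every CloudFormation call on the StagingStack ARN as missing from the original policy and nothing missing from the extended one, which matches the access-denied message in the issue. The extended policy also still denies the same actions on any stack outside `StagingStack-MYAPPID/*`, so the added statement stays scoped to the synthesizer's own staging stack rather than granting CloudFormation read access account-wide. For a real role the authoritative answer comes from IAM's own evaluation (for example the policy simulator), since this model ignores conditions and permission boundaries.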