(cdk): diff ignores --role-arn

[amirfireeye]

What is the problem?

cdk --role-arn arn:aws:iam::123:role/xxx diff still tries to assume the default cdk-hnb659fds-deploy-role-123-us-xxx role. We want to use custom limited roles and this limitation means we are forced to give diff users full access to target accounts with the deploy role.

I believe the problem is with this line:

https://github.com/aws/aws-cdk/blob/74776f393462f7e7d23cb1953ef786a823adc896/packages/aws-cdk/lib/cdk-toolkit.ts#L104

It needs to pass along args.roleArn to prepareSdkFor() just like bootstrap and deploy commands do.

Reproduction Steps

Setup a profile that cannot assume the deploy role, but can assume another role that has access to read stacks (xxx in this example). Use:

cdk --role-arn arn:aws:iam::123:role/xxx diff

What did you expect to happen?

I would expect CDK to assume the role I asked it to assume and successfully print a diff.

What actually happened?

Could not assume role in target account using current credentials (which are for account 123) User: arn:aws:sts::123:assumed-role/instance-role/i-123 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123:role/cdk-hnb659fds-deploy-role-123-us-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

CDK CLI Version

1.129.0

Framework Version

1.121.0

Node.js Version

16.12.0

OS

macOS Big Sur

Language

Python

Language Version

3.8

Other information

Also reported on StackOverflow https://stackoverflow.com/questions/68422581/cdk-diff-with-read-only-permissions-what-is-a-good-way

[igilham]

I'm finding this problem to also exist for the deploy command e.g. cdk -r arn:aws:iam:::role/my-cfn-role deploy MyStack.

Using CDK 2.5.0 NodeJS on MacOS.

[mek88]

I believe fixing this would ultimately require a change to what --role-arn means, since this is the role that gets used when the deploy role interacts with cloudformation and is not the role that the cdk assumes when interacting with the a destination account for a CDK diff or deploy.

With that said, we have the same fundamental problem outlined in this issue. Out of the box, we cannot give users or CI/CD systems the ability to run a diff without also giving them the ability to do a deploy. I'd like to see a new role, less empowered, that allows for diffs but not deploys/deletes. The PR tied to this issue appears to do that but was closed.

[igilham]

That's useful context - thanks, @mek88.

I can confirm that CDK commands work if the --role-arn you assume has sufficient permissions to perform the operations that CDK invokes, but it will still try to assume the bootstrapped roles anyway. The CLI warns the user when this fails. So it works but the CLI output is messy and a little disingenuous.

Maybe the CLI messaging and related documentation could be clearer to help us to know what to expect.

Calling for more granularity of roles may be best to split into another issue.

[corymhall]

A couple of things have been changed/added recently that should address this. cdk diff now assumes the lookup bootstrap role which has read only permissions. In addition if you do not want to use the bootstrap roles at all you can use the CliCredentialsStackSynthesizer which uses the current credentials and does not attempt to assume any roles.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib-readme.html#stack-synthesizers

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.