
(cdk): diff ignores --role-arn


What is the problem?

cdk --role-arn arn:aws:iam::123:role/xxx diff still tries to assume the default cdk-hnb659fds-deploy-role-123-us-xxx role. We want to use custom limited roles and this limitation means we are forced to give diff users full access to target accounts with the deploy role.

I believe the problem is with this line:

https://github.com/aws/aws-cdk/blob/74776f393462f7e7d23cb1953ef786a823adc896/packages/aws-cdk/lib/cdk-toolkit.ts#L104

It needs to pass along args.roleArn to prepareSdkFor() just like bootstrap and deploy commands do.

Reproduction Steps

Set up a profile that cannot assume the deploy role, but can assume another role that has access to read stacks (xxx in this example). Use:

cdk --role-arn arn:aws:iam::123:role/xxx diff

What did you expect to happen?

I would expect CDK to assume the role I asked it to assume and successfully print a diff.

What actually happened?

Could not assume role in target account using current credentials (which are for account 123) User: arn:aws:sts::123:assumed-role/instance-role/i-123 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123:role/cdk-hnb659fds-deploy-role-123-us-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

CDK CLI Version

1.129.0

Framework Version

1.121.0

Node.js Version

16.12.0

OS

macOS Big Sur

Language

Python

Language Version

3.8

Other information

Also reported on StackOverflow https://stackoverflow.com/questions/68422581/cdk-diff-with-read-only-permissions-what-is-a-good-way
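A CI-side check, added here as an example (not code from the issue or from the aws-cdk project), that parses the error text shown above and reports whether the role cdk actually tried to assume matches the one passed via --role-arn, and whether it fell back to a bootstrap deploy role. The sample error and the account id 123 are the constructed values from this issue; the deploy-role naming pattern is assumed to be cdk-<qualifier>-deploy-role-<account>-<region> as in the message.

```python
import re
from typing import Optional

# Constructed sample input: the --role-arn from the issue and the error cdk printed.
REQUESTED_ROLE = "arn:aws:iam::123:role/xxx"
CDK_ERROR = (
    "Could not assume role in target account using current credentials "
    "(which are for account 123) User: arn:aws:sts::123:assumed-role/instance-role/i-123 "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::123:role/cdk-hnb659fds-deploy-role-123-us-west-2 . "
    "Please make sure that this role exists in the account."
)

# IAM role ARN: account id, then role name (path and name characters allowed by IAM).
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{1,12}):role/([\w+=,.@/-]+)")
# Assumed naming of the bootstrap deploy role: cdk-<qualifier>-deploy-role-<account>-<region>
DEPLOY_ROLE_RE = re.compile(r"^cdk-[a-z0-9]+-deploy-role-(\d{1,12})-([a-z]{2}-[a-z]+-\d)$")


def attempted_role_arn(error_text: str) -> Optional[str]:
    """Return the role ARN cdk tried to assume, taken from the 'on resource:' clause."""
    m = re.search(r"sts:AssumeRole on resource:\s*(arn:aws:iam::\d{1,12}:role/\S+)", error_text)
    return m.group(1) if m else None


def is_bootstrap_deploy_role(role_arn: str) -> bool:
    """True when the role name follows the bootstrap deploy-role pattern."""
    m = ROLE_ARN_RE.fullmatch(role_arn)
    return bool(m and DEPLOY_ROLE_RE.match(m.group(2)))


def check_role_honoured(requested: str, error_text: str) -> dict:
    """Compare the role requested via --role-arn with the one cdk reported using."""
    attempted = attempted_role_arn(error_text)
    return {
        "requested": requested,
        "attempted": attempted,
        "honoured": attempted == requested,
        "fell_back_to_deploy_role": attempted is not None and is_bootstrap_deploy_role(attempted),
    }


if __name__ == "__main__":
    print(check_role_honoured(REQUESTED_ROLE, CDK_ERROR))
```

Run it against the captured stderr of a `cdk diff` step to fail the job when the least-privilege role was ignored instead of silently relying on the deploy role.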


Top GitHub Comments

1 reaction
mek88 commented, Apr 28, 2022

I believe fixing this would ultimately require a change to what --role-arn means, since this is the role that gets used when the deploy role interacts with CloudFormation and is not the role that the cdk assumes when interacting with a destination account for a CDK diff or deploy.

With that said, we have the same fundamental problem outlined in this issue. Out of the box, we cannot give users or CI/CD systems the ability to run a diff without also giving them the ability to do a deploy. I’d like to see a new role, less empowered, that allows for diffs but not deploys/deletes. The PR tied to this issue appears to do that but was closed.

0 reactions
gabrielenosso commented, Sep 29, 2022

Hi everyone, I still don’t get how we can run “cdk diff” without deployment permissions. In my case, I would like to run “cdk diff” directly from GitHub Actions (so the keys would be saved as GitHub Secrets). How can I be sure that I only give Read permissions to those?
