(cdk): diff ignores --role-arn
What is the problem?
cdk --role-arn arn:aws:iam::123:role/xxx diff
still tries to assume the default cdk-hnb659fds-deploy-role-123-us-xxx role. We want to use custom limited roles and this limitation means we are forced to give diff users full access to target accounts with the deploy role.
I believe the problem is with this line:
It needs to pass along args.roleArn to prepareSdkFor() just like the bootstrap and deploy commands do.
Reproduction Steps
Set up a profile that cannot assume the deploy role, but can assume another role that has access to read stacks (xxx in this example). Use:
cdk --role-arn arn:aws:iam::123:role/xxx diff
What did you expect to happen?
I would expect CDK to assume the role I asked it to assume and successfully print a diff.
What actually happened?
Could not assume role in target account using current credentials (which are for account 123) User: arn:aws:sts::123:assumed-role/instance-role/i-123 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123:role/cdk-hnb659fds-deploy-role-123-us-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
CDK CLI Version
1.129.0
Framework Version
1.121.0
Node.js Version
16.12.0
OS
macOS Big Sur
Language
Python
Language Version
3.8
Other information
Also reported on StackOverflow https://stackoverflow.com/questions/68422581/cdk-diff-with-read-only-permissions-what-is-a-good-way
Issue Analytics
- Created 2 years ago
- Comments: 9 (6 by maintainers)
Top GitHub Comments
I believe fixing this would ultimately require a change to what --role-arn means, since this is the role that gets used when the deploy role interacts with CloudFormation and is not the role that the CDK assumes when interacting with a destination account for a CDK diff or deploy.
With that said, we have the same fundamental problem outlined in this issue. Out of the box, we cannot give users or CI/CD systems the ability to run a diff without also giving them the ability to do a deploy. I’d like to see a new role, less empowered, that allows for diffs but not deploys/deletes. The PR tied to this issue appears to do that but was closed.
Hi everyone, I still don’t get how we can run “cdk diff” without deployment permissions. In my case, I would like to run “cdk diff” directly from GitHub Actions (so the keys would be saved as GitHub Secrets). How can I be sure that I only give Read permissions to those?
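The thread asks for a less empowered, diff-only role and for a way to be sure a CI identity only gets read permissions. The following is an added example, not code from the CDK project or from any commenter: it statically checks the permissions policy of a hypothetical diff-only role, expanding IAM action wildcards so that a policy like cloudformation:* is caught even though it never names a write action. The sample policy and the list of write actions are constructed assumptions for illustration.

```python
import fnmatch
import json

# Constructed sample: permissions policy for a hypothetical "diff-only" role
# that may read deployed stacks but never create, change or delete them.
DIFF_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudformation:DescribeStacks", "cloudformation:GetTemplate"],
     "Resource": "*"}
  ]
}
""")

# CloudFormation actions that change or remove infrastructure. An assumption
# for this example (not exhaustive, not taken from the CDK project).
WRITE_ACTIONS = {
    "cloudformation:CreateStack", "cloudformation:UpdateStack",
    "cloudformation:DeleteStack", "cloudformation:CreateChangeSet",
    "cloudformation:ExecuteChangeSet", "cloudformation:DeleteChangeSet",
}


def allowed_actions(policy):
    """Collect every action pattern from Allow statements (Deny is ignored)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def granted_write_actions(policy):
    """Return the write actions the policy grants, expanding IAM wildcards.

    IAM action names are matched case-insensitively and support * and ?,
    which is what fnmatch implements, so "cloudformation:Create*" expands.
    """
    found = set()
    for pattern in allowed_actions(policy):
        for action in WRITE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                found.add(action)
    return sorted(found)


def is_diff_only(policy):
    """True when the policy grants no CloudFormation write action at all."""
    return not granted_write_actions(policy)


if __name__ == "__main__":
    print("diff-only:", is_diff_only(DIFF_ROLE_POLICY))
```

Run the check against the role's policy document before handing the role to a CI pipeline; any non-empty result from granted_write_actions means the role can do more than a diff.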