(eks): cluster only trusts cloudformation execution role with modern synthesis

@samjarrett is correct.

There’s three issues here:

(a) The first is that the documentation of BootstraplessStackSynthesizer is incorrect: it states that it’ll use the CLI credentials, but does not, as there’s a ||= in the code of the class BootstraplessStackSynthesizer is extending that reverts to using the created role as a default. (edit: and most importantly there’s no way to force it to use the CLI credentials without cooking up your own synthesizer, as in my example)

(b) Creating an EKS cluster via CfnCluster using this created role means the cluster can’t be accessed, as there’s no way to set up the master role mapping. There may be other similar issues with other resources & people’s expectations that the CLI role/user is the one used.

© This decision overall has some security implications that may be surprising, as @samjarrett pointed out. They were surprising to me! On the other hand, it’s a nice workaround to “oops my assumed role timed out in the middle of my big stack apply”.

I ran into this issue upgrading to CDK 2 today. I realised due a PutKeyPolicy failure, which was due to the cfn-exec role not being on the key’s admin list (whereas the role provided via aws env vars credentials is).

There are other scenarios where we’d like to be using the role provided via env credentials, and not a cfn-exec role with extremely wide permissions. For example, we typically run CFN deploys with roles that don’t allow data destruction (to prevent accidental RDS “replacements” etc). To perform those actions a separate role needs to be assumed in order to make the action intentional (i.e aws-vault exec my-account-data-destroyer -- yarn cdk deploy ...). It’s not possible to use roles like this anymore if cdk deploy can’t be configured to use credentials from the environment.

It would be great if the use of an assumed cloudFormationExecutionRole could be disabled somehow (i.e. via cdk.json), so that deploys behave similar to CDK 1 and use the provided credentials in ENV when available.

This is a workaround for DefaultStackSynthesizer that avoids having to replace the synthesize function (using 2.0.0-rc.27):

class DefaultStackSynthesizerWithoutDefaultCloudFormationExecutionRole extends DefaultStackSynthesizer {
  protected emitStackArtifact(stack: Stack, session: ISynthesisSession, options: SynthesizeStackArtifactOptions = {}) {
    super.emitStackArtifact(stack, session, {
      ...options,
      cloudFormationExecutionRoleArn: undefined,
    });
  }
};

// Then make sure it's used in every cdk.Stack:
export class MyBaseCdkStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
    super(scope, id, {
      ...props,
      synthesizer: new DefaultStackSynthesizerWithoutDefaultCloudFormationExecutionRole(),
    });
  }
}

Using the LegacyStackSynthesizer is also an option. I added "@aws-cdk/core:newStyleStackSynthesis": false to cdk.json, and it requires the new CDKToolkit stack from CDK v2 bootstrap, and works as expected using the provided role credentials in ENV.