❗ NOTICE: cdk diff tries to assume 'deploy' role and fails to authorize. #29483
cdk diff tries to assume 'deploy' role and fails to authorize.
Signed-off-by: Vinayak Kukreja <[email protected]>
CDK CLI notice for: aws/aws-cdk#29483
Hey all, we have reverted the change that was impacting and released it in |
Confirmed this issue is gone on |
Please add your +1 👍 to let us know you have encountered this
Status: RESOLVED
Overview
Until v2.131.0, CDK CLI only tried to assume the cdk-hnb659fds-lookup-role-* role during cdk diff, regardless of the use of the --no-change-set option.
Since v2.132.0 this is now assuming cdk-hnb659fds-deploy-role-* as well.
This creates an issue with accounts that have restrictive permissions in place, such as giving permissions for the lookup role to be assumed only.
Expected Behavior
Continue to assume the lookup role only, or mention this change in design on the docs.
Current Behavior
When running cdk diff using a target account without permissions to assume the deploy role, it fails:
Until v2.131.0, only the lookup role was assumed for cdk diff:
Reproduction Steps
1 - Create an AWS user, assign it a policy with permission to assume the CDK lookup role only:
2 - Set up this user for use in the AWS CLI agent
3 - Install npm i -g [email protected] --save (same for 2.132.1)
4 - Run cdk diff on any project, it will error out as per above.
5 - Downgrade to v2.131.0 or lower to compare.
Workaround
Workaround to get the expected behavior would be to downgrade to v2.131.0 version of aws-cdk.
Solution:
A fix is in place reverting the breaking change available from v2.133.0.
Additional Information/Context
No response
CDK CLI Version
v2.132.0 and v2.132.1
Framework Version
No response
Node.js Version
16
OS
Mac
Language
TypeScript
Language Version
No response
Other information
No response
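A simplified check, added here as an example and not taken from the issue or from the CDK code base, that predicts whether cdk diff is authorized for a given identity policy under the role-assumption behaviour described in the Overview. It assumes the default bootstrap role naming (cdk-hnb659fds-<kind>-role-<account>-<region>); the type and function names and the sample policy are constructed for illustration, and the evaluation ignores conditions, trust policies, SCPs and permission boundaries.

```typescript
// Added example: simplified identity-policy check for the CDK bootstrap roles.
// Not a full IAM evaluator: no conditions, NotAction/NotResource, SCPs,
// permission boundaries, or the role's trust policy.
type PolicyStatement = { Effect: "Allow" | "Deny"; Action: string | string[]; Resource: string | string[] };
type PolicyDoc = { Version: string; Statement: PolicyStatement[] };

const asArray = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: '*' is any run of characters, '?' is one character.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, ignoreCase ? "i" : "").test(value);
}

function statementApplies(s: PolicyStatement, roleArn: string): boolean {
  return asArray(s.Action).some((a) => wildcardMatch(a, "sts:AssumeRole", true)) &&
    asArray(s.Resource).some((r) => wildcardMatch(r, roleArn, false));
}

// Explicit Deny wins; otherwise at least one matching Allow is required.
function canAssume(policy: PolicyDoc, roleArn: string): boolean {
  const hits = policy.Statement.filter((s) => statementApplies(s, roleArn));
  return hits.length > 0 && hits.every((s) => s.Effect === "Allow");
}

// Assumed default bootstrap naming: cdk-hnb659fds-<kind>-role-<account>-<region>.
function bootstrapRoleArn(kind: "lookup" | "deploy", account: string, region: string): string {
  return `arn:aws:iam::${account}:role/cdk-hnb659fds-${kind}-role-${account}-${region}`;
}

// Roles `cdk diff` tries to assume, per the issue: 2.132.0 and 2.132.1 add 'deploy'.
function rolesNeededForDiff(cliVersion: string): Array<"lookup" | "deploy"> {
  return cliVersion === "2.132.0" || cliVersion === "2.132.1" ? ["lookup", "deploy"] : ["lookup"];
}

function diffWouldBeAuthorized(policy: PolicyDoc, cliVersion: string, account: string, region: string): boolean {
  return rolesNeededForDiff(cliVersion).every((k) => canAssume(policy, bootstrapRoleArn(k, account, region)));
}

// Constructed sample: a lookup-only policy of the kind reproduction step 1 describes.
const lookupOnlyPolicy: PolicyDoc = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Resource: "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*" }],
};
```

Running `diffWouldBeAuthorized` over the policies attached to CI identities before a CLI upgrade shows which pipelines depend on lookup-only access.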