Closed pfried closed 2 years ago
Hey @pfried! Thanks for reaching out.
My idea when I first created this sample was to demonstrate how you can create the pipeline and roles/policies manually. If you need something more automated with proven defaults, I recommend you take a look at CDK Pipelines. This is a link to the documentation, and this is a good blog post about it. If you are using Python, I also recommend this blog.
I also have a hands-on workshop where I go through the creation of such a CI/CD pipeline. I'm releasing a new version of the workshop this week.
Does that help? Please ping me if you still need some support.
Dear @rafaelgsr
My current state is "exactly" the outcome of the workshop. I do have a CDK Pipeline with three accounts: Pipeline Account, Dev, Prod.
I now have the need to access cross-account resources which are owned by the Pipeline Account (kms keys, route53 domains, ...). This repository is showing exactly this, but I imagine something more declarative.
Ideally I could attach an inline policy to the exec rule of the Dev and Prod stack. As in my case the Pipeline Account also owns the resources, I could imagine something similar to the approach for the context lookup.
I guess this needs programmatic access and the usage of switchRoles. So this cannot be easily done in cdk.
For the domain part I delegated the access to the Dev and Prod accounts. For my other needs I set up Custom Resources; this works for now.
Thank you @rafaelgsr for the example,
I was actually led here by my stackoverflow question at: https://stackoverflow.com/questions/69806861/add-permissions-to-aws-cdk-pipelines-cross-account-execution-role/69965471#69965471
In your example the roles are "manually" set up. I was looking for a solution more in line with my current cdk pipeline model. Would it be possible to use the existing bootstrapping roles?