aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

cdk bootstrap: Can't use Bootstrap roles with IAM path and permission boundaries #24223

Closed hsaleem11 closed 1 year ago

hsaleem11 commented 1 year ago

Describe the bug

Our team is facing issues deploying our cdk project into a new AWS account. We have bootstrapped the account using the bootstrap template here: https://github.com/aws/aws-cdk/blob/v1-main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

We have customized that template to include a permissions boundary and path for all the CDK roles that are created. We have deployed the bootstrap template with the aws cli (followed this helpful guide here: https://medium.com/@imageryan/bootstrapping-aws-cdk-in-a-secure-environment-9bc778ea6d94)

aws cloudformation create-stack \
    --region us-east-1 \
    --capabilities CAPABILITY_NAMED_IAM \
    --template-body file://bootstrap.yml \
    --parameters ParameterKey=PermissionsBoundaryPolicy,ParameterValue=${permissionBoundaryPolicy} \
        ParameterKey=PathBoundary,ParameterValue=${pathBoundary} \
        ParameterKey=CloudFormationExecutionPolicies,ParameterValue=${execRolePolicy} \
        ParameterKey=TrustedAccounts,ParameterValue=123456 \
    --stack-name CDKToolkit

Our ${pathBoundary} is: /delegatedadmin/developer/, and the ${execRolePolicy} is just the default: arn:aws:iam::aws:policy/AdministratorAccess

These are the roles that our customized template created (with custom IAM path):

The problem is that when we do a cdk deploy in our pipeline, it returns this error message:

[19:02:56] Assuming role failed: User: arn:aws:iam::123456:user/Jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/cdk-hnb659fds-deploy-role-123456-us-east-1

[19:02:56] Could not assume role in target account using current credentials User: arn:aws:iam::123456:user/Jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/cdk-hnb659fds-deploy-role-123456-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

current credentials could not be used to assume 'arn:aws:iam::123456:role/cdk-hnb659fds-deploy-role-123456-us-east-1', but are for the right account. Proceeding anyway.

It looks like the credentials for the user are correct, but for some reason the cdk deploy is only using the role without the /delegatedadmin/developer/ path. I don't know where that role is coming from; it does not exist in our account because we only have the roles created from the bootstrap template above.

Expected Behavior

The cdk deploy command should successfully deploy the stack in the right account, with the IAM role that includes our custom path and permissions boundary.

Current Behavior

[19:02:56] Could not assume role in target account using current credentials User: arn:aws:iam::123456:user/Jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/cdk-hnb659fds-deploy-role-123456-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.

Reproduction Steps

Running cdk deploy command in jenkins pipeline.

Possible Solution

Maybe we bootstrapped this incorrectly? We are using cdk v2 (2.55.1), and we bootstrapped with a custom template here (branch is v1-main, not sure if that's for cdk v1): https://github.com/aws/aws-cdk/blob/v1-main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

There is a "v2" template here, but it looks similar and this is probably not the issue: https://github.com/aws/aws-cdk/blob/v2-release/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

Additional Information/Context

I also ran a cdk synth, and checked the output templates in our cdk.out directory. I noticed all the "*.assets.json" files are using the cdk roles (assumeRoleArn) without the custom IAM path, e.g.:

{
  "version": "20.0.0",
  "files": {
    "abc": {
      "source": {
        "path": "dev.template.json",
        "packaging": "file"
      },
      "destinations": {
        "123456-us-east-1": {
          "bucketName": "cdk-hnb659fds-assets-123456-us-east-1",
          "objectKey": "abc.json",
          "region": "us-east-1",
          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456:role/cdk-hnb659fds-file-publishing-role-764338169158-us-east-1"
        }
      }
    }
  },
  "dockerImages": {}
}

This could be a hint as to what our problem is: it seems the cdk synth is not generating the correct IAM roles with the custom path. Just to clarify further, our cdk.context.json file is empty, and there aren't any context lookups happening in our stack.

CDK CLI Version

2.55.1 (build 30f1ae4)

Framework Version

No response

Node.js Version

node: '18.12.1'

OS

alpine:3.17

Language

Typescript

Language Version

No response

Other information

No response

rittneje commented 1 year ago

@hsaleem11 I believe you will have to explicitly tell CDK about your custom role name by adding a custom DefaultStackSynthesizer. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.DefaultStackSynthesizer.html

Note that while the example on that page shows how to set it for an individual Stack by passing the synthesizer parameter, you can also set it for the entire App by passing the defaultStackSynthesizer.

You will need to set cloudFormationExecutionRole, deployRoleArn, fileAssetPublishingRoleArn, imageAssetPublishingRoleArn, and lookupRoleArn.
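As an added illustration of the advice above (example code written for this thread, not code from the aws-cdk project or from either commenter), the block below builds the five role ARNs for a bootstrap stack whose roles sit under a custom IAM path, using the same `${AWS::Partition}`, `${AWS::AccountId}`, `${AWS::Region}` and `${Qualifier}` placeholder tokens that DefaultStackSynthesizer substitutes at synth time, and then scans a `*.assets.json` manifest of the shape posted in the issue for `assumeRoleArn` values that still lack the path. The function names, the sample manifest and the account id `123456` are constructed for the example; the default qualifier `hnb659fds` and the role-name suffixes match the bootstrap template.

```typescript
// Added example: synthesizer role props for bootstrap roles under a custom IAM path,
// plus a check over a cdk.out assets manifest. Not part of the aws-cdk project.

interface BootstrapRoleProps {
  qualifier: string;
  deployRoleArn: string;
  cloudFormationExecutionRole: string;
  fileAssetPublishingRoleArn: string;
  imageAssetPublishingRoleArn: string;
  lookupRoleArn: string;
}

// Normalize an IAM path to "/" or "/segment/.../", the form IAM uses in role ARNs.
function normalizeIamPath(path: string): string {
  const trimmed = path.replace(/^\/+|\/+$/g, "");
  return trimmed.length === 0 ? "/" : `/${trimmed}/`;
}

// Build the props rittneje lists, with every role ARN carrying the custom path.
// The ${AWS::...} and ${Qualifier} tokens are left literal for the synthesizer.
function customBootstrapRoles(iamPath: string, qualifier = "hnb659fds"): BootstrapRoleProps {
  const path = normalizeIamPath(iamPath);
  const role = (suffix: string) =>
    `arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role${path}cdk-\${Qualifier}-${suffix}-\${AWS::AccountId}-\${AWS::Region}`;
  return {
    qualifier,
    deployRoleArn: role("deploy-role"),
    cloudFormationExecutionRole: role("cfn-exec-role"),
    fileAssetPublishingRoleArn: role("file-publishing-role"),
    imageAssetPublishingRoleArn: role("image-publishing-role"),
    lookupRoleArn: role("lookup-role"),
  };
}

// Walk a *.assets.json manifest and return every assumeRoleArn that does not
// contain the expected path, i.e. roles that do not exist in a path-restricted account.
function findRolesMissingPath(manifest: any, iamPath: string): string[] {
  const path = normalizeIamPath(iamPath);
  const missing: string[] = [];
  for (const section of ["files", "dockerImages"]) {
    const assets = manifest[section] || {};
    for (const asset of Object.values(assets) as any[]) {
      for (const dest of Object.values(asset.destinations || {}) as any[]) {
        const arn: string | undefined = dest.assumeRoleArn;
        if (arn && !arn.includes(`:role${path}`)) {
          missing.push(arn);
        }
      }
    }
  }
  return missing;
}

// Constructed sample manifest modeled on the one in the issue (account id 123456 is a placeholder).
const SAMPLE_MANIFEST = {
  version: "20.0.0",
  files: {
    abc: {
      source: { path: "dev.template.json", packaging: "file" },
      destinations: {
        "123456-us-east-1": {
          bucketName: "cdk-hnb659fds-assets-123456-us-east-1",
          objectKey: "abc.json",
          region: "us-east-1",
          assumeRoleArn: "arn:${AWS::Partition}:iam::123456:role/cdk-hnb659fds-file-publishing-role-123456-us-east-1",
        },
      },
    },
  },
  dockerImages: {},
};

// Wiring inside the CDK app (needs aws-cdk-lib, so it is shown as a comment here):
//   import { App, DefaultStackSynthesizer } from "aws-cdk-lib";
//   const app = new App({
//     defaultStackSynthesizer: new DefaultStackSynthesizer(customBootstrapRoles("/delegatedadmin/developer/")),
//   });

console.log(customBootstrapRoles("/delegatedadmin/developer/").deployRoleArn);
console.log(findRolesMissingPath(SAMPLE_MANIFEST, "/delegatedadmin/developer/"));
```

Running `findRolesMissingPath` over the manifests in `cdk.out` after `cdk synth` is a quick way to confirm the synthesizer change took effect before a pipeline deploy: an empty result means every publishing and deploy role ARN now points under the custom path.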

hsaleem11 commented 1 year ago

@rittneje Can you clarify how we can pass the defaultStackSynthesizer to our entire app? We don't want to set this for each stack, we'd like to pass it once for the entire App. But the App props does not have the defaultStackSynthesizer property: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_core.AppProps.html

rittneje commented 1 year ago

Those are the docs for CDK v1. You want v2. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.AppProps.html

khushail commented 1 year ago

Those are the docs for CDK v1. You want v2. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.AppProps.html

Thanks @rittneje for sharing this updated reference as a solution. This should resolve the issue @hsaleem11 is facing.

@hsaleem11 , let us know if you need any further assistance. Thanks

hsaleem11 commented 1 year ago

Thanks, I will test this out and respond back here once I confirm it works.

hsaleem11 commented 1 year ago

Closing this issue, the solution provided by @rittneje is working.

Thanks

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

przemolb commented 1 year ago

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.AppProps.html

The Golang row in the table on this page refers to github.com/aws/aws-cdk-go/awscdk/v2#AppProps and this URL doesn't exist. What is the correct URL?