Incorrect Bootstrap Warning #28888
Description
Describe the bug
Running cdk diff with a profile that does not have permission to assume cdk-<guid>-deploy-role causes the warning (To get rid of this warning, please upgrade to bootstrap version >= 8) to be displayed.
Running cdk diff with a profile that can assume cdk-<guid>-deploy-role does not display the warning.
The account is bootstrapped with the latest version (20 currently).
This warning is dumped to the logs twice, once before and once after the diff results are displayed.
Before:
[time] Assuming role 'arn:aws:iam::XXXXX:role/cdk-<guid>-lookup-role-XXXXX-us-east-1'.
[time] Assuming role failed: User: arn:aws:sts::XXXXX:assumed-role/Dev_Team_Role/aws-sdk-js-1706295393223 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/cdk-<guid>-lookup-role-XXXXX-us-east-1
[time] Could not assume role in target account using current credentials User: arn:aws:sts::XXXXX:assumed-role/Dev_Team_Role/aws-sdk-js-1706295393223 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/cdk-<guid>-lookup-role-XXXXX-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
current credentials could not be used to assume 'arn:aws:iam::XXXXX:role/cdk-<guid>-lookup-role-XXXXX-us-east-1', but are for the right account. Proceeding anyway.
(To get rid of this warning, please upgrade to bootstrap version >= 8)
After:
[time] Retrieved account ID XXXXX from disk cache
(To get rid of this warning, please upgrade to bootstrap version >= 8)
[time] Retrieved account ID XXXXX from disk cache
[time] Retrieved account ID XXXXX from disk cache
[time] Assuming role 'arn:aws:iam::XXXXX:role/cdk-<guid>-deploy-role-XXXXX-us-east-1'.
[time] Assuming role failed: User: arn:aws:sts::XXXXX:assumed-role/Dev_Team_Role/aws-sdk-js-1706295393223 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/cdk-<guid>-deploy-role-XXXXX-us-east-1
[time] Could not assume role in target account using current credentials User: arn:aws:sts::XXXXX:assumed-role/Dev_Team_Role/aws-sdk-js-1706295393223 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/cdk-<guid>-deploy-role-XXXXX-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
current credentials could not be used to assume 'arn:aws:iam::XXXXX:role/cdk-<guid>-deploy-role-XXXXX-us-east-1', but are for the right account. Proceeding anyway.
We do not want the dev teams to directly deploy outside of the CI/CD pipeline, so they are correctly prevented from assuming the cdk deploy role. But we do want them to be able to run a diff. This warning, however, is causing confusion. I'm also confused as to why it mentions bootstrap version 8, seeing as the stack was deployed on version 19 and we are currently on version 20.
Expected Behavior
I expect to not get this warning message: (To get rid of this warning, please upgrade to bootstrap version >= 8).
Current Behavior
It currently displays this warning message: (To get rid of this warning, please upgrade to bootstrap version >= 8).
Reproduction Steps
Run a cdk diff using a profile that does not have permission to assume cdk-<guid>-deploy-role.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.123.0 (build a594112)
Framework Version
No response
Node.js Version
v20.10.0
OS
Windows 10
Language
Python
Language Version
Python 3.12.1
Other information
No response
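The symptom reported above, as an added triage example that is not part of the original issue or the CDK code base: it reads verbose `cdk diff` output and separates a bootstrap warning that coincides with an `sts:AssumeRole` denial from one where the bootstrap version really is too old. The `triage` function, its verdict labels and the sample log are assumptions constructed from the lines quoted in the issue; the bootstrapped version is supplied by the operator, not parsed from the log.

```python
import re

# Constructed sample, modelled on the verbose output quoted in the issue
# (account ID, <guid> and [time] are the page's own placeholders).
SAMPLE_LOG = """\
[time] Assuming role 'arn:aws:iam::XXXXX:role/cdk-<guid>-lookup-role-XXXXX-us-east-1'.
[time] Assuming role failed: User: arn:aws:sts::XXXXX:assumed-role/Dev_Team_Role/aws-sdk-js-1706295393223 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/cdk-<guid>-lookup-role-XXXXX-us-east-1
(To get rid of this warning, please upgrade to bootstrap version >= 8)
[time] Retrieved account ID XXXXX from disk cache
(To get rid of this warning, please upgrade to bootstrap version >= 8)
[time] Assuming role 'arn:aws:iam::XXXXX:role/cdk-<guid>-deploy-role-XXXXX-us-east-1'.
[time] Assuming role failed: User: arn:aws:sts::XXXXX:assumed-role/Dev_Team_Role/aws-sdk-js-1706295393223 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/cdk-<guid>-deploy-role-XXXXX-us-east-1
"""

DENIED = re.compile(r"Assuming role failed: User: (?P<principal>\S+) is not authorized "
                    r"to perform: sts:AssumeRole on resource: (?P<role>\S+)")
WARNING = re.compile(r"please upgrade to bootstrap version >= (\d+)")
ROLE_KIND = re.compile(r":role/cdk-[^-]+-(?P<kind>.+?)-role-")


def triage(log, bootstrapped_version):
    """Classify the bootstrap warnings found in one run's output.

    bootstrapped_version is an operator-supplied value (assumption: read from
    the bootstrap stack, 20 in the issue); it is never inferred from the log.
    """
    denied_roles, principals, required = set(), set(), []
    for line in log.splitlines():
        d = DENIED.search(line)
        if d:
            kind = ROLE_KIND.search(d["role"])
            denied_roles.add(kind["kind"] if kind else "unknown")
            principals.add(d["principal"])
        w = WARNING.search(line)
        if w:
            required.append(int(w[1]))
    if not required:
        verdict = "clean"
    elif bootstrapped_version < max(required):
        verdict = "bootstrap-outdated"   # the warning text is accurate
    elif denied_roles:
        verdict = "assume-role-denied"   # warning coincides with an STS denial
    else:
        verdict = "undetermined"
    return {"verdict": verdict, "warnings": len(required),
            "denied_roles": sorted(denied_roles), "principals": sorted(principals)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, bootstrapped_version=20))
```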