(cli): Review permissions structure for new changeset-based diffs #29767

@blimmer

Description

Describe the feature

I love the goal of the new cdk diff behavior that creates a CloudFormation changeset to more accurately show information about what will happen if you cdk deploy.

However, I've encountered many problems with existing IAM Roles and Permission Sets I've created for working with CDK.

In the past, I've always been able to create two roles: one for diff-ing and one for deploy-ing. These roles only needed to provide iam:AssumeRole for the following roles created by the CDK bootstrap process:

Role      CDK Bootstrap Roles to Assume
Diff      lookup-role
Deploy    cfn-exec-role, lookup-role, deploy-role, file-publishing-role, image-publishing-role

Since CDK has started generating CloudFormation diffs, I've been receiving an error that, during cdk diff, the role needs to assume the CDK deploy-role:

Before

> yarn cdk diff --no-change-set
yarn run v1.22.21
warning package.json: No license field
$ cdk diff --no-change-set
Stack TestCdkStack
There were no differences

✨  Number of stacks with differences: 0

✨  Done in 3.32s.

After

> cdiff
yarn run v1.22.21
warning package.json: No license field
$ cdk diff
Stack TestCdkStack
current credentials could not be used to assume 'arn:aws:iam::12345678910:role/cdk-hnb659fds-deploy-role-12345678910-us-west-2', but are for the right account. Proceeding anyway.
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
There were no differences

✨  Number of stacks with differences: 0

✨  Done in 3.76s.

So, I'm opening this issue suggesting that the CDK Bootstrap roles be revisited with the new CFN Changeset behaviors.

Use Case

I'm using GitHub Actions OpenID Connect roles to run cdk diff on PRs and cdk deploy on merge to my main branch. Then, I use Trust Relationships to only allow assuming the deploy role from Action Workflows run from the main branch:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::12345678910:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:blimmer/my-repo:ref:refs/heads/main"
                }
            }
        }
    ]
}

The diff role can be assumed by any branch, since it's assumed to be read-only. However, with the recent CloudFormation changeset diffs, these roles no longer work as expected. To generate the changelogs, they appear to need elevated permissions, including access to the deploy-role, which has the ability to cloudformation:DeleteStack and other destructive behaviors.

These OpenID Connect roles are just one example. You could also imagine Permission Sets for Developers that allow them to run cdk diff from their local computers, but they should not be allowed to run cdk deploy.

Proposed Solution

No matter the solution, I think the goal should be that CDK users can define IAM roles/policies that slot users into two buckets: people who can do non-destructive things (like cdk diff) and those who can do everything (e.g., cdk deploy).

Could we update the lookup-role to allow the cloudformation actions needed to create the changeset for diffing purposes? I think that would just include adding cloudformation:CreateChangeSet and cloudformation:DeleteChangeSet? Then, the cdk diff should not try to assume the deploy-role anymore.

Other Information

I originally thought this issue was only with the App Staging synthesizer (see #28816), but it feels like there's some overlap here. We might want to close #28816 in favor of this issue?

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.136.0 (build 94fd33b)

Environment details (OS name and version, etc.)

MacOS Sonoma
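The two-bucket model the issue asks for rests on the trust policy above: the deploy role's StringLike condition admits only the main branch, while a diff role would admit any ref of the repository. The following script is an added example, not code from the issue or from the CDK project. It takes the deploy-role trust policy exactly as posted, derives a hypothetical diff-role trust policy (assumed: same provider and audience, sub pattern `repo:blimmer/my-repo:*`), and evaluates which of the two roles a given GitHub OIDC token could assume, so that a feature-branch or pull-request token can be checked against the policies before they are deployed. The evaluator is deliberately narrow: it models only the StringEquals and StringLike operators used here and ignores explicit Deny statements, which the posted policy does not contain.

```python
import copy
import re

# Federated principal taken from the trust policy in the issue.
PROVIDER_ARN = "arn:aws:iam::12345678910:oidc-provider/token.actions.githubusercontent.com"

# Deploy-role trust policy as posted: only main-branch workflows of blimmer/my-repo.
DEPLOY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:blimmer/my-repo:ref:refs/heads/main"},
        },
    }],
}

# Assumed diff-role trust policy (not on the page): identical, but any ref or
# pull request of the repository may assume it, since the role is meant to be read-only.
DIFF_TRUST_POLICY = copy.deepcopy(DEPLOY_TRUST_POLICY)
DIFF_TRUST_POLICY["Statement"][0]["Condition"]["StringLike"][
    "token.actions.githubusercontent.com:sub"] = "repo:blimmer/my-repo:*"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' one; case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, claims: dict) -> bool:
    """Evaluate the StringEquals / StringLike blocks of a statement against token claims."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = claims.get(key)
            if actual is None:  # a missing claim never satisfies a positive condition
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":
                ok = any(string_like(p, actual) for p in patterns)
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
            if not ok:
                return False
    return True


def can_assume(policy: dict, provider_arn: str, claims: dict) -> bool:
    """True if an Allow statement lets this federated provider, with these claims,
    call sts:AssumeRoleWithWebIdentity. Explicit Deny statements are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        if condition_matches(stmt.get("Condition", {}), claims):
            return True
    return False


def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed sample of the two GitHub OIDC claims the trust policies inspect."""
    return {
        "token.actions.githubusercontent.com:aud": aud,
        "token.actions.githubusercontent.com:sub": sub,
    }


def which_roles(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Report which of the two CI roles a workflow token with this sub/aud could assume."""
    claims = github_claims(sub, aud)
    return {
        "diff": can_assume(DIFF_TRUST_POLICY, PROVIDER_ARN, claims),
        "deploy": can_assume(DEPLOY_TRUST_POLICY, PROVIDER_ARN, claims),
    }


if __name__ == "__main__":
    for sub in ("repo:blimmer/my-repo:ref:refs/heads/main",
                "repo:blimmer/my-repo:ref:refs/heads/feature-x",
                "repo:blimmer/my-repo:pull_request",
                "repo:someone-else/my-repo:ref:refs/heads/main"):
        print(f"{sub:50} -> {which_roles(sub)}")
```

Running the script shows a main-branch token reaching both roles, a feature-branch or pull-request token reaching only the diff role, and a token from another repository reaching neither. That split is exactly what breaks when cdk diff itself needs the deploy-role: the diff role can no longer be granted only lookup-role access without losing change-set based diffs.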

Labels: cli (Issues related to the CDK CLI), effort/medium (Medium work item – several days of effort), feature-request (A feature should be added or improved), p1, package/tools (Related to AWS CDK Tools or CLI)