Disable fallback to user's role when a cdk-* role cannot be assumed
#30236
Labels
@aws-cdk/aws-iam
Related to AWS Identity and Access Management
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p2
Comments
lobodpav
added
feature-request
github-actions
bot
added
the
@aws-cdk/aws-iam
|
Thank you for your feedback. We definitely need to hear more thoughts from the community. Please help us prioritize with 👍. |
pahud
added
p2
effort/medium
|
I think I'm running into a similar issue in a different context. I'm using CodeBuild for GitHub Actions runners. And CodeBuild of course has native identity via EC2 metadata lookup. So synth step always tried to use it for lookup and of course the CodeBuild doesn't have the right policies because it's only meant to be used for GH Actions which just performs the basic build steps. |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Describe the feature
When running
deployordestroycommands, it would be amazing if the CDK would fail when acdk-*role cannot be assumed (e.g.cdk-lookuporcdk-deploy).Use Case
It's very easy to use/paste an incorrect Account ID in the
CDK_DEPLOY_ACCOUNTwhen running CDK locally. When that happens, users can accidentally deploy local changes to the production environments.I know that it would have to be a coincidence of selecting the wrong account ID along with the wrong profile. However, if CDK would not fall back to the user's profile by default, it would be possible to define a
Trust policyat thecdk-*role level allowing only pipelines (e.g. OIDC roles) to perform production deployments.Proposed Solution
cdk-*role cannot be assumed.--forceparameter that would fall back to the user's role even if the CDK roles can't be assumed.Other Information
No response
Acknowledgements
CDK version used
2.140.0
Environment details (OS name and version, etc.)
macOS 14.5
The text was updated successfully, but these errors were encountered: