(aws_cdk.pipelines): ConfirmPermissionsBroadening only diffs on template differences #33061
Description
Describe the bug
When using the ConfirmPermissionsBroadening check on a cross-account stage, the CodeBuild project lacks permissions to assume the necessary roles in the target account, cannot create a CloudFormation changeset, and performs a diff only on template differences.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
A cloudformation changeset is being created in the target account and used as source to evaluate security related changes.
Current Behavior
Changeset cannot be created due to missing permissions on the CodeBuild project's role:
fail: Could not assume role in target account using current credentials (which are for account <source account>) User: arn:aws:sts::<source account>:assumed-role/CdkCrossAccountConfirmPer-PipelinePipelinesSecurity-<redacted>/AWSCodeBuild-<redacted> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<target account>:role/cdk-hnb659fds-file-publishing-role-<redacted>-eu-central-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
--
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
The target account is properly bootstrapped, the trust policy of the file publishing role allows sts assume role from the source account.
The codebuild service role has a condition on the relevant policy that prevents assuming the file publishing role:
{
  "Condition": {
    "ForAnyValue:StringEquals": {
      "iam:ResourceTag/aws-cdk:bootstrap-role": [
        "deploy"
      ]
    }
  },
  "Action": "sts:AssumeRole",
  "Resource": "*",
  "Effect": "Allow"
},
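To make the effect of that condition concrete, here is a small simulator of how IAM evaluates the statement above against a target-account role and its resource tags (added example, not code from the issue or from aws-cdk-lib). It assumes that CDK bootstrap tags the file-publishing role with `aws-cdk:bootstrap-role = file-publishing`, and the "fixed" statement is only a hypothetical illustration of widening the allowed tag values.

```typescript
// Added example: simulate the ForAnyValue:StringEquals condition on the
// CodeBuild service role. Tag values and the candidate fix are assumptions.
type Tags = Record<string, string>;

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string;
  Resource: string;
  Condition?: { "ForAnyValue:StringEquals"?: Record<string, string[]> };
}

// Evaluate one Allow statement for sts:AssumeRole against a target role
// described by its ARN and the IAM tags attached to that role.
function canAssume(stmt: Statement, roleArn: string, roleTags: Tags): boolean {
  if (stmt.Effect !== "Allow" || stmt.Action !== "sts:AssumeRole") return false;
  if (stmt.Resource !== "*" && stmt.Resource !== roleArn) return false;
  const cond = stmt.Condition?.["ForAnyValue:StringEquals"];
  if (!cond) return true;
  // Every condition key must match. For iam:ResourceTag/<key> the request
  // value is the target role's tag; it must equal one of the listed values.
  const prefix = "iam:ResourceTag/";
  return Object.entries(cond).every(([key, allowed]) => {
    if (!key.startsWith(prefix)) return false; // unsupported key: no match
    const tagValue = roleTags[key.slice(prefix.length)];
    return tagValue !== undefined && allowed.includes(tagValue);
  });
}

// The statement currently generated on the CodeBuild role (from the issue).
const currentStatement: Statement = {
  Effect: "Allow", Action: "sts:AssumeRole", Resource: "*",
  Condition: { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": ["deploy"] } },
};

// Hypothetical fix (assumption): also allow the role the changeset diff needs.
const fixedStatement: Statement = {
  Effect: "Allow", Action: "sts:AssumeRole", Resource: "*",
  Condition: { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": ["deploy", "file-publishing"] } },
};

// Constructed target-account roles, tagged as CDK bootstrap is assumed to tag them.
const deployRole = {
  arn: "arn:aws:iam::<target account>:role/cdk-hnb659fds-deploy-role-<redacted>-eu-central-1",
  tags: { "aws-cdk:bootstrap-role": "deploy" },
};
const filePublishingRole = {
  arn: "arn:aws:iam::<target account>:role/cdk-hnb659fds-file-publishing-role-<redacted>-eu-central-1",
  tags: { "aws-cdk:bootstrap-role": "file-publishing" },
};
```

With the current statement, `canAssume` returns true for the deploy role and false for the file-publishing role, which is exactly the AccessDenied seen in the CodeBuild log.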
Reproduction Steps
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import { Repository } from "aws-cdk-lib/aws-codecommit";
import {
  CodePipeline,
  CodePipelineSource,
  ConfirmPermissionsBroadening,
  ShellStep,
} from "aws-cdk-lib/pipelines";
import * as sqs from "aws-cdk-lib/aws-sqs";

export class ExampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const queue = new sqs.Queue(this, "ExampleQueue");
  }
}

class MyApplication extends cdk.Stage {
  constructor(scope: Construct, id: string, props?: cdk.StageProps) {
    super(scope, id, props);
    new ExampleStack(this, "ExampleStack");
  }
}

export class CdkCrossAccountConfirmPermissionBroadeningStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const repo = new Repository(this, "CodeCommitRepo", {
      repositoryName: "TestRepo",
    });
    const pipeline = new CodePipeline(this, "Pipeline", {
      pipelineName: "CodeArtifactNPMPipeline",
      crossAccountKeys: true,
      synth: new ShellStep("Synth", {
        input: CodePipelineSource.codeCommit(repo, "main"),
        commands: ["npm ci", "npm run build", "npx cdk synth"],
      }),
    });
    // Cross-account stage: the ConfirmPermissionsBroadening step must assume
    // roles in the target account to create the changeset it diffs.
    const stage = new MyApplication(this, "Prod", {
      env: { account: "<target account>", region: "eu-central-1" },
    });
    pipeline.addStage(stage, {
      pre: [new ConfirmPermissionsBroadening("Check", { stage })],
    });
  }
}
Possible Solution
Fix the CodeBuild role
Additional Information/Context
No response
CDK CLI Version
2.176.0
Framework Version
No response
Node.js Version
v23.4.0
OS
macOS
Language
TypeScript
Language Version
No response
Other information
No response