CDK --role-arn parameter and suppling permission boundaries

[dguisinger]

Hey guys, I've had a frustrating few days getting acquainted with CDK. The organization I am working for isn't sold on CDK and my experience is not going to help.

I ran into two issues:

1. cdk bootstrap --role-arn doesn't appear to do anything.
   When I use this parameter, the CDK attempts to use the role but says it can't assume it. Yet when I go to the same command prompt and type "aws sts assume-role" using the same ARN, I get a valid set of credentials back.

I worked around it by adding a role profile to my .aws/config file which assumes the role. Its a work around, and we use a script to get our AWS credentials using our Active Directory accounts which timeout every 30 minutes - and that script overwrites our .aws/config and .aws/credential files. As you can imagine, having to maintain a profile in the config file after it gets wiped out every 30 minutes is just not useful to us.

2. Our organization relies on Permission Boundaries on our IAM roles. We can't create new roles without them. CDK Bootstrap fails to deploy due to this.

I was able to work around it by using --show-template > template.yaml, manually editing all of the roles, and then running again with --template template.yaml....

But anytime we want to update our bootstrapped environment, we have to repeat this.

Is it just me or is this way too complicated? I can't sell my organization on using this if every time they go to use it they have to put in motion a whole series of kludges just to get it to run.....

[indrora]

Duplicate-ish of #19715 and #21937

There is a customer article on a process similar to yours that may be of interest: https://medium.com/@imageryan/bootstrapping-aws-cdk-in-a-secure-environment-9bc778ea6d94

[dguisinger]

I don't see anything in #19715 or #21937 that is related to permission boundaries.

This is a year-and-a-half old post and I still remember how frustrated I was trying to get it to work. As I mentioned, we had a high-touch workaround. The Medium article shows a similar to what we did.

Personally, closing this frustrates me... The whole point of CDK is to make things easier. Developers don't want to spend their time trying to figure out why a "blackbox" isn't working. Sure, its open source, but for most people using a tool, its still a black box. A developer's first experience with CDK is bootstrapping their environment, many of whom are completely new to CDK should not have to spend hours or days trying to figure out why CDK isn't able to perform its most basic function. I am not sure why there is resistance to adding something like "--permissions-boundary-policy={arn}" argument to bootstrap.

[blacktom96]

--permissions-boundary-policy={arn} it work for me
thank you