PLFM-8102: Use cdk role #1254
Conversation
- "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" | ||
- "arn:aws:iam::aws:policy/IAMFullAccess" | ||
- "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess" | ||
- "arn:aws:iam::449435941126:policy/cdk-assume-role-policy" |
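Review bot: the last entry hard-codes a customer-managed policy in account 449435941126, so ManagedPolicyArns will fail to resolve when this stack is deployed to any other account (a managed policy can only be attached within the account that owns it; only the `aws` namespace is shared). Reference the policy in the deploying account instead, e.g. `- !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy"`, and create that policy in every target account. Separately, the three AWS-managed `*FullAccess` policies above it remain very broad for a CI deploy role; if the intent is to delegate to the bootstrap-created roles, the role should need little beyond the assume-role policy.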
Not sure if this is going to cause an error when used in SynapseProd account (where this particular policy does not exist).
This is a cross-account policy reference; the policy only needs to exist in 449435941126. As long as all of our other accounts have been granted access to this policy, it should be fine.
First, I'm doubtful that this will work. Second, where is this policy created? Third, it's probably not a good practice to depend on a policy from a different account. I recommend not taking this approach; instead you should probably create this policy in every account you plan to deploy this stack to, then you can just set ManagedPolicyArns to arn:aws:iam::aws:policy/cdk-assume-role-policy.
This was a temporary test (i.e. not intended for prod use), but @zaro0508's right: the cdk-assume-role-policy should be created by the 'cdk bootstrap' command in every account. I think it should be referred to as 'arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy' since it's user-managed.
Note re: whether it works: I created an OIDC role manually in the dev account using the policy and was able to use it to update a stack from a GH workflow.
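The point of the thread is that a customer-managed policy ARN pinned to one account cannot be attached by a stack deployed into another account, and that the fix is to let CloudFormation resolve the account with `${AWS::AccountId}`. The following is an added pre-deploy check, not code from this PR or the Sage-Bionetworks project: it walks the `ManagedPolicyArns` of every `AWS::IAM::Role` in a CloudFormation template (JSON form, stdlib only), flags customer-managed ARNs that live in an account other than the target, and rewrites them to the `Fn::Sub` form. The template, the logical ID `GitHubDeployRole`, and the target account `123456789012` are constructed for the walkthrough; the policy ARNs are the ones from the hunk above.

```python
import copy
import json
import re

# Customer-managed (12-digit account), AWS-managed ("aws"), or parameterised account.
POLICY_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>aws|\d{12}|\$\{AWS::AccountId\})"
    r":policy/(?P<name>[\w+=,.@/-]+)$"
)

# Constructed template for the walkthrough (not the PR's file): the hunk's four ARNs
# attached to a hypothetical GitHub OIDC deploy role.
ROLE_HARDCODED = {
    "Resources": {
        "GitHubDeployRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
                    "arn:aws:iam::aws:policy/IAMFullAccess",
                    "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
                    "arn:aws:iam::449435941126:policy/cdk-assume-role-policy",
                ]
            },
        }
    }
}


def sub_to_string(entry):
    """Flatten a ManagedPolicyArns entry: plain string, or either Fn::Sub form."""
    if isinstance(entry, str):
        return entry
    if isinstance(entry, dict) and "Fn::Sub" in entry:
        body = entry["Fn::Sub"]
        return body if isinstance(body, str) else body[0]
    return None  # Ref / ImportValue etc. cannot be resolved statically here


def iter_role_policy_lists(template):
    """Yield (logical_id, ManagedPolicyArns list) for each IAM role; the list is live."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            yield logical_id, res.get("Properties", {}).get("ManagedPolicyArns", [])


def check_managed_policy_arns(template, target_account):
    """Return findings for ARNs that cannot attach when deployed into target_account.

    A managed policy attaches only inside the account that owns it, so the ARN must be
    AWS-managed, parameterised with ${AWS::AccountId}, or owned by the target account.
    """
    findings = []
    for logical_id, arns in iter_role_policy_lists(template):
        for entry in arns:
            arn = sub_to_string(entry)
            m = POLICY_ARN.match(arn) if arn else None
            if m is None:
                findings.append({"role": logical_id, "arn": entry,
                                 "problem": "could not resolve policy ARN statically"})
                continue
            account, name = m.group("account"), m.group("name")
            if account in ("aws", "${AWS::AccountId}") or account == target_account:
                continue
            findings.append({
                "role": logical_id,
                "arn": arn,
                "problem": f"customer-managed policy is owned by {account}, "
                           f"not by target account {target_account}",
                "fix": {"Fn::Sub": f"arn:aws:iam::${{AWS::AccountId}}:policy/{name}"},
            })
    return findings


def fix_template(template):
    """Deep-copy the template, rewriting every hard-coded customer-managed policy account
    to ${AWS::AccountId}; the policy must then exist in each account the stack targets."""
    fixed = copy.deepcopy(template)
    for _, arns in iter_role_policy_lists(fixed):
        for i, entry in enumerate(arns):
            arn = sub_to_string(entry)
            m = POLICY_ARN.match(arn) if arn else None
            if m and m.group("account") not in ("aws", "${AWS::AccountId}"):
                arns[i] = {"Fn::Sub": f"arn:aws:iam::${{AWS::AccountId}}:policy/{m.group('name')}"}
    return fixed


if __name__ == "__main__":
    for acct in ("449435941126", "123456789012"):
        for finding in check_managed_policy_arns(ROLE_HARDCODED, acct):
            print(acct, json.dumps(finding))
    print(json.dumps(fix_template(ROLE_HARDCODED), indent=2))
```

Run against the owning account the check is silent; against any other account it reports the `cdk-assume-role-policy` ARN and proposes the `Fn::Sub` replacement, which is exactly the form suggested in the comment above. The check does not know which names exist in the `aws` namespace, so an AWS-style ARN for a policy that is really user-managed would pass here and only fail at deploy time; that case is why the `${AWS::AccountId}` form is the safer default for anything not published by AWS.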
This PR switches from specifying the permissions to using a role created by cdk bootstrap that allows assuming a set of policies covering these permissions (also created by cdk bootstrap).