core: permissions boundary not being applied to custom resource role #30179
Labels
- @aws-cdk/core: Related to core CDK functionality
- bug: This issue is a bug.
- effort/medium: Medium work item – several days of effort
- p1
- response-requested: Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Describe the bug
I'm deploying a stack through CDK pipelines and have a permissions boundary configured within cdk.json. Every role is being configured app-wide with the permissions boundary apart from one which seems to be created by CDK itself for my AwsCustomResource.
Expected Behavior
I expect the permissions boundary to be applied to the CDK application app-wide and not miss any roles deployed by the CDK application.
Current Behavior
The CDK-created role is failing to add the permissions boundary to the application.
Reproduction Steps
CDK pipelines is being deployed using bootstrapped roles with a custom qualifier and where the permission boundary is required.
AwsCustomResource
The role in question not being provided the permission boundary:
AWSCDKCfnUtilsProviderCustomResourceProviderRoleFE0EE867
The cdk.json config
Possible Solution
No response
Additional Information/Context
I have tried adding the permission boundary to the stack itself, as well as to the custom resource itself, following the documentation here: https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_iam/README.html#permissions-boundaries
I have also tried creating a custom aspect to add it to the stack and the stage, but none of these worked either:
#3242 (comment)
CDK CLI Version
2.141.0
Framework Version
No response
Node.js Version
v22.1.0
OS
Sonoma 14.2.1
Language
Python
Language Version
3.12.3
Other information
No response
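A pre-deploy check that confirms which synthesized IAM roles are missing the boundary, added here as an example and not part of the issue report or the CDK project: it scans the CloudFormation templates that `cdk synth` writes to cdk.out, so the CDK-internal provider role named in the report shows up alongside any other role that slipped through. The sample template, the app role logical ID and the policy name `my-boundary` are constructed placeholders; the provider role ID is the one from the report.

```python
import json
from pathlib import Path
from typing import Optional

# Constructed sample of a synthesized template (cdk.out/<stack>.template.json).
# One role carries the boundary; the CDK-internal custom resource provider role does not.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyAppRole1A2B3C": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {},
        "PermissionsBoundary": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-boundary"}
      }
    },
    "AWSCDKCfnUtilsProviderCustomResourceProviderRoleFE0EE867": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {}}
    },
    "SomeBucketABC123": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def roles_missing_boundary(template: dict, expected_policy_name: Optional[str] = None) -> list:
    """Logical IDs of AWS::IAM::Role resources whose PermissionsBoundary is absent,
    or (when expected_policy_name is given) does not reference that policy name.
    The boundary is matched as text so Ref / Fn::Sub / Fn::Join forms are all covered."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        boundary = res.get("Properties", {}).get("PermissionsBoundary")
        if boundary is None:
            missing.append(logical_id)
        elif expected_policy_name and expected_policy_name not in json.dumps(boundary):
            missing.append(logical_id)
    return sorted(missing)


def check_cdk_out(cdk_out_dir: str = "cdk.out", expected_policy_name: Optional[str] = None) -> dict:
    """Scan every synthesized template under cdk.out; returns {template file: [offending role IDs]}.
    An empty dict means every role in the app carries the expected boundary."""
    report = {}
    for path in sorted(Path(cdk_out_dir).glob("*.template.json")):
        with path.open() as fh:
            missing = roles_missing_boundary(json.load(fh), expected_policy_name)
        if missing:
            report[path.name] = missing
    return report
```

Run `check_cdk_out("cdk.out", "my-boundary")` after `cdk synth` and fail the pipeline step if the result is non-empty; nested stage templates live in assembly subdirectories, so point it at each one.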