core: permissions boundary not being applied to custom resource role

[adamtimmins]

Describe the bug

I'm deploying a stack through CDK pipelines and have a permissions boundary configured within cdk.json. Every role is being configured app wide with the permissions boundary apart from one which seems to be created by CDK itself for my AwsCustomResource.

Expected Behavior

I expect the permissions boundary to be applied the CDK application app wide and not miss any roles deployed by the CDK application

Current Behavior

The CDK created role is failing to add the permissions boundary to the application.

Reproduction Steps

CDK pipelines is being deployed using bootstrapped roles with a custom qualifier and where the permission boundary is required.

synth_object = cdk.DefaultStackSynthesizer(
    qualifier=config["cdk_synth_qualifier"],
)

AwsCustomResource

response = AwsCustomResource(
    self,
    "describe-enis",
    on_update={
        "service": "EC2",
        "action": "describeNetworkInterfaces",
        "output_paths": output_paths,
        "parameters": {"NetworkInterfaceIds": eni_ids},
        "physical_resource_id": PhysicalResourceId.of(str(random.random())),
    },
    policy=AwsCustomResourcePolicy.from_statements(
        statements=[
            iam.PolicyStatement(
                effect=iam.Effect.ALLOW,
                actions=["ec2:DescribeNetworkInterfaces"],
                resources=["*"],
            ),
        ],
    ),
)

The role in question not being provided the permission boundary
AWSCDKCfnUtilsProviderCustomResourceProviderRoleFE0EE867

"AWSCDKCfnUtilsProviderCustomResourceProviderRoleFE0EE867": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "lambda.amazonaws.com"
       }
      }
     ]
    },
    "ManagedPolicyArns": [
     {
      "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
     }
    ]
   },

The cdk.json config

"@aws-cdk/core:permissionsBoundary": {
      "name": "cdk-permissions-boundary-policy"
    }

Possible Solution

No response

Additional Information/Context

I have tried adding the permission boundary to the stack itself, as well as the custom resource itself following the documentation here: https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_iam/README.html#permissions-boundaries

I have also tried creating a custom aspect to add the stack and the stage but none of these worked either:
#3242 (comment)

CDK CLI Version

2.141.0

Framework Version

No response

Node.js Version

v22.1.0

OS

Sonoma 14.2.1

Language

Python

Language Version

3.12.3

Other information

No response

[khushail]

Hi @adamtimmins , thanks for reaching out. It seems like what you are mentioning here is quite similar to the bug described here and this reasoning and further explanation might be helpful to understand why.

Please feel free to reach out if its not helpful or different than what you are implying.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[dliu864]

Hi,

Could we please have this bug fixed? Our organization is requiring that we have permission boundaries implemented on all Roles that we create and there is currently no way to add a boundary to AWSCDKCfnUtilsProviderCustomResourceProviderRoleFE0EE867 as mentioned above.

[khushail]

@adamtimmins , Could you please share the the complete repro code.

I also see there is a closed issue similar to the custom role mentioned above - #22972 and many more (#13310) and previous attempts have been made for such similar issues like this PR - #14754. However this still seems like an issue so I am marking this as P1 for the appropriate traction.