Describe the bug
Creating the file role currently looks like this, and the problem is that everyone in the account can assume this file role and write to that S3 bucket. If the deploy role is provided, we can use that instead.
```typescript
// Excerpt of the synthesizer's ensureFileRole(); the two imports are added for
// context and assume aws-cdk-lib v2 (the CDK version is not stated in the report).
import * as iam from 'aws-cdk-lib/aws-iam';
import { ArnFormat, Stack } from 'aws-cdk-lib';

  private ensureFileRole() {
    if (this.providedFileRole) {
      // Override: a caller-supplied file role is used as-is.
      this.fileRoleManifestArn = this.providedFileRole._arnForCloudAssembly();
      const cfnArn = this.providedFileRole._arnForCloudFormation();
      this.fileRole = cfnArn ? iam.Role.fromRoleArn(this, 'CdkFileRole', cfnArn) : undefined;
      return;
    }
    const roleName = this.fileRoleName;
    // Trust policy names the account root, so any principal in the account whose
    // identity policy grants sts:AssumeRole can assume this role.
    this.fileRole = new iam.Role(this, 'CdkFileRole', {
      roleName,
      assumedBy: new iam.AccountPrincipal(this.account),
    });
    this.fileRoleManifestArn = Stack.of(this).formatArn({
      partition: '${AWS::Partition}',
      region: '', // iam is global
      service: 'iam',
      resource: 'role',
      resourceName: roleName,
      arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
    });
  }
```
The workaround to this is to just supply your own file role in `this.providedFileRole`.
Expected Behavior
n/a
Current Behavior
n/a
Reproduction Steps
n/a
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
latest
Framework Version
No response
Node.js Version
Node 18
OS
Mac
Language
Typescript
Language Version
No response
Other information
No response
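The following is an added example, not code from the CDK project or from the issue author. It models the trust policy that `new iam.AccountPrincipal(account)` renders (account root as principal) next to one scoped to a single deploy role ARN (what `new iam.ArnPrincipal(deployRoleArn)` would render), and applies the same-account AssumeRole rule to a set of sample callers to show who can reach the file role in each case. The account ID, role names and caller list are constructed sample values; `canAssume` is a deliberately simplified evaluator (Allow statements only, no conditions, same-account semantics).

```typescript
// Added example (not the CDK project's code). Models the IAM trust policy the
// reported ensureFileRole() produces versus a deploy-role-scoped trust policy,
// and evaluates which sample callers can assume the file role under each.

interface TrustStatement {
  Effect: 'Allow' | 'Deny';
  Principal: { AWS: string };
  Action: string;
}

interface TrustPolicy {
  Version: '2012-10-17';
  Statement: TrustStatement[];
}

// A caller is an IAM principal; identityAllowsAssumeRole records whether the
// caller's own identity-based policy grants sts:AssumeRole on the file role.
// That is what matters when the trust policy delegates to the account root.
interface Caller {
  arn: string;
  identityAllowsAssumeRole: boolean;
}

const PARTITION = 'aws'; // assumption: commercial partition

function accountRootArn(account: string): string {
  return `arn:${PARTITION}:iam::${account}:root`;
}

function roleArn(account: string, roleName: string): string {
  return `arn:${PARTITION}:iam::${account}:role/${roleName}`;
}

function accountOf(arn: string): string {
  return arn.split(':')[4];
}

// What `assumedBy: new iam.AccountPrincipal(account)` renders to: the account root,
// i.e. delegation to every principal in the account with sts:AssumeRole permission.
function accountTrustPolicy(account: string): TrustPolicy {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: accountRootArn(account) }, Action: 'sts:AssumeRole' }],
  };
}

// The tighter alternative when the deploy role is known: trust exactly that role,
// which is what `assumedBy: new iam.ArnPrincipal(deployRoleArn)` renders to.
function deployRoleTrustPolicy(deployRoleArn: string): TrustPolicy {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: deployRoleArn }, Action: 'sts:AssumeRole' }],
  };
}

// Simplified same-account AssumeRole evaluation:
//  - a statement naming the caller's ARN explicitly is sufficient on its own;
//  - a statement naming the caller's account root only delegates, so the caller
//    additionally needs sts:AssumeRole in its identity-based policy;
//  - anything else (other account, Deny, other action) does not grant.
function canAssume(policy: TrustPolicy, caller: Caller): boolean {
  return policy.Statement.some((s) => {
    if (s.Effect !== 'Allow' || s.Action !== 'sts:AssumeRole') return false;
    const principal = s.Principal.AWS;
    if (principal === caller.arn) return true;
    if (principal === accountRootArn(accountOf(caller.arn))) return caller.identityAllowsAssumeRole;
    return false;
  });
}

// Returns the ARNs of the callers that can assume a role with the given trust policy.
function whoCanAssume(policy: TrustPolicy, callers: Caller[]): string[] {
  return callers.filter((c) => canAssume(policy, c)).map((c) => c.arn);
}

// Constructed sample data: one account, a deploy role, two other roles in the
// same account (one with broad sts:AssumeRole, one without), and an outsider.
const ACCOUNT = '123456789012';
const DEPLOY_ROLE_ARN = roleArn(ACCOUNT, 'cdk-deploy-role');
const SAMPLE_CALLERS: Caller[] = [
  { arn: DEPLOY_ROLE_ARN, identityAllowsAssumeRole: true },
  { arn: roleArn(ACCOUNT, 'Developer'), identityAllowsAssumeRole: true },
  { arn: roleArn(ACCOUNT, 'ReadOnly'), identityAllowsAssumeRole: false },
  { arn: roleArn('999999999999', 'Developer'), identityAllowsAssumeRole: true },
];

function assumersWithAccountTrust(): string[] {
  return whoCanAssume(accountTrustPolicy(ACCOUNT), SAMPLE_CALLERS);
}

function assumersWithDeployRoleTrust(): string[] {
  return whoCanAssume(deployRoleTrustPolicy(DEPLOY_ROLE_ARN), SAMPLE_CALLERS);
}

console.log('AccountPrincipal trust:', assumersWithAccountTrust());
console.log('Deploy-role trust:    ', assumersWithDeployRoleTrust());
```

Under the account-root trust policy, any same-account principal whose identity policy already allows `sts:AssumeRole` (a common grant for developer or admin roles) can take the file role and, with it, write to the asset bucket; under the deploy-role-scoped trust, only the deploy role can, regardless of what other identity policies in the account say. The same check would be the one to run against the rendered CloudFormation template after changing `assumedBy`.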