feat(cli): add sts:TagSession permission to trusted accounts on bootstrap (#762)

## Description

Accounts bootstrapped with `--trust` or `--trust-for-lookup` need
`sts:TagSession` permissions in AssumeRolePolicy.

I got errors during `cdk deploy` run in CD pipelines executed on EKS
cluster on the trusted account.

Error message:
Could not assume role in target account using current credentials (which
are for account `<TRUSTED_ACCOUT>`) User:
`arn:aws:sts::<TRUSTED_ACCOUT>:assumed-role/<eks-pod-role>` is not
authorized to perform: `sts:TagSession` on resource:
`arn:aws:iam::<TARGET_ACCOUNT>:role/cdk-hnb659fds-lookup-role-<TARGET_ACCOUNT>-us-east-1`

Troubleshooting revealed that DeploymentActionRole, FilePublishingRole,
ImagePublishingRole, LookupRole don't have `sts:TagSession`. After
updating AssumeRolePolicy `cdk deploy` worked normally.

Fixes aws/aws-cdk#31557

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Author: antonu17

packages/@aws-cdk/toolkit-lib/test/api/bootstrap/bootstrap2.test.ts

@@ -3,6 +3,8 @@
 import * as deployStack from '../../../lib/api/deployments/deploy-stack';
 import type { Stack } from '@aws-sdk/client-cloudformation';
 import { CreatePolicyCommand, GetPolicyCommand } from '@aws-sdk/client-iam';
+import { Match, Template } from 'aws-cdk-lib/assertions';
+
 import {
   mockBootstrapStack,
   mockIAMClient,
@@ -642,4 +644,93 @@ describe('Bootstrapping v2', () => {
       },
     );
   });
+
+  describe('contains sts:TagSession on trusted accounts', () => {
+    let template: Template;
+
+    const iamRoleName = (name: string) => {
+      return {
+        'Fn::Sub': `cdk-\${Qualifier}-${name}-\${AWS::AccountId}-\${AWS::Region}`,
+      };
+    };
+
+    const statementWithCondition = (conditionName: string) => {
+      return Match.objectLike({
+        'Fn::If': Match.arrayWith([
+          conditionName,
+          Match.objectLike({
+            Action: Match.arrayWith(['sts:AssumeRole', 'sts:TagSession']),
+          }),
+        ]),
+      });
+    };
+
+    beforeEach(async () => {
+      let rawTemplate: any;
+      mockDeployStack.mockImplementation((args: deployStack.DeployStackOptions) => {
+        rawTemplate = args.stack.template;
+        return Promise.resolve({
+          type: 'did-deploy-stack',
+          noOp: false,
+          outputs: {},
+          stackArn: 'arn:stack',
+        });
+      });
+      await bootstrapper.bootstrapEnvironment(env, sdk, {});
+      template = Template.fromJSON(rawTemplate);
+    });
+
+    test('in the FilePublishingRole', async () => {
+      template.hasResource('AWS::IAM::Role', {
+        Properties: {
+          RoleName: iamRoleName('file-publishing-role'),
+          AssumeRolePolicyDocument: {
+            Statement: Match.arrayWith([
+              statementWithCondition('HasTrustedAccounts'),
+            ]),
+          },
+        },
+      });
+    });
+
+    test('in the ImagePublishingRole', async () => {
+      template.hasResource('AWS::IAM::Role', {
+        Properties: {
+          RoleName: iamRoleName('image-publishing-role'),
+          AssumeRolePolicyDocument: {
+            Statement: Match.arrayWith([
+              statementWithCondition('HasTrustedAccounts'),
+            ]),
+          },
+        },
+      });
+    });
+
+    test('in the LookupRole', async () => {
+      template.hasResource('AWS::IAM::Role', {
+        Properties: {
+          RoleName: iamRoleName('lookup-role'),
+          AssumeRolePolicyDocument: {
+            Statement: Match.arrayWith([
+              statementWithCondition('HasTrustedAccountsForLookup'),
+              statementWithCondition('HasTrustedAccounts'),
+            ]),
+          },
+        },
+      });
+    });
+
+    test('in the DeploymentActionRole', async () => {
+      template.hasResource('AWS::IAM::Role', {
+        Properties: {
+          RoleName: iamRoleName('deploy-role'),
+          AssumeRolePolicyDocument: {
+            Statement: Match.arrayWith([
+              statementWithCondition('HasTrustedAccounts'),
+            ]),
+          },
+        },
+      });
+    });
+  });
 });

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -310,7 +310,9 @@ Resources:
                 Ref: AWS::AccountId
           - Fn::If:
               - HasTrustedAccounts
-              - Action: sts:AssumeRole
+              - Action:
+                  - sts:AssumeRole
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -340,7 +342,9 @@ Resources:
                 Ref: AWS::AccountId
           - Fn::If:
               - HasTrustedAccounts
-              - Action: sts:AssumeRole
+              - Action:
+                  - sts:AssumeRole
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -370,15 +374,19 @@ Resources:
                 Ref: AWS::AccountId
           - Fn::If:
               - HasTrustedAccountsForLookup
-              - Action: sts:AssumeRole
+              - Action:
+                  - sts:AssumeRole
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
                     Ref: TrustedAccountsForLookup
               - Ref: AWS::NoValue
           - Fn::If:
               - HasTrustedAccounts
-              - Action: sts:AssumeRole
+              - Action:
+                  - sts:AssumeRole
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS:
@@ -485,7 +493,9 @@ Resources:
                 Ref: AWS::AccountId
           - Fn::If:
               - HasTrustedAccounts
-              - Action: sts:AssumeRole
+              - Action:
+                  - sts:AssumeRole
+                  - sts:TagSession
                 Effect: Allow
                 Principal:
                   AWS: