question regarding bootstrapping with the modern bootstrap template

[minhio]

If i bootstrap with --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess, are there any benefits to limiting the IAM user (CI/CD pipeline process account) that will be executing cdk deploy to only be able to assume the CDK roles? or does it not matter since the user can deploy anything via cloudformation?

In other words, which is more secure or best practice

• IAM user with assume role permission that can only assume CDK roles
• IAM user with administrator access permission
• Doesn't matter because cfn-exec-role has administrator access

[peterwoodworth]

It's best to lock down permissions anywhere as much as possible. The scope in which the exec role is assumed might not be the same scope in which the user could potentially assume other roles.

Aside from the direct concern, tracking metrics or calls made by certain roles might be an alternate concern

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.