-
Hi all, is there a way to avoid the CloudFormation service AssumeRole action and deploy the cfn stack without a role, like when you deploy a cfn stack using the AWS CLI? Can I do this using CDK? Do I need to move to another technology? What can I do to resolve this? Regards!
Replies: 4 comments
-
I think what you are asking is not feasible. There is always some set of permissions that cfn operates under. If you deploy a cfn stack from the CLI and do not supply a role, it is still using a set of permissions (yours, or the ones associated with the programmatic credentials you are using for the CLI). So even there, there are permissions. And for long-term sustainable operations, you really want an officially agreed-upon role to be how cfn deploys. Chances are, you need to negotiate the permissions with security and have them or a related group create the right role for you. This is right from a security and operations perspective.
-
Also, whatever role or permissions cfn deploys under, it holds on to. You don't want to not control that. If, say, you have some kind of administrative permission set under your personal user at the CLI level, and that's how you deploy, those resources get deployed with that administrative set. Then if somebody else finds a way to modify the stack, they actually "inherit" or benefit from those permissions when they make CF alterations. So you can actually leak your permissions to others if you do not control this via a known role.
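The two replies above make the point in prose: CloudFormation always acts as some principal, and if that principal is the deploying engineer's own (often administrative) credentials, anyone who can update the stack benefits from them. As an added example, not code from this discussion, from AWS or from the CDK project, the script below provisions a dedicated CloudFormation service role with a trust policy limited to the CloudFormation service principal and a permission policy scoped to what one stack creates, refuses to create the role if that policy contains wildcard grants, and then passes the role explicitly on every deploy. The account id, role name, stack name, template name and the policy contents are assumptions standing in for what you would negotiate with your security team.

```shell
#!/bin/sh
# Added example (not from the discussion above): give CloudFormation its own
# narrowly scoped service role and pass it on every deploy, so the stack never
# "inherits" the deploying engineer's credentials.
# ACCOUNT_ID, ROLE_NAME, STACK_NAME and the policy contents are assumptions.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"      # placeholder account id
ROLE_NAME="${ROLE_NAME:-cfn-exec-orders-dev}" # assumed role name
STACK_NAME="${STACK_NAME:-orders-dev}"        # assumed stack name
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"

# Trust policy: only the CloudFormation service principal may assume the role,
# so a human or CI user cannot pick it up directly with sts:AssumeRole.
cfn_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy: only what this stack's template creates (assumed here:
# one S3 bucket and one log group). This document is what security signs off.
cfn_execution_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketPolicy",
                 "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                 "s3:PutEncryptionConfiguration", "s3:PutBucketPublicAccessBlock"],
      "Resource": "arn:aws:s3:::orders-dev-*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:DeleteLogGroup",
                 "logs:PutRetentionPolicy", "logs:TagLogGroup"],
      "Resource": "arn:aws:logs:*:${ACCOUNT_ID}:log-group:/orders-dev/*"
    }
  ]
}
EOF
}

# Guardrail for the "leaked admin" case: flag any bare "*" or "service:*"
# grant in a policy document read from stdin. Returns 0 when one is found.
policy_has_wildcard() {
  grep -Eq '"(\*|[a-zA-Z0-9-]+:\*)"'
}

# Wrapper around the AWS CLI; DRY_RUN=1 prints the command instead of calling AWS.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "aws $*"; else aws "$@"; fi
}

# Create the role with the scoped inline policy, refusing wildcard grants.
provision_role() {
  if cfn_execution_policy | policy_has_wildcard; then
    echo "refusing to create ${ROLE_NAME}: policy grants wildcard permissions" >&2
    return 1
  fi
  run iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(cfn_trust_policy)"
  run iam put-role-policy --role-name "$ROLE_NAME" --policy-name cfn-exec \
      --policy-document "$(cfn_execution_policy)"
}

# Deploy with --role-arn so CloudFormation, not the caller, is the principal
# for this and every later operation on the stack (CloudFormation keeps using
# the associated role when none is given on later updates).
deploy_stack() {
  run cloudformation deploy --stack-name "$STACK_NAME" \
      --template-file template.yaml --role-arn "$ROLE_ARN" \
      --capabilities CAPABILITY_NAMED_IAM
}

# Stand-alone use: `sh deploy.sh apply` (set DRY_RUN=1 to only print commands).
if [ "${1:-}" = "apply" ]; then
  provision_role
  deploy_stack
fi
```

The caller who runs `apply` needs only `iam:CreateRole`, `iam:PutRolePolicy` and `iam:PassRole` on this role plus the `cloudformation:*` actions for the stack; the S3 and CloudWatch Logs permissions live on the service role alone, which is the separation the replies above argue for. The same `--role-arn` flag works with `aws cloudformation create-stack`. With CDK the equivalent is to bootstrap with `cdk bootstrap --cloudformation-execution-policies <policy-arn>`, which replaces the default `AdministratorAccess` execution policy with the negotiated one; `cdk deploy` then uses that execution role for every stack synthesized against that bootstrap.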
-
Thank you very much, this can be very helpful in the negotiations with the security team. Regards!
-
Hello! Reopening this discussion to make it searchable. |