Security best practices for deploying multiple cdk apps into the same account with fine-grained permissions

[phcyso]

What is the current best practice for deploying multiple CDK v2 apps into the same account using CI?

Previously using v1 we created app-specific roles which our CI tool assumed and apps could be deployed with the exact required permissions.

But with the v2 it appears that it always wants to assume and use roles the bootstrap created ignoring the credentials available in the environment.

I know I can create a custom policy and pass that into the bootstrap command with --cloudformation-execution-policies however that policy will get applied to all CDK apps potentially granting permissions well outside the scope of that app.

The docs are not terribly clear on how to handle this situation.

There appears to be a couple of options like:

• Multiple bootstraps per account each with its own custom execution policy and yet another role to allow assuming the new boostrap roles.
• Using the CliCredentialsStackSynthesizer to use the permissions in the CLI environemnt, is this officially supported?, it's not listed in any AWS docs, other than the API reference.

None of these are as easy as the v1 situation of 'just make a role with minimum permissions per app and assume it before calling cdk deploy'

What is the best way to do this in a CDK v2 world?

[luk2302]

If you use it via const app = new App({ defaultStackSynthesizer: new CliCredentialsStackSynthesizer() }); and grant the current role the right permissions to write into the CDK asset bucket, create and manage CF stacks, etc. then it actually works quite quickly. We created a role with the following inline permission:

// Actual resources managed via CF
new PolicyStatement({
    actions: [
        'ses:CreateEmailTemplate',
        'ses:DeleteEmailTemplate',
        'ses:GetEmailTemplate',
        'ses:ListEmailTemplates',
        'ses:UpdateEmailTemplate',
    ],
    resources: ['*'],
}),
// Manage this and its nested stacks
new PolicyStatement({
    actions: ['cloudformation:*'],
    resources: [
        `arn:aws:cloudformation:*:*:stack/YourStackNameHere`,
        `arn:aws:cloudformation:*:*:stack/YourStackNameHere/*`,
    ],
}),
// Necessary permissions to get CDK to work
new PolicyStatement({
    actions: ['cloudformation:Describe*', 'ssm:GetParameter'],
    resources: ['*'],
}),
new PolicyStatement({
    actions: [
        's3:GetObject*',
        's3:GetBucket*',
        's3:GetEncryptionConfiguration',
        's3:List*',
        's3:DeleteObject*',
        's3:PutObject*',
        's3:Abort*',
    ],
    resources: ['arn:aws:s3:::cdk-*', 'arn:aws:s3:::cdk-*/*'],
}),

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.