
(cli): bootstrap should create role for cdk CLI to assume when doing cross account deploys #11848

Closed · 2 tasks
redbaron opened this issue Dec 3, 2020 · 2 comments
Labels: feature-request (A feature should be added or improved.) · needs-triage (This issue or PR still needs to be triaged.) · package/tools (Related to AWS CDK Tools or CLI)

Comments

redbaron (Contributor) commented Dec 3, 2020

Use Case

cdk CLI makes calls to a target account using either current credentials or credentials obtained from a plugin. Because a single CDK app can deploy to multiple accounts, current credentials won't work and it is required to assume a role in every target account. cdk-assume-role-credential-plugin helps to make assuming a role seamless, but there is currently no such role created by the bootstrap process, and separate out-of-band role creation is required.

Proposed Solution

Bootstrap process should create a new role in a target account, with enough permissions to do the following:

  • assume existing bootstrap roles for deploy, image upload and file upload
  • allow resource lookups in the target account

cdk-assume-role-credential-plugin can then be configured to use that role, making cross account deploys easier to implement.

Other

Existing roles for deploy, image assets and file assets allow establishing a trust relationship with the account where deploys should be running from, but it is not clear how exactly that cross-account trust should be used. CDK CLI assumes these roles at various stages, but prior to that it validates that the account it is running from matches the account we are deploying to, aborting execution if they don't. This makes bootstrap --trust half-complete.

If the proposed feature is implemented, there will be no cross-account sts:AssumeRole calls for these roles, only for the new one.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
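The two policy documents the proposal implies, written out as an added example (not code from the aws-cdk project or from the issue author): a trust policy on a new role in the target account that only the deploying account may assume, and a permissions policy that lets that role assume the three existing bootstrap roles plus perform read-only context lookups. The bootstrap role naming pattern `cdk-<qualifier>-<kind>-role-<account>-<region>` and the default qualifier `hnb659fds` are assumptions taken from CDK's modern bootstrap template; the lookup action list and the account IDs are constructed samples. A small checker flags the two configurations a reviewer would reject first: a trust policy open to any principal, and `sts:AssumeRole` on `*`.

```python
"""Policy documents for the proposed cross-account CLI role (added example).

Assumptions (not from the issue or the aws-cdk project):
  * bootstrap roles are named cdk-<qualifier>-<kind>-role-<account>-<region>
    with default qualifier "hnb659fds" (CDK modern bootstrap naming);
  * LOOKUP_ACTIONS is an illustrative read-only set, not CDK's real list.
"""
import json

BOOTSTRAP_ROLE_KINDS = ("deploy", "file-publishing", "image-publishing")

# Constructed sample of read-only actions a context lookup needs.
LOOKUP_ACTIONS = [
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones",
    "ssm:GetParameter", "route53:ListHostedZonesByName",
]


def bootstrap_role_arns(target_account, region, qualifier="hnb659fds"):
    """ARNs of the existing bootstrap roles the new role must be able to assume."""
    return [
        f"arn:aws:iam::{target_account}:role/cdk-{qualifier}-{kind}-role-{target_account}-{region}"
        for kind in BOOTSTRAP_ROLE_KINDS
    ]


def trust_policy(trusted_account, external_id=None):
    """Trust policy: only principals in the deploying account may assume the role.

    Trusting the account root delegates the decision of *which* identities may
    assume the role to IAM policies in the trusted account; pin a specific role
    ARN instead where the deploying principal is known. The optional ExternalId
    condition guards against the confused-deputy case.
    """
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def permissions_policy(target_account, region, qualifier="hnb659fds"):
    """Permissions: assume the three bootstrap roles by ARN, plus read-only lookups."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AssumeBootstrapRoles", "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": bootstrap_role_arns(target_account, region, qualifier)},
            {"Sid": "ContextLookups", "Effect": "Allow",
             "Action": LOOKUP_ACTIONS, "Resource": "*"},
        ],
    }


def least_privilege_findings(trust, perms):
    """Return a list of findings; an empty list means both documents pass."""
    findings = []
    for s in trust["Statement"]:
        principal = s.get("Principal")
        aws = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if principal == "*" or "*" in str(aws):
            findings.append("trust policy allows any principal")
    for s in perms["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if any(a == "*" or a.endswith("*") for a in actions):
            findings.append(f"{s.get('Sid')}: wildcard action")
        if "sts:AssumeRole" in actions and s["Resource"] == "*":
            findings.append(f"{s.get('Sid')}: AssumeRole on any role")
    return findings


if __name__ == "__main__":
    # Constructed sample accounts: 111111111111 runs the CLI, 222222222222 is the target.
    trust = trust_policy("111111111111", external_id="cdk-cross-account")
    perms = permissions_policy("222222222222", "eu-west-1")
    print(json.dumps({"trust": trust, "permissions": perms}, indent=2))
    print("findings:", least_privilege_findings(trust, perms))
```

Run the module directly to print both documents for a target account; the checker is deliberately narrow and is meant as a pre-deploy guard, not a replacement for IAM Access Analyzer.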

@redbaron redbaron added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 3, 2020
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Dec 3, 2020
@redbaron redbaron changed the title from "(cli): bootstrap should create role to run cdk CLI in cross account deploy" to "(cli): bootstrap should create role for cdk CLI to assume when doing cross account deploys" Dec 3, 2020
rix0rrr (Contributor) commented Dec 8, 2020

Duplicate of #11792, #8905, #9597

@rix0rrr rix0rrr closed this as completed Dec 8, 2020
github-actions bot commented Dec 8, 2020

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
