aws-cdk-lib: NestedStacks dont perform lookups on a cross-account setup

[IgnacioAcunaF]

Describe the bug

When setting a cross-account CDK project, if one of the Stacks being deployed on a target account (different than the deployment account) has a NestedStacks which needs to perform a lookup operation (for example, to create a VPC), then CDK is having credential issues, not being able of doing those lookups and interrupting the synth process.

This is because the NestedStack's synthesizer doesn't receive the lookupRoleArn from the parent stack synthesizer, so the NestedStack tries with local credentials (of the deployment account) instead of assuming a cross-account role (on the target account) as regular non-nested Stack would do.

A workaround for this is to manually define the required context on cdk.context.json so CDK doesn't try to fetch the information.

This is of special interest on CDK's projects being deployed by cdk-pipelines

Expected Behavior

An CDK's NestedStack should have the parent's lookupRoleArn so it can perform a succesful lookup and add the information to the context provider.

Current Behavior

When trying an cdk synth, the following error is being thrown:

[Error at /PipelineStack/App/AppStack/Nested-Stack] Need to perform AWS calls for account XXXXXXXX, but the current credentials are for YYYYYYYY

Where YYYYYYY is the deployment account (where the synth is being made) and XXXXXXXX is the target account.

Reproduction Steps

pipeline.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { PipelineStack } from '../lib/pipeline-stack';

const app = new cdk.App();
new PipelineStack(app, 'PipelineStack', {
  /* If you don't specify 'env', this stack will be environment-agnostic.
   * Account/Region-dependent features and context lookups will not work,
   * but a single synthesized template can be deployed anywhere. */

  /* Uncomment the next line to specialize this stack for the AWS Account
   * and Region that are implied by the current CLI configuration. */
  // env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },

  /* Uncomment the next line if you know exactly what Account and Region you
   * want to deploy the stack to. */
  env: { account: '123456789012', region: 'us-east-1' },

  /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
});

pipeline-stack.ts

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { CodePipeline, CodePipelineSource, ShellStep } from 'aws-cdk-lib/pipelines';

const env = { account: '1234567890', region: 'us-east-1' };

export class PipelineStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    
    const pipeline = new CodePipeline(this, 'Pipeline', {
      pipelineName: 'Pipeline',
      crossAccountKeys: true,
      synth: new ShellStep('Synth', {
        input: CodePipelineSource.gitHub('OWNER/REPO', 'main'),
        commands: ['npm ci', 'npm run build', 'npx cdk synth']
      })
    });
    
    pipeline.addStage(new AppStage(this, "App", {
      env: env
    }));
    
  }
}

export class AppStage extends cdk.Stage {
    constructor(scope: Construct, id: string, props?: cdk.StageProps) {
      super(scope, id, props);

      const lambdaStack = new AppStack(this, 'AppStack');
    }
}


export class AppStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    
    const nested = new NestedStack(this);
  }
}

class NestedStack extends cdk.NestedStack {
  constructor(scope: Construct) {
    super(scope, 'Nested-Stack');
    const vpc = new ec2.Vpc(this, 'VPC_nested', {
      ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
    })
  }
}

Possible Solution

Add the variable lookupRoleArn on the Synthesizers Interfaces and invoke the function synthesizeTemplate of class NestedStackSynthesizer accordingly

Additional Information/Context

No response

CDK CLI Version

2.79.1 (build 2e7f8b7)

Framework Version

No response

Node.js Version

v16.20.0

OS

Amazon Linux 2

Language

Typescript, Python

Language Version

No response

Other information

#21690

[peterwoodworth]

Thanks for the report and the PR! I'm closing this as a duplicate of #25171

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[IgnacioAcunaF]

@peterwoodworth sorry, didn't see that PR.
Thanks for noticing!