
My CI/CD pipeline authenticates with AWS via OIDC, and to perform CDK operations I need to assume a role with sufficient credentials.

I do not want this role to have the AdministratorAccess policy.

But I can't find any recommendation on whether AWS-predefined policies or custom policies should be used for CDK.

CDK creates a bunch of roles during initialization; maybe I only need to allow assuming them?

At the same time, I cannot create a policy to allow assuming all cdk-* roles, as wildcards are not supported in Principal. Can you please provide any recommendations?

Wile E.
  • It is VERY difficult to create restrictive policies, e.g. CDK might need to create a role for Lambda to run and ensuring *that* role has only very limited access is difficult to impossible. This is *especially* true for CDK (vs. bare CFN) due to the large amount of custom resources it relies on, and therefore the lambdas underneath. – luk2302 Jul 30 '23 at 10:28
  • For granting permission to assume the cdk roles, this [post](https://stackoverflow.com/questions/57118082/what-iam-permissions-are-needed-to-use-cdk-deploy) might help. – SwathiP Jul 30 '23 at 10:30
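A worked example of the least-privilege grant the question is asking about, added by the editor and not part of the question, the comments or the AWS CDK project. The wildcard limitation the asker hits applies to the Principal element of a trust policy; the CI role does not need one there. The bootstrap roles' trust policies are written by `cdk bootstrap` (they trust the bootstrapped account, and `--trust` adds further deployment accounts), so the CI role only needs an identity-based policy whose Resource element lists the bootstrap role ARNs, and the Resource element does accept `*` wildcards. The CDK v2 bootstrap role naming pattern `cdk-<qualifier>-<role>-<account>-<region>` and the default qualifier `hnb659fds` are real; the account id and region are constructed sample values. The cfn-exec-role is deliberately left out: it is passed to CloudFormation by the deploy-role, so the CI identity never assumes it. The small policy evaluator is an assumed, simplified model (Allow statements only, no Deny or Condition handling) used to show the policy's scope offline.

```python
"""Least-privilege sts:AssumeRole policy for an OIDC-federated CI/CD role
that runs `cdk deploy`. Added example, not from the question or the CDK
project. Account id and region below are constructed sample values."""
import json
import re

ACCOUNT_ID = "123456789012"      # constructed sample value
REGION = "us-east-1"             # constructed sample value
DEFAULT_QUALIFIER = "hnb659fds"  # CDK v2 bootstrap default qualifier

# Bootstrap roles the deploying identity assumes itself. cfn-exec-role is
# handed to CloudFormation by the deploy-role, so it is not in this list.
CI_ASSUMED_ROLES = (
    "deploy-role",
    "file-publishing-role",
    "image-publishing-role",
    "lookup-role",
)


def bootstrap_role_arn(account_id, region, role, qualifier=DEFAULT_QUALIFIER):
    """ARN of a CDK v2 bootstrap role: cdk-<qualifier>-<role>-<account>-<region>.
    Passing "*" as the region yields a Resource-element wildcard pattern that
    covers every region bootstrapped with the same qualifier."""
    return f"arn:aws:iam::{account_id}:role/cdk-{qualifier}-{role}-{account_id}-{region}"


def build_ci_assume_policy(account_id, region, qualifier=DEFAULT_QUALIFIER):
    """Identity-based policy for the CI role: sts:AssumeRole on exactly the
    four bootstrap roles the deployment needs, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeCdkBootstrapRoles",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": [
                    bootstrap_role_arn(account_id, region, role, qualifier)
                    for role in CI_ASSUMED_ROLES
                ],
            }
        ],
    }


def _as_list(value):
    # IAM lets Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def iam_pattern_to_regex(pattern):
    """Translate an IAM Action/Resource string ('*' = any run of characters,
    '?' = one character) into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def resource_allowed(policy, action, resource_arn):
    """Simplified evaluator (assumed model): True if any Allow statement covers
    the action (case-insensitive, as IAM matches actions) and the resource ARN
    (case-sensitive). No Deny or Condition handling; enough to inspect scope."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(
            re.match(iam_pattern_to_regex(a), action, re.IGNORECASE)
            for a in _as_list(stmt["Action"])
        )
        resource_ok = any(
            re.match(iam_pattern_to_regex(r), resource_arn)
            for r in _as_list(stmt["Resource"])
        )
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    # Print the policy document to attach to the CI role.
    print(json.dumps(build_ci_assume_policy(ACCOUNT_ID, REGION), indent=2))
```

Listing the four ARNs explicitly is the tightest form; `build_ci_assume_policy(ACCOUNT_ID, "*")` widens only the region segment for pipelines that deploy to several regions, while still excluding cfn-exec-role and every non-CDK role in the account.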

0 Answers