(cdk-diff): >=2.11.0 not authorized to perform: cloudformation:ListStackResources #19351

Closed
natevick opened this issue Mar 11, 2022 · 20 comments
Labels
@aws-cdk/core Related to core CDK functionality bug This issue is a bug. p2

Comments

@natevick

natevick commented Mar 11, 2022

General Issue

cdk-[QUALIFIER]-deploy-role-[ACCOUNT]-[REGION]/aws-cdk-node is not authorized to perform: cloudformation:ListStackResources

The Question

Prior to 2.11.0 running diff just worked without errors or abnormal output. Starting at 2.11.0 and all the way through 2.15.0 I get cdk-[QUALIFIER]-deploy-role-[ACCOUNT]-[REGION]/aws-cdk-node is not authorized to perform: cloudformation:ListStackResources.

The bootstrap version is 10.
There is a lookup role in IAM.
The trusted account and trusted lookup account is the primary/only account involved in the project.
The project was started at 2.1.0.

I'm not sure what to ask at this point, but I'm currently stuck at 2.10.0.

CDK CLI Version

2.11.0

Framework Version

No response

Node.js Version

16.13.1

OS

Debian Bullseye 11.1

Language

Typescript

Language Version

4.5.2

Other information

I did note this merged PR but I believe that came into CDK at 2.7.0.

@natevick natevick added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Mar 11, 2022
@groner

groner commented Mar 11, 2022

I'm also seeing this error with cdk diff (I didn't try deploy) starting in 2.10.0. The cdk bootstrap version here is also 10.

@peterwoodworth
Contributor

Wonder if it was this PR?

@peterwoodworth peterwoodworth added bug This issue is a bug. needs-reproduction This issue needs reproduction. and removed guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Mar 11, 2022
@comcalvi
Contributor

comcalvi commented Mar 11, 2022

Thanks for the issue @nvick @groner, could you provide a reproduction stack? Do you have issues with just diff, or is it both diff and deploy?

@comcalvi comcalvi self-assigned this Mar 11, 2022
@natevick
Author

I'll see if I can put something together that is reproducible this evening. Thanks @comcalvi

@natevick
Author

import { Stack, StackProps } from 'aws-cdk-lib'
import { Construct } from 'constructs'
import * as ec2 from 'aws-cdk-lib/aws-ec2'
import * as eks from 'aws-cdk-lib/aws-eks'

export class CdkStackDiffIssuesStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const cluster = new eks.Cluster(this, 'staging-eks', {
      clusterName: 'staging',
      version: eks.KubernetesVersion.V1_21,
      defaultCapacity: 0,
      albController: {
        version: eks.AlbControllerVersion.V2_3_0
      }
    })

    cluster.addNodegroupCapacity('staging-node-group', {
      instanceTypes: [new ec2.InstanceType('t3.large')],
      minSize: 1,
      maxSize: 10
    })
  }
}

If I run cdk diff with the above stack on version 2.10.0, there are no errors, but if I run it with 2.11.0-2.16.0, I get the error.

@natevick
Author

natevick commented Mar 16, 2022

I just verified with my reproduction stack it is only diff.

@natevick
Author

@comcalvi I also pushed this to a repo with a devcontainer configuration. https://github.com/nvick/cdk-stack-diff-issues

@NGL321 NGL321 added p1 in-progress This issue is being actively worked on. labels Apr 7, 2022
@comcalvi
Contributor

comcalvi commented Apr 8, 2022

@nvick I'm unable to reproduce this error on CDK version 2.20.0, 2.10.0, or 2.11.0. I've run cdk diff against the stack undeployed and after deploying it, with a minor change. I have not been able to reproduce any errors. I haven't been able to reproduce it from the repo you linked either. Can you share specific instructions to reproduce the error?

@comcalvi comcalvi removed the in-progress This issue is being actively worked on. label Apr 8, 2022
@natevick
Author

Sure @comcalvi!

  • Fork above repo
  • Start Codespace
  • Run aws configure
  • Run npm install
  • Run cdk diff note full diff output
  • Run npm install -g aws-cdk@2.11.0
  • Run cdk diff note error
  • Run npm install -g aws-cdk
  • Run cdk diff not error

@comcalvi
Contributor

Thanks @nvick this reproduces the error. I'll be investigating this issue to determine root cause later.

@comcalvi comcalvi added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Apr 19, 2022
@comcalvi
Contributor

@nvick The source of the error is the version of aws-cdk-lib in your package.json. In here:

  "devDependencies": {
    // ...
    "aws-cdk": "^2.11.0",
    // ...
  },
  "dependencies": {
    "aws-cdk-lib": "2.3.0",
     // ...
  }

if you change 2.3.0 to 2.11.0 and run npm install, then the error no longer occurs. I'm leaving this issue open so we can fix the error message, but that should unblock you.

@comcalvi comcalvi removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Apr 19, 2022
@comcalvi comcalvi added the in-progress This issue is being actively worked on. label Apr 19, 2022
@natevick
Author

Thanks @comcalvi! I'll try it and let you know if I run into anything else. Thanks for taking the time.

@comcalvi
Contributor

Any version pair that satisfies this condition:

    "aws-cdk" >= "2.11.0"
    "aws-cdk-lib" <= "2.6.0"

causes the bug. It's because #18207 (introduced in 2.11.0) depends on #18277 (introduced in 2.7.0). The consequence is that aws-cdk >= 2.11.0 depends on aws-cdk-lib >= 2.7.0.
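
Added example (not part of the thread and not CDK project code): a check for the version pair named in the comment above, run against the aws-cdk and aws-cdk-lib specs in a package.json. The names parseSpec, cmp and checkCdkPair are made up for this example, and it assumes the CLI is taken from the project's dependencies rather than a global install.

```javascript
// Added example, not CDK project code. Checks package.json specs against the
// condition quoted in the thread: aws-cdk >= 2.11.0 with aws-cdk-lib <= 2.6.0.

// Parse a simple spec such as "2.3.0", "^2.11.0", "~2.5.1" or ">=2.7.0".
// Assumption: one comparator per spec; anything else yields null (unknown).
function parseSpec(spec) {
  const m = /^\s*(\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)\s*$/.exec(String(spec));
  if (!m) return null;
  // "floor" is the lowest version the spec allows; "pinned" means exactly that version.
  return { floor: [m[2], m[3], m[4]].map(Number), pinned: !m[1] || m[1] === '=' };
}

// Sort-style comparison of two [major, minor, patch] arrays.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'mismatch', 'possible', 'ok' or 'unknown'.
function checkCdkPair(pkg) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const cli = parseSpec(deps['aws-cdk']);
  const lib = parseSpec(deps['aws-cdk-lib']);
  if (!cli || !lib) return 'unknown';

  const libOld = cmp(lib.floor, [2, 6, 0]) <= 0;   // library may be 2.6.0 or older
  const cliNew = cmp(cli.floor, [2, 11, 0]) >= 0;  // CLI is certainly 2.11.0 or newer
  if (!libOld) return 'ok';                        // library can only resolve above 2.6.0
  if (!cliNew && cli.pinned) return 'ok';          // CLI pinned below 2.11.0
  // Definite only when the library is pinned old and the CLI floor is new;
  // a range on either side depends on what npm actually resolved.
  return lib.pinned && cliNew ? 'mismatch' : 'possible';
}

// The excerpt from the thread, with the elided entries left out.
const fromThread = {
  devDependencies: { 'aws-cdk': '^2.11.0' },
  dependencies: { 'aws-cdk-lib': '2.3.0' },
};
console.log(checkCdkPair(fromThread));
```

A 'possible' result means a range is involved, so the installed versions in the lockfile decide.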

@comcalvi comcalvi added p2 and removed p1 in-progress This issue is being actively worked on. labels Jun 15, 2022
@comcalvi comcalvi removed their assignment Jun 20, 2022
@toduythienluong

> I'm also seeing this error with cdk diff (I didn't try deploy) starting in 2.10.0. The cdk bootstrap version here is also 10.

I also got this with cdk diff. How do I fix it?

@ricardosllm

I also had this issue, fixed in the interim by adding the policy to the role explicitly, in this case AWSCloudFormationReadOnlyAccess

@toduythienluong

> I also had this issue, fixed in the interim by adding the policy to the role explicitly, in this case AWSCloudFormationReadOnlyAccess

Thanks, that fixes it.

@aarondodd

Same, CDK v2 doesn't let me do cdk diff until I add AWSCloudFormationReadOnlyAccess to the role. Deploy has been working fine, though.

@setu4993
Contributor

+1, hitting the same issue with the latest versions of CDK.

@jhkcia

jhkcia commented Feb 3, 2023

I also have this problem with the latest version of aws-cdk

@khushail khushail added the @aws-cdk/core Related to core CDK functionality label Jun 5, 2024
@khushail khushail changed the title diff: >=2.11.0 not authorized to perform: cloudformation:ListStackResources (cdk-diff): >=2.11.0 not authorized to perform: cloudformation:ListStackResources Jun 5, 2024
@mrgrain
Contributor

mrgrain commented Nov 1, 2024

This has long been resolved in recent versions of CDK. Make sure you update to a recent version for all bugfixes. Also ensure you are using the latest bootstrap version. Closing this here. If anyone is still encountering the issue with up-to-date versions, please open a new issue.

@mrgrain mrgrain closed this as completed Nov 1, 2024
@aws aws locked as resolved and limited conversation to collaborators Nov 1, 2024