
aws-iam: Unable to use sts:AssumeRoleWithWebIdentity to assume a role #31128

Closed
RichardoC opened this issue Aug 16, 2024 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@RichardoC

### Describe the bug

Due to

```ts
public readonly assumeRoleAction: string = 'sts:AssumeRole';
```

the principal used will always be able to use the `sts:AssumeRole` action, even if the desired behaviour is only to allow `sts:AssumeRoleWithWebIdentity`.

This matters when using OIDC to assume a role over on AWS, as you should only be able to do `sts:AssumeRoleWithWebIdentity`.

### Regression Issue

- [ ] Select this option if this issue appears to be a regression.

### Last Known Working CDK Version

_No response_

### Expected Behavior

Users would be able to set which `assumeRoleAction` they want to use, as documented in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html#:~:text=Description-,assumeroleaction,-string

### Current Behavior

`assumeRoleAction` is always `sts:AssumeRole`

### Reproduction Steps

Create a role

```ts
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class GithubOidcStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const githubActionsRole = new cdk.aws_iam.Role(this, "GithubActionsRole", {
      roleName: "GithubActionsRole", // Must be static to make cross account auth easier
      assumedBy: new cdk.aws_iam.PrincipalWithConditions(
        new cdk.aws_iam.FederatedPrincipal(
          `arn:aws:iam::${this.account}:oidc-provider/token.actions.githubusercontent.com`
        ),
        // It's important that this role is locked down to only our github orgs, as otherwise anyone on github could use permissions on our AWS infrastructure.
        {
          StringEquals: {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          },
          StringLike: {
            "token.actions.githubusercontent.com:sub": "repo:example-organisation/*", // This currently allows all repos in the example-organisation github org to assume this role.
          },
        }
      ),
    });
  }
}
```

Then look at the AWS console, and see that the assumeRoleAction is "sts:AssumeRole" rather than the required "sts:AssumeRoleWithWebIdentity" and there's no current way to set this.

### Possible Solution

_No response_

### Additional Information/Context

_No response_

### CDK CLI Version

2.147.3 (build 32f0fdb)

### Framework Version

_No response_

### Node.js Version

20.16.0

### OS

macOS 14.3 (23D56)

### Language

TypeScript

### Language Version

_No response_

### Other information

_No response_
@RichardoC RichardoC added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 16, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 16, 2024
@RichardoC (Author)

Not needed; instead use the following, specifically `WebIdentityPrincipal`:

```ts
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class GithubOidcStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const githubActionsRole = new cdk.aws_iam.Role(this, "GithubActionsRole", {
      roleName: "GithubActionsRole", // Must be static to make cross account auth easier
      assumedBy: new cdk.aws_iam.PrincipalWithConditions(
        new cdk.aws_iam.WebIdentityPrincipal(
          `arn:aws:iam::${this.account}:oidc-provider/token.actions.githubusercontent.com`
        ),
        // It's important that this role is locked down to only our github orgs, as otherwise anyone on github could use permissions on our AWS infrastructure.
        {
          StringEquals: {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          },
          StringLike: {
            "token.actions.githubusercontent.com:sub": "repo:example-organisation/*", // This currently allows all repos in the example-organisation github org to assume this role.
          },
        }
      ),
    });
  }
}
```
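The following is an added example, not code from aws-cdk or from the issue author, covering both the bug report above (a `FederatedPrincipal` whose trust statement carries the default `sts:AssumeRole`) and the fix (`WebIdentityPrincipal`, which emits `sts:AssumeRoleWithWebIdentity`). It builds the two trust-policy documents as plain JSON and runs a small defensive audit over them: an OIDC (`Federated`) trust statement should grant only the web-identity action, pin the `aud` claim and scope the `sub` claim. The JSON rendering is an assumption that approximates what CDK synthesises, the account id in the provider ARN is a placeholder, and the audit rules are this example's own, not an AWS or CDK check. `FederatedPrincipal` also accepts an `assumeRoleAction` as its third constructor argument; `WebIdentityPrincipal` sets it for you.

```typescript
// Added example (not aws-cdk or issue-author code). Renders a GitHub OIDC trust policy
// the way a CDK Role would (assumed/approximated rendering) and audits it for the
// problem in this issue: a Federated principal granted "sts:AssumeRole" instead of
// "sts:AssumeRoleWithWebIdentity".

type Conditions = Partial<Record<string, Record<string, string | string[]>>>;

interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: { Federated?: string; AWS?: string; Service?: string };
  Action: string | string[];
  Condition?: Conditions;
}

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

// Constructed provider ARN; the account id is a placeholder, not a real account.
const GITHUB_OIDC_PROVIDER =
  "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com";

// Trust policy for a Federated principal with the given action. With "sts:AssumeRole"
// this is what the issue reports for FederatedPrincipal's default; with
// "sts:AssumeRoleWithWebIdentity" it is what WebIdentityPrincipal produces.
function federatedTrustPolicy(providerArn: string, action: string, conditions: Conditions): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Principal: { Federated: providerArn }, Action: action, Condition: conditions },
    ],
  };
}

// Same conditions as the issue's snippet: pin the audience, restrict the subject to one org.
const githubConditions: Conditions = {
  StringEquals: { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
  StringLike: { "token.actions.githubusercontent.com:sub": "repo:example-organisation/*" },
};

const buggyPolicy = federatedTrustPolicy(GITHUB_OIDC_PROVIDER, "sts:AssumeRole", githubConditions);
const fixedPolicy = federatedTrustPolicy(GITHUB_OIDC_PROVIDER, "sts:AssumeRoleWithWebIdentity", githubConditions);

// Defensive audit of every Allow statement that trusts an OIDC (Federated) principal.
// Returns human-readable findings; an empty array means the statement passed.
function auditTrustPolicy(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((stmt, i) => {
    const provider = stmt.Principal.Federated;
    if (!provider || stmt.Effect !== "Allow") return;

    // 1. The only action an OIDC provider should be granted is the web-identity one.
    const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    for (const a of actions) {
      if (a !== "sts:AssumeRoleWithWebIdentity") {
        findings.push(`statement ${i}: Federated principal granted ${a}; expected sts:AssumeRoleWithWebIdentity`);
      }
    }

    // Condition keys are prefixed with the provider host, e.g. token.actions.githubusercontent.com
    const host = provider.split("/").slice(1).join("/");
    const cond: Conditions = stmt.Condition ?? {};

    // 2. The audience must be pinned, otherwise tokens minted for other audiences are accepted.
    const aud: string | string[] | undefined = cond.StringEquals?.[`${host}:aud`];
    if (aud === undefined) findings.push(`statement ${i}: no ${host}:aud condition; audience is not pinned`);

    // 3. The subject must be scoped; "*" or "repo:*" would admit any repository on the provider.
    const sub: string | string[] | undefined =
      cond.StringEquals?.[`${host}:sub`] ?? cond.StringLike?.[`${host}:sub`];
    const subs = sub === undefined ? [] : Array.isArray(sub) ? sub : [sub];
    if (subs.length === 0) {
      findings.push(`statement ${i}: no ${host}:sub condition; any identity from the provider could assume the role`);
    }
    for (const s of subs) {
      if (s === "*" || /^repo:\*/.test(s)) {
        findings.push(`statement ${i}: ${host}:sub pattern "${s}" does not restrict the organisation`);
      }
    }
  });
  return findings;
}

// Stand-alone run: show the audit result for both policies.
console.log("FederatedPrincipal default:", auditTrustPolicy(buggyPolicy));
console.log("WebIdentityPrincipal:", auditTrustPolicy(fixedPolicy));
```

The audit is the kind of check worth running over synthesised CloudFormation templates (the `AssumeRolePolicyDocument` of every `AWS::IAM::Role`) in CI, so that a role that trusts an OIDC provider cannot reach production with the wrong action or an unscoped `sub` condition.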


Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2024