Describe the bug
In our CI we have a readonly role with access to the lookup role, but not the deploy role for non-protected branches.
In version 2.133.0 running diff works - in 2.134.0 we get a crash.
For now we fixed it by pinning the previous version.
Expected Behavior
Diffing with a role which can assume the lookup role works.
Current Behavior
Diffing with a role which cannot assume deploy fails.
current credentials could not be used to assume '<deploy role>' but are for the right account. Proceeding anyway.
User: <ci_role> is not authorized to perform: cloudformation:DescribeStacks on <stack> because no identity-based policy allows the cloudformation:DescribeStacks action
Not clear what's happening here - I guess after failing to assume the deploy role, the current role is the ci role which attempted to assume deploy, and then DescribeStacks is called.
Reproduction Steps
I don't think I can easily provide this, since you would need to set up the same roles, stacks, etc. This does work with a higher privilege role, which indicates it's to do with the role assumption.
- Bootstrapped CDK
- CDK setup (we use Go, but it seems very clearly to be a permission issue).
- Run cdk diff --all --ci
Possible Solution
Ensure that the lookup role is still used after trying to assume the deploy role and failing.
Additional Information/Context
No response
CDK CLI Version
v2.134.0
Framework Version
No response
Node.js Version
20
OS
Darwin
Language
Go
Language Version
1.22
Other information
No response
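As an added illustration of the credential-selection order the Possible Solution asks for (not code from the CDK CLI), here is the fallback modelled in Go with a stand-in for sts:AssumeRole. The role ARNs and the ciRoleAssume behaviour are constructed to mirror the setup described in the issue: the CI role may assume the lookup role but is denied the deploy role.

```go
package main

import (
	"errors"
	"fmt"
)

// Placeholder role ARNs; the real bootstrap role names are not on the page.
const (
	deployRoleArn = "arn:aws:iam::123456789012:role/<deploy role>"
	lookupRoleArn = "arn:aws:iam::123456789012:role/<lookup role>"
)

// AssumeFunc stands in for sts:AssumeRole: it returns an identity for the
// assumed role, or an error when the caller is not allowed to assume it.
type AssumeFunc func(roleArn string) (string, error)

// SelectCredentials returns the identity that should make the
// cloudformation:DescribeStacks calls during `cdk diff`: the deploy role if
// it can be assumed, otherwise the lookup role, and the base credentials only
// when neither works. Dropping to base credentials right after the deploy
// role fails (skipping lookup) is the behaviour the issue reports.
func SelectCredentials(base string, assume AssumeFunc) (identity string, warnings []string) {
	candidates := []struct{ name, arn string }{{"deploy", deployRoleArn}, {"lookup", lookupRoleArn}}
	for _, c := range candidates {
		id, err := assume(c.arn)
		if err == nil {
			return id, warnings
		}
		warnings = append(warnings, fmt.Sprintf("could not assume %s role: %v; trying next", c.name, err))
	}
	warnings = append(warnings, "no bootstrap role assumable; proceeding with base credentials")
	return base, warnings
}

// ciRoleAssume simulates the reporter's CI role (constructed, not real STS):
// it may assume the lookup role but is denied the deploy role.
func ciRoleAssume(roleArn string) (string, error) {
	if roleArn == lookupRoleArn {
		return "assumed:" + lookupRoleArn, nil
	}
	return "", errors.New("AccessDenied: not authorized to perform sts:AssumeRole on " + roleArn)
}

func main() {
	id, warnings := SelectCredentials("arn:aws:iam::123456789012:role/<ci_role>", ciRoleAssume)
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
	fmt.Println("DescribeStacks will be called as:", id)
}
```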