CDK diff fails due to GetBucketLocation call

[dloez]

I am trying to limit the amount of permissions for a user to run CDK. Reading this fabulous doc page I understand the unique permissions that a user needs to run CDK is to be able to assume the cdk- roles created during the cdk bootstrap. So I created a new user and placed this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<account-id>:role/cdk-*"
            ]
        }
    ]
}

When running cdk diff with the user with the above policy I get the error [100%] fail: Bucket named 'cdk-*-assets-*-*' exists, but not in account <account-id>. Wrong account?. Using cloudtrail and running cdk diff -v I found that the issue happens in the GetBucketLocation request and allowing the user to do s3:GetBucketLocation seems to fix the issue (a new one appears but I guess it is also due to missing permissions).

I did not find this issue earlier as the user I was using during testing has a more permissive set of permissions and I guess I could workaround this issue by adding the missing permissions but, if I understand correctly, with the policy I attached to the user it should be enough as the bootstrapped roles do already have the s3:GetBucket* action. What am I missing? Is this worth to open an issue? I did not want to open an issue until I am certainly that I understand how CDK interacts with the bootstrapped roles and with the identity running the CDK command.

Reading this similar issue I have verified that the CDK bootstrapped roles have the correct policies and are pointing to the correct bucket.

[thecodingtree]

I am seeing the same issue in circleCI, any updates on this?

[madsquist]

I also see this suddenly happening... I used to be able to synth and deploy my stack until January 2024. Now, suddenly I run into this issue. Did something change in the meantime?

[dloez]

Nothing new, the workaround is just to add the missing permissions. I will open an issue as I can see that I am not the only one who has faced this issue.

[mwebber]

Please see issue #29936 and PR #30568