How to use External ID when deploying cross-stack using CDK Pipeline? #29713
thematheusgomes
started this conversation in
General
Replies: 1 comment
-
I had a similar problem with the pipeline defined using CloudFormation. It executes a DEPLOY step to perform a cross-account execution of a change set. I can specify only the RoleArn but not the external ID.
-
I've been attempting to configure the external ID on my target account in order to deploy changes across accounts using my CI/CD account. Despite configuring the DefaultStackSynthesizer manually in the CDK pipeline code, I consistently receive the error 'Access Denied' during the CloudFormation prepare and deploy step.
I believe that CDK Bootstrap should support the configuration of the external ID. To work around this, I needed to create a script to bootstrap and then modify the trust relationship policy to include the external ID.
As I understand it, since the CDK pipeline uses the CloudFormation action pointing to the roleArn arn:aws:iam::111111111111:role/cdk-hnb659fds-cfn-exec-role-111111111111-us-east-1, it's not possible to pass the external ID in this step. The only solution I can see is to create a pipeline without using this high-level constructor to call the CDK deploy command manually in the CodeBuild step. Then, CDK should use the DefaultStackSynthesizer configuration (that has the external ID configuration) to pass the external ID when deploying the stack.
However, CDK should ideally support this functionality using their own pipeline constructor. If anyone has encountered a similar situation or has any ideas on how to solve this, please let me know.
Thanks.
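The workaround described in the original post (bootstrap, then edit the role's trust relationship to require the external ID), sketched as an added example that is not code from the post or from CDK. The CI/CD account ID 222222222222, the external ID value and all function names are assumptions; the sample policy is constructed.

```python
import copy
import json

# Constructed sample trust policy for a role in the target account.
# 222222222222 (CI/CD account) and the external ID are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "cloudformation.amazonaws.com"}},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def _is_aws_principal_assume(stmt):
    principal = stmt.get("Principal")
    return (stmt.get("Effect") == "Allow"
            and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
            and isinstance(principal, dict) and "AWS" in principal)


def require_external_id(policy, external_id):
    """Return a copy of `policy` whose AWS-principal AssumeRole statements
    also require the given sts:ExternalId."""
    patched = copy.deepcopy(policy)
    patched["Statement"] = _as_list(patched["Statement"])
    for stmt in patched["Statement"]:
        if not _is_aws_principal_assume(stmt):
            continue  # leave service-principal statements untouched
        if len(stmt["Principal"]) > 1:
            raise ValueError("split mixed AWS/Service principals into separate statements")
        stmt.setdefault("Condition", {}).setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return patched


def principals_without_external_id(policy):
    """AWS principals that can still assume the role with no external ID."""
    missing = []
    for stmt in _as_list(policy["Statement"]):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _is_aws_principal_assume(stmt) and "sts:ExternalId" not in cond:
            missing.extend(_as_list(stmt["Principal"]["AWS"]))
    return missing


if __name__ == "__main__":
    print(json.dumps(require_external_id(SAMPLE_TRUST_POLICY, "EXAMPLE-EXTERNAL-ID"), indent=2))
```

The printed JSON is the document you would apply with `aws iam update-assume-role-policy`. Once the condition is in place, any caller that cannot send the external ID is denied, which is the situation the post reports for the pipeline's CloudFormation action.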