cdk cli: removing trust, needs --untrust flag and a clarification that this is safe #22703

Closed
microblag opened this issue Oct 30, 2022 · 7 comments · Fixed by #33091
Assignees
Labels
bug This issue is a bug. documentation This is a problem with documentation. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI

Comments

@microblag

Describe the issue

I've had a look through the docs, and asked in the discussion section #22067 but unfortunately didn't get an answer. I'm trying to find out how to remove a trust relationship from one account to another and if it's safe to do this with existing stacks that were using that trust relationship.

I assume editing the parameter in the cloudformation template for the bootstrap would remove the trust relationship but as this is a very manual type of thing to do I'm concerned what the implications might be.

Some documentation of either how to do this (if it's safe/possible) and the ramifications of doing so. Or alternatively, some documentation on this not being possible/safe as a caveat to the --trust docs so that users can be aware this is a non-reversible action.

Links

https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

@microblag microblag added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Oct 30, 2022
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Oct 30, 2022
@peterwoodworth
Contributor

Thanks for reporting this @microblag, this is an interesting problem.

As far as I can tell, there's no officially supported method to remove a trust relationship from a bootstrap stack. You can normally adjust the trust relationship by redeploying with cdk bootstrap --trust ... and adjusting the accounts you're deploying to, however there's not a clear way to redeploy without any trust because you need to pass in a value when you call the trust option. Since --trust asks for an array, we can pass in a comma as the trust value to indicate an empty array. So, running cdk bootstrap --trust , will eliminate the trust statements from your policies.

We should provide a cleaner option to remove the trust option, and also document this option so that users don't have to pass in a comma. Thanks again for reporting this!

@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 1, 2022
@rix0rrr
Contributor

rix0rrr commented Jan 5, 2023

So, running cdk bootstrap --trust , will eliminate the trust statements from your policies.

Are you sure that is true, and did you test this? Because that doesn't sound like an API I would design 😬.

--trust only impacts the AssumeRole policy of the roles in the bootstrap stack, so will prevent future AssumeRoles. It is safe to change the values in the CloudFormation console.

@rix0rrr
Contributor

rix0rrr commented Jan 5, 2023

A cdk bootstrap --untrust operation might be helpful to assure people that this is safe to do.

@rix0rrr rix0rrr added feature-request A feature should be added or improved. p2 and removed p1 labels Jan 5, 2023
@rix0rrr rix0rrr removed their assignment Jan 5, 2023
@rix0rrr rix0rrr changed the title cdk cli: no documentation on removing cross account trust cdk cli: removing trust, needs --untrust flag and a clarification that this is safe Jan 5, 2023
@peterwoodworth
Contributor

did you test this?

@rix0rrr I did test this! Though I think that's more a general CLI quirk than something that was intentionally designed for this project?

@HBobertz
Contributor

HBobertz commented Nov 4, 2024

I'm inferring that rico wanted me to verify if cdk bootstrap --trust , actually works and I can confirm that it seems like it does

❯ cdk bootstrap --trust , --cloudformation-execution-policies arn:aws:iam::aws:policy/<policy_name>
current credentials could not be used to assume 'arn:aws:iam::<act_id>:role/cdk-<random_prefix>-lookup-role-<act_id>-us-east-2', but are for the right account. Proceeding anyway.
current credentials could not be used to assume 'arn:aws:iam:<act_id>:role/cdk-<random_prefix>-lookup-role-<act_id>-us-east-2', but are for the right account. Proceeding anyway.
 ⏳  Bootstrapping environment aws://<act_id>/us-east-2...
Trusted accounts for deployment: ,
Trusted accounts for lookup: (none)
Execution policies: arn:aws:iam::aws:policy/<policy_name>
CDKToolkit: creating CloudFormation changeset...
 ✅  Environment aws://<act_id>/us-east-2 bootstrapped.

And it did in fact create the stack so yeah, that works. We probably should still do --untrust though

@otaviomacedo otaviomacedo self-assigned this Jan 8, 2025
@jiayiwang7 jiayiwang7 added p1 bug This issue is a bug. and removed p2 labels Jan 8, 2025
@mergify mergify bot closed this as completed in #33091 Jan 23, 2025
@mergify mergify bot closed this as completed in 4713bdd Jan 23, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 23, 2025
moelasmar pushed a commit that referenced this issue Jan 24, 2025
Add a new option, `--untrust`, to the `bootstrap` command. Passing a list of account IDs as values to this option removes those account IDs from the trust relationships in the bootstrap roles.

Closes #22703.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 4713bdd)
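As an added example (not code from the CDK project or from anyone in this thread), the script below models what the `cdk bootstrap --trust ,` workaround discussed above and the `--untrust` option in the fix actually change: the AssumeRole (trust) policy on the bootstrap roles, which is what rix0rrr points to. The sample policy document, its account IDs and the role name are constructed placeholders shaped like the root principals the bootstrap template grants to `--trust` accounts; the only real command referenced is `aws iam get-role`, which returns the live document to audit.

```python
"""Audit and rewrite the trust policy of a CDK bootstrap role.

Added example for this issue; not CDK code. It models the effect of
`cdk bootstrap --trust ...` / `--untrust ...` on the role trust policy.
The sample policy is constructed (placeholder account IDs). To audit a real
environment, fetch the document with
    aws iam get-role --role-name <bootstrap role name>
and pass `Role.AssumeRolePolicyDocument` to the functions below.
"""
from __future__ import annotations

import copy
import json
import re

# Root principal of an account, the form `--trust` grants.
ROOT_PRINCIPAL = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):root$")

# Constructed sample: own account 111111111111 plus two `--trust` accounts.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111111111111:root",
                "arn:aws:iam::222222222222:root",
                "arn:aws:iam::333333333333:root",
            ]},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _aws_principals(statement: dict) -> list[str]:
    """AWS principals of a statement as a list (IAM allows a bare string)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []  # "*" or a non-account principal: not an account trust
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _account_of(arn: str) -> str | None:
    """Account ID if the ARN is an account root principal, else None."""
    m = ROOT_PRINCIPAL.match(arn)
    return m.group(1) if m else None


def trusted_accounts(policy: dict) -> set[str]:
    """Account IDs whose principals may call sts:AssumeRole on the role."""
    accounts: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        for arn in _aws_principals(stmt):
            account = _account_of(arn)
            if account:
                accounts.add(account)
    return accounts


def cross_account_trust(policy: dict, own_account: str) -> set[str]:
    """Trusted accounts other than the role's own: what `--trust` added."""
    return trusted_accounts(policy) - {own_account}


def untrust(policy: dict, accounts: list[str]) -> dict:
    """Copy of the policy with the given accounts' root principals removed.

    Mirrors the described `--untrust` semantics: only the listed accounts are
    dropped, other principals stay. An account that is not trusted is a no-op.
    A statement left with no principals is removed, since IAM rejects an
    empty principal list.
    """
    drop = set(accounts)
    result = copy.deepcopy(policy)
    kept = []
    for stmt in result.get("Statement", []):
        principals = _aws_principals(stmt)
        if not principals:
            kept.append(stmt)
            continue
        remaining = [a for a in principals if _account_of(a) not in drop]
        if not remaining:
            continue
        if len(remaining) != len(principals):
            stmt["Principal"]["AWS"] = remaining
        kept.append(stmt)
    result["Statement"] = kept
    return result


if __name__ == "__main__":
    own = "111111111111"
    print("cross-account trust:", sorted(cross_account_trust(SAMPLE_TRUST_POLICY, own)))
    after = untrust(SAMPLE_TRUST_POLICY, ["222222222222"])
    print("after --untrust 222222222222:", sorted(cross_account_trust(after, own)))
    # Dropping every cross-account principal is what `--trust ,` achieves.
    cleared = untrust(SAMPLE_TRUST_POLICY, sorted(cross_account_trust(SAMPLE_TRUST_POLICY, own)))
    print("after clearing all trust:", sorted(cross_account_trust(cleared, own)))
    print(json.dumps(cleared, indent=2))
```

Run it against the live document after a `--trust ,`, `--untrust` or console edit and confirm `cross_account_trust` comes back empty for the deploy and lookup roles. One general IAM caveat behind "will prevent future AssumeRoles": a trust-policy change only blocks new sts:AssumeRole calls; temporary credentials already issued from the role remain valid until they expire unless sessions are also revoked.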
6 participants