Describe the feature
When using the AwsCustomResource construct, it's possible to pass in a role to be assumed while making the SDK call in order to support cross-account use cases. When assuming a role, STS also supports passing in an externalId as a confused deputy control. See these docs for more context. The AwsCustomResource construct should accept and use an optional external ID when assuming roles.
Use Case
Assuming a role in another account which requires an external ID.
Proposed Solution
I raised a PR to implement the change which I think is straightforward. I couldn't get the integ tests to pass after a couple hours of trying though, so I'm going to move on: https://github.com/aws/aws-cdk/pull/13916/files
Other Information
No response
Acknowledgements
CDK version used
2.187
Environment details (OS name and version, etc.)
n/a
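The external ID control this request refers to, as an added example that is not part of the original issue or the CDK code base: a simplified model of how a trust policy with an `sts:ExternalId` condition gates `sts:AssumeRole`. The account IDs, role names, external ID value and the `trustPolicyAllows` helper are constructed for illustration, and the evaluator is not AWS's policy engine.

```typescript
// Simplified model of a role trust policy check for sts:AssumeRole.
// All ARNs and the external ID are constructed sample values.
interface AssumeRoleRequest {
  callerArn: string;        // principal making the call, e.g. the handler's role
  RoleArn: string;
  RoleSessionName: string;
  ExternalId?: string;      // optional parameter of sts:AssumeRole
}

interface TrustStatement {
  Effect: "Allow";
  Principal: { AWS: string };
  Action: "sts:AssumeRole";
  Condition?: { StringEquals?: { "sts:ExternalId"?: string } };
}

// Trust policy attached to the role in the target account (constructed).
const trustPolicy: { Version: string; Statement: TrustStatement[] } = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111122223333:role/CustomResourceHandlerRole" },
    Action: "sts:AssumeRole",
    Condition: { StringEquals: { "sts:ExternalId": "example-external-id" } },
  }],
};

// True only if a statement matches the caller and, when that statement has an
// sts:ExternalId condition, the request carries the same value. A request
// without ExternalId never satisfies StringEquals.
function trustPolicyAllows(policy: typeof trustPolicy, req: AssumeRoleRequest): boolean {
  return policy.Statement.some((s) => {
    if (s.Principal.AWS !== req.callerArn) return false;
    const required = s.Condition?.StringEquals?.["sts:ExternalId"];
    return required === undefined || req.ExternalId === required;
  });
}

// What a handler can send today (no ExternalId) versus with the requested option.
const base: AssumeRoleRequest = {
  callerArn: "arn:aws:iam::111122223333:role/CustomResourceHandlerRole",
  RoleArn: "arn:aws:iam::444455556666:role/CrossAccountTargetRole",
  RoleSessionName: "aws-custom-resource",
};
console.log("without ExternalId:", trustPolicyAllows(trustPolicy, base));
console.log("wrong ExternalId:", trustPolicyAllows(trustPolicy, { ...base, ExternalId: "wrong-id" }));
console.log("matching ExternalId:", trustPolicyAllows(trustPolicy, { ...base, ExternalId: "example-external-id" }));
```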