Is there a standard, official way of referencing the AWS CDK bootstrap qualifier or bootstrap resources like the assets bucket?

[bericp1]

I'm using CDK itself to create fine-grained IAM policies for an execution role that will be used in CI and passed to the CDK CLI via the -r parameter. I'm creating this role in a different CDK stack using the same bootstrap in the same AWS account.

The issue I'm running into is that I need to allow this execution role access to certain resources that are part of the CDK-bootstrapped resources.

The majority of the interaction with the CDK-bootstrapped resources is done via the CDK CLI assuming various roles created by the bootstrap stack which works fine, however some CDK resources need to be accessed for certain operations by the cloudformation execution role that I'm passing to the cli via the -r flag.

For example according to athena+cloudtrail, it needs to be able to get the CDK bootstrap version parameter (for what, I'm not sure, presumably because it's referenced in the metadata of the cloud-formation template?):

And when building lambda functions and updating their code, even though a different role is used to actually update the code, the execution role still appears to need to decrypt in the context of the asset (presumably to be able to provide an asset as a lambda function's code? it doesn't seem to need GetObject though for it):

Right now to get around this I'm doing this at the top-level of my stack and passing it down but it's not entirely clear to me if this will work if we switch to using a custom qualifier?

import { Stack, StackProps, DefaultStackSynthesizer } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class ITStack extends Stack {
  constructor(scope: Construct, props?: StackProps) {
    const qualifier = props?.synthesizer?.bootstrapQualifier || DefaultStackSynthesizer.DEFAULT_QUALIFIER;
    // ...
  }
}

I fallback to DEFAULT_QUALIFIER because rather surprisingly without it, either synthesizer or bootstrapQualifier is undefined (hence my hesitancy to trust that this would even work if someone were to provide a custom --qualifier).

If I straight up try to use ${Qualifier} as a template variable in the resource of an IAM policy, I get:

Digging into the interfaces a bit, I noticed that even if I narrow the type of props.synthesizer to DefaultStackSynthesizer, that the calculated bucket name containing the qualifier etc are all private:

Any way to reference the qualifier or resources like the bootstrap assets bucket dynamically?

[bericp1]

Edit: never mind, 180 again, this doesn't work :( it just leaves the literal ${Qualifier} in the ARN:

---

🤦🏻

This was my mistake. Using literally ${Qualifier} does work. I just didn't structure a resource ARN as an ARN, hence the error shown above. So referencing these static constants on the DefaultStackSynthesizer, e.g.:

DefaultStackSynthesizer.DEFAULT_FILE_ASSETS_BUCKET_NAME
DefaultStackSynthesizer.DEFAULT_BOOTSTRAP_STACK_VERSION_SSM_PARAMETER
etc.

Works, you just need to make sure to structure them as an ARN when referencing them in contexts that require ARNs.

[james-spears]

I would also like to know if this is possible

[gossandr]

I, too, would like to know if this is possible. Mostly to get the name of the bootstrap-created artifacts bucket so that I can put this in a policy

[openmarmot]

edit - this returns none, so i'm getting the default option. not sure if this would work with a custom qualifier or not

I had to get the qualifier to assemble a ecr repo. It feels like there is a better way to do this but it seems to have worked..
(python)
cdk_qualifier = self.node.try_get_context('aws:cdk:qualifier') or 'hnb659fds'
ecr_repo_name = f'cdk-{cdk_qualifier}-container-assets-{account}-{region}'
ecr_repo_arn = Fn.sub('arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/'+ecr_repo_name)

ref : https://docs.aws.amazon.com/cdk/v2/guide/get_context_var.html