MDAA CDK deployment currently does not properly validate cross-account IAM Role ARNs used for cross-account permissions and integrations.
During deployment, the validation logic assumes the role exists within the current AWS account and attempts to validate it directly using account-scoped role lookup/validation mechanisms. This causes deployment failures when a valid cross-account IAM Role ARN is provided.
In cross-account architectures, the role may legitimately exist in a different AWS account and should still be accepted as long as:
- The ARN format is valid
- Trust relationship is configured correctly
- Required permissions are granted
Current Behavior
- Deployment fails when a cross-account role ARN is provided
- Validation logic attempts to resolve or verify the role in the local account
- Cross-account IAM role usage is blocked even when AWS trust policies are correctly configured
Error:
Resource handler returned message: "The role with name fleet-manager-ecs-task-role cannot be found. (Service: Iam, Status Code: 404, Request ID: 800922f9-aab6-495e-8f7f-bf2fd6d97c6a) (SDK Attempt Count: 1)" (RequestToken: bbe44215-e78b-f4d7-d89a-4e02e585ef98, HandlerErrorCode: NotFound)
Expected Behavior
MDAA should:
- Allow valid cross-account IAM Role ARNs
- Validate ARN format (or optionally skip existence validation)
- Support cross-account trust-based integrations without local account role resolution failures
Example
Valid cross-account role ARN:
arn:aws:iam::123456789012:role/fleet-manager-ecs-task-role
Current validation incorrectly assumes the role must exist in the deployment account.
Impact
- Prevents legitimate cross-account deployments
- Blocks multi-account AWS architecture patterns
Suggested Fix
- Update ARN validation logic to support cross-account IAM roles
- Optionally add a flag/configuration to bypass strict local validation for cross-account integrations
MDAA CDK deployment currently does not properly validate cross-account IAM Role ARNs used for cross-account permissions and integrations.
During deployment, the validation logic assumes the role exists within the current AWS account and attempts to validate it directly using account-scoped role lookup/validation mechanisms. This causes deployment failures when a valid cross-account IAM Role ARN is provided.
In cross-account architectures, the role may legitimately exist in a different AWS account and should still be accepted as long as:
Current Behavior
Error:
Resource handler returned message: "The role with name fleet-manager-ecs-task-role cannot be found. (Service: Iam, Status Code: 404, Request ID: 800922f9-aab6-495e-8f7f-bf2fd6d97c6a) (SDK Attempt Count: 1)" (RequestToken: bbe44215-e78b-f4d7-d89a-4e02e585ef98, HandlerErrorCode: NotFound)
Expected Behavior
MDAA should:
Example
Valid cross-account role ARN:
Current validation incorrectly assumes the role must exist in the deployment account.
Impact
Suggested Fix