I believe there is an issue when using the --role-...
# sst
e
I believe there is an issue when using the --role-arn (unrelated to my other threads @Frank @thdxr). I had the following error at some point when deploying in another environment (XXX is my account #):
```
AccessDenied: User: arn:aws:sts::XXX:assumed-role/cdk-hnb659fds-deploy-role-XXX-us-west-2/aws-cdk-erik is not authorized to perform: iam:PassRole on resource: arn:aws:iam::XXX:role/DWAM-STAGING-SST-CloudFormation-Role because no identity-based policy allows the iam:PassRole action
```
I then manually added the passRole to the SST created cdk-hnb659fds-deploy-role-XXX-us-west-2 and things worked. I believe SST should be adding that permission automatically when creating that role.
d
For sst deployments, are there any new IAM cdk assume role changes needed? My ‘cdk-deploy-*’ role doesn’t have the ability to Cloudformation:Describe