mid work

packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts

@@ -463,7 +463,7 @@ export class DefaultStackSynthesizer extends StackSynthesizer implements IReusab
    * Synthesize the stack template to the given session, passing the configured lookup role ARN
    */
   protected synthesizeStackTemplate(stack: Stack, session: ISynthesisSession) {
-    stack._synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleAdditionalOptions);
+    stack._synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleExternalId, this.props.lookupRoleAdditionalOptions);
   }
 
   /**
@@ -490,7 +490,8 @@ export class DefaultStackSynthesizer extends StackSynthesizer implements IReusab
       this.addBootstrapVersionRule(this._requiredBootstrapVersionForDeployment, this.bootstrapStackVersionSsmParameter!);
     }
 
-    const templateAssetSource = this.synthesizeTemplate(session, this.lookupRoleArn, this.props.lookupRoleAdditionalOptions);
+    const templateAssetSource = this.synthesizeTemplate(session, this.lookupRoleArn,
+      this.props.lookupRoleExternalId, this.props.lookupRoleAdditionalOptions);
     const templateAsset = this.addFileAsset(templateAssetSource);
 
     const assetManifestId = this.assetManifest.emitManifest(this.boundStack, session, {

packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts

@@ -107,9 +107,11 @@ export abstract class StackSynthesizer implements IStackSynthesizer {
    * the credentials will be the same identity that is doing the `UpdateStack`
    * call, which may not have the right permissions to write to S3.
    */
-  protected synthesizeTemplate(session: ISynthesisSession, lookupRoleArn?: string,
+  protected synthesizeTemplate(session: ISynthesisSession,
+    lookupRoleArn?: string,
+    lookupRoleExternalId?: string,
     lookupRoleAdditionalOptions?: { [key: string]: any }): FileAssetSource {
-    this.boundStack._synthesizeTemplate(session, lookupRoleArn, lookupRoleAdditionalOptions);
+    this.boundStack._synthesizeTemplate(session, lookupRoleArn, lookupRoleExternalId, lookupRoleAdditionalOptions);
     return stackTemplateFileAsset(this.boundStack, session);
   }
 

packages/aws-cdk-lib/core/lib/stack.ts

@@ -1061,7 +1061,10 @@ export class Stack extends Construct implements ITaggable {
    * Synthesizes the cloudformation template into a cloud assembly.
    * @internal
    */
-  public _synthesizeTemplate(session: ISynthesisSession, lookupRoleArn?: string, lookupRoleAdditionalOptions?: { [key: string]: any }): void {
+  public _synthesizeTemplate(session: ISynthesisSession,
+    lookupRoleArn?: string,
+    lookupRoleExternalId?: string,
+    lookupRoleAdditionalOptions?: { [key: string]: any }): void {
     // In principle, stack synthesis is delegated to the
     // StackSynthesis object.
     //
@@ -1104,7 +1107,17 @@ export class Stack extends Construct implements ITaggable {
     fs.writeFileSync(outPath, templateData);
 
     for (const ctx of this._missingContext) {
-      builder.addMissing({ ...ctx, props: { ...ctx.props, lookupRoleArn, lookupRoleAdditionalOptions } });
+
+      // 'account' and 'region' are added to the schema at tree instantiation time.
+      // these options however are only known at synthesis, so are added here.
+      // see https://github.com/aws/aws-cdk/blob/v2.158.0/packages/aws-cdk-lib/core/lib/context-provider.ts#L71
+      const queryLookupOptions: Omit<cxschema.ContextLookupRoleOptions, 'account' | 'region'> = {
+        lookupRoleArn,
+        lookupRoleExternalId,
+        assumeRoleAdditionalOptions: lookupRoleAdditionalOptions,
+      };
+
+      builder.addMissing({ ...ctx, props: { ...ctx.props, ...queryLookupOptions } });
     }
   }
 

packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts

@@ -368,7 +368,7 @@ export class SdkProvider {
     externalId: string | undefined,
     additionalOptions: AssumeRoleAdditionalOptions | undefined,
     region: string | undefined) {
-    debug(`Assuming role '${roleArn}' with additional options: ${JSON.stringify(additionalOptions ?? {}, null, 2)}.`);
+    debug(`Assuming role '${roleArn}'.`);
 
     region = region ?? this.defaultRegion;
     const creds = new AWS.ChainableTemporaryCredentials({