AWS CDK execution role policy recommendation


My CI/CD pipeline authenticates with AWS via OIDC, and to perform CDK operations I need to assume a role with sufficient credentials.

I do not want this role to have the AdministratorAccess policy.

But I can't find any recommendation regarding which AWS-predefined or custom policies should be used for CDK.

CDK creates a bunch of roles during initialization; maybe I only need to allow assuming them?

At the same time, I cannot create a policy that allows assuming all cdk-* roles, as wildcards are not supported in Principal. Can you please provide any recommendations?


There are 0 answers
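An added example, not part of the original question: wildcards are rejected in a trust policy's `Principal`, but they are accepted in the `Resource` of an identity policy, so the role the pipeline assumes via OIDC can be limited to `sts:AssumeRole` on the bootstrap roles. It assumes a default `cdk bootstrap` (qualifier `hnb659fds`, roles trusting principals in their own account); the account ID, role ARNs and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "111122223333"  # placeholder account id (assumption)
QUALIFIER = "hnb659fds"      # default bootstrap qualifier; change if you set your own


def pipeline_policy(account_id=ACCOUNT_ID, qualifier=QUALIFIER):
    """Identity policy for the OIDC-assumed CI role, used instead of AdministratorAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeCdkBootstrapRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            # The wildcard goes in Resource (identity side), not in Principal.
            "Resource": f"arn:aws:iam::{account_id}:role/cdk-{qualifier}-*",
        }],
    }


def allows_assume(policy, role_arn):
    """Simplified local check: Allow statements only, no Deny or Condition handling."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in actions:
            if any(fnmatchcase(role_arn, pattern) for pattern in resources):
                return True
    return False


# Constructed sample ARNs following the default bootstrap naming scheme.
DEPLOY = f"arn:aws:iam::{ACCOUNT_ID}:role/cdk-{QUALIFIER}-deploy-role-{ACCOUNT_ID}-eu-west-1"
PUBLISH = f"arn:aws:iam::{ACCOUNT_ID}:role/cdk-{QUALIFIER}-file-publishing-role-{ACCOUNT_ID}-eu-west-1"
UNRELATED = f"arn:aws:iam::{ACCOUNT_ID}:role/OrganizationAdmin"
OTHER_ACCOUNT = f"arn:aws:iam::444455556666:role/cdk-{QUALIFIER}-deploy-role-444455556666-eu-west-1"

if __name__ == "__main__":
    policy = pipeline_policy()
    print(json.dumps(policy, indent=2))
    for arn in (DEPLOY, PUBLISH, UNRELATED, OTHER_ACCOUNT):
        print(allows_assume(policy, arn), arn)
```

The pattern also matches the `cfn-exec-role`, which CloudFormation assumes rather than the pipeline; what a deployment can actually change is bounded by the policy attached to that role at bootstrap time.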