From 4e715b830b7790cab1f4c01361a7c5a72851a297 Mon Sep 17 00:00:00 2001
From: Rico Hermans <rix0rrr@gmail.com>
Date: Fri, 1 Nov 2024 11:43:15 +0100
Subject: [PATCH] refactor: gate access to environment SDK behind new class
 (#31904)

Previously there were methods on the `Deployments` class that made it possible to directly get an SDK from the `SdkProvider` for a particular environment. Calling these methods made it possible to get an SDK without thinking of assuming roles to go into a different account.

This PR introduces a new class, `EnvironmentAccess`, with a couple of public methods that are the only ones allowed to obtain SDKs with credentials. It has the methods:

- accessStackForStackOperations(stack)
- accessStackForLookup(stack)
- accessStackForReading(stack)

These will always respect the role information on the stack.

Ideally there would have been similar methods for assets as well, but the `cdk-assets` library is entirely handling asset roles itself, and it's not in the scope of this PR to change that. That keeps on using a plain `SdkProvider`. Hotswap deployments will also just use CLI credentials and not assume role, so that also keeps on using an `SdkProvider`.

All other uses have moved to `EnvironmentAccess`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/api/bootstrap/bootstrap-props.ts      |   3 +-
 packages/aws-cdk/lib/api/deploy-stack.ts      |  22 +-
 packages/aws-cdk/lib/api/deployments.ts       | 354 ++++--------------
 .../aws-cdk/lib/api/environment-access.ts     | 272 ++++++++++++++
 .../lib/api/logs/find-cloudwatch-logs.ts      |   9 +-
 .../aws-cdk/lib/api/util/cloudformation.ts    |  12 +-
 packages/aws-cdk/lib/api/util/placeholders.ts |   8 +-
 packages/aws-cdk/lib/util/type-brands.ts      |  44 +++
 .../api/cloudformation-deployments.test.ts    |  31 ++
 packages/aws-cdk/test/cdk-toolkit.test.ts     |  18 +-
 packages/aws-cdk/test/version.test.ts         |   5 +
 11 files changed, 473 insertions(+), 305 deletions(-)
 create mode 100644 packages/aws-cdk/lib/api/environment-access.ts
 create mode 100644 packages/aws-cdk/lib/util/type-brands.ts

diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-props.ts b/packages/aws-cdk/lib/api/bootstrap/bootstrap-props.ts
index 47ce8e2a78532..3f01a6ebbbe42 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-props.ts
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-props.ts
@@ -1,4 +1,5 @@
 import { Tag } from '../../cdk-toolkit';
+import { StringWithoutPlaceholders } from '../util/placeholders';
 
 export const BUCKET_NAME_OUTPUT = 'BucketName';
 export const REPOSITORY_NAME_OUTPUT = 'ImageRepositoryName';
@@ -17,7 +18,7 @@ export const DEFAULT_BOOTSTRAP_VARIANT = 'AWS CDK: Default Resources';
  */
 export interface BootstrapEnvironmentOptions {
   readonly toolkitStackName?: string;
-  readonly roleArn?: string;
+  readonly roleArn?: StringWithoutPlaceholders;
   readonly parameters?: BootstrappingParameters;
   readonly force?: boolean;
 
diff --git a/packages/aws-cdk/lib/api/deploy-stack.ts b/packages/aws-cdk/lib/api/deploy-stack.ts
index 16da0447b81f5..fff70866b617c 100644
--- a/packages/aws-cdk/lib/api/deploy-stack.ts
+++ b/packages/aws-cdk/lib/api/deploy-stack.ts
@@ -19,6 +19,7 @@ import { TemplateBodyParameter, makeBodyParameter } from './util/template-body-p
 import { AssetManifestBuilder } from '../util/asset-manifest-builder';
 import { determineAllowCrossAccountAssetPublishing } from './util/checks';
 import { publishAssets } from '../util/asset-publishing';
+import { StringWithoutPlaceholders } from './util/placeholders';
 
 export interface DeployStackResult {
   readonly noOp: boolean;
@@ -51,14 +52,13 @@ export interface DeployStackOptions {
   /**
    * SDK provider (seeded with default credentials)
    *
-   * Will exclusively be used to assume publishing credentials (which must
-   * start out from current credentials regardless of whether we've assumed an
-   * action role to touch the stack or not).
+   * Will be used to:
    *
-   * Used for the following purposes:
-   *
-   * - Publish legacy assets.
-   * - Upload large CloudFormation templates to the staging bucket.
+   * - Publish assets, either legacy assets or large CFN templates
+   *   that aren't themselves assets from a manifest. (Needs an SDK
+   *   Provider because the file publishing role is declared as part
+   *   of the asset).
+   * - Hotswap
    */
   readonly sdkProvider: SdkProvider;
 
@@ -70,9 +70,13 @@ export interface DeployStackOptions {
   /**
    * Role to pass to CloudFormation to execute the change set
    *
-   * @default - Role specified on stack, otherwise current
+   * To obtain a `StringWithoutPlaceholders`, run a regular
+   * string though `TargetEnvironment.replacePlaceholders`.
+   *
+   * @default - No execution role; CloudFormation either uses the role currently associated with
+   * the stack, or otherwise uses current AWS credentials.
    */
-  readonly roleArn?: string;
+  readonly roleArn?: StringWithoutPlaceholders;
 
   /**
    * Notification ARNs to pass to CloudFormation to notify when the change set has completed
diff --git a/packages/aws-cdk/lib/api/deployments.ts b/packages/aws-cdk/lib/api/deployments.ts
index 6231aa9a70567..1240127469804 100644
--- a/packages/aws-cdk/lib/api/deployments.ts
+++ b/packages/aws-cdk/lib/api/deployments.ts
@@ -4,56 +4,25 @@ import * as cdk_assets from 'cdk-assets';
 import { AssetManifest, IManifestEntry } from 'cdk-assets';
 import * as chalk from 'chalk';
 import { Tag } from '../cdk-toolkit';
-import { debug, warning, error } from '../logging';
-import { Mode } from './aws-auth/credentials';
-import { ISDK } from './aws-auth/sdk';
-import { CredentialsOptions, SdkForEnvironment, SdkProvider } from './aws-auth/sdk-provider';
+import { debug, warning } from '../logging';
+import { SdkProvider } from './aws-auth/sdk-provider';
 import { deployStack, DeployStackResult, destroyStack, DeploymentMethod } from './deploy-stack';
-import { EnvironmentResources, EnvironmentResourcesRegistry } from './environment-resources';
+import { EnvironmentAccess } from './environment-access';
+import { EnvironmentResources } from './environment-resources';
 import { HotswapMode, HotswapPropertyOverrides } from './hotswap/common';
 import { loadCurrentTemplateWithNestedStacks, loadCurrentTemplate, RootTemplateWithNestedStacks } from './nested-stack-helpers';
+import { DEFAULT_TOOLKIT_STACK_NAME } from './toolkit-info';
 import { determineAllowCrossAccountAssetPublishing } from './util/checks';
 import { CloudFormationStack, Template, ResourcesToImport, ResourceIdentifierSummaries, stabilizeStack, uploadStackTemplateAssets } from './util/cloudformation';
 import { StackActivityMonitor, StackActivityProgress } from './util/cloudformation/stack-activity-monitor';
 import { StackEventPoller } from './util/cloudformation/stack-event-poller';
 import { RollbackChoice } from './util/cloudformation/stack-status';
-import { replaceEnvPlaceholders } from './util/placeholders';
 import { makeBodyParameter } from './util/template-body-parameter';
 import { AssetManifestBuilder } from '../util/asset-manifest-builder';
 import { buildAssets, publishAssets, BuildAssetsOptions, PublishAssetsOptions, PublishingAws, EVENT_TO_LOGGER } from '../util/asset-publishing';
 
 const BOOTSTRAP_STACK_VERSION_FOR_ROLLBACK = 23;
 
-/**
- * SDK obtained by assuming the lookup role
- * for a given environment
- */
-export interface PreparedSdkWithLookupRoleForEnvironment {
-  /**
-   * The SDK for the given environment
-   */
-  readonly sdk: ISDK;
-
-  /**
-   * The resolved environment for the stack
-   * (no more 'unknown-account/unknown-region')
-   */
-  readonly resolvedEnvironment: cxapi.Environment;
-
-  /**
-   * Whether or not the assume role was successful.
-   * If the assume role was not successful (false)
-   * then that means that the 'sdk' returned contains
-   * the default credentials (not the assume role credentials)
-   */
-  readonly didAssumeRole: boolean;
-
-  /**
-   * An object for accessing the bootstrap resources in this environment
-   */
-  readonly envResources: EnvironmentResources;
-}
-
 export interface DeployStackOptions {
   /**
    * Stack to deploy
@@ -352,69 +321,61 @@ export interface DeploymentsProps {
 }
 
 /**
- * SDK obtained by assuming the deploy role
- * for a given environment
+ * Scope for a single set of deployments from a set of Cloud Assembly Artifacts
+ *
+ * Manages lookup of SDKs, Bootstrap stacks, etc.
  */
-export interface PreparedSdkForEnvironment {
-  /**
-   * The SDK for the given environment
-   */
-  readonly stackSdk: ISDK;
+export class Deployments {
+  public readonly envs: EnvironmentAccess;
 
   /**
-   * The resolved environment for the stack
-   * (no more 'unknown-account/unknown-region')
-   */
-  readonly resolvedEnvironment: cxapi.Environment;
-  /**
-   * The Execution Role that should be passed to CloudFormation.
+   * SDK provider for asset publishing (do not use for anything else).
+   *
+   * This SDK provider is only allowed to be used for that purpose, nothing else.
    *
-   * @default - no execution role is used
+   * It's not a different object, but the field name should imply that this
+   * object should not be used directly, except to pass to asset handling routines.
    */
-  readonly cloudFormationRoleArn?: string;
+  private readonly assetSdkProvider: SdkProvider;
 
   /**
-   * Access class for environmental resources to help the deployment
+   * SDK provider for passing to deployStack
+   *
+   * This SDK provider is only allowed to be used for that purpose, nothing else.
+   *
+   * It's not a different object, but the field name should imply that this
+   * object should not be used directly, except to pass to `deployStack`.
    */
-  readonly envResources: EnvironmentResources;
-}
+  private readonly deployStackSdkProvider: SdkProvider;
 
-/**
- * Scope for a single set of deployments from a set of Cloud Assembly Artifacts
- *
- * Manages lookup of SDKs, Bootstrap stacks, etc.
- */
-export class Deployments {
-  private readonly sdkProvider: SdkProvider;
-  private readonly sdkCache = new Map<string, SdkForEnvironment>();
   private readonly publisherCache = new Map<AssetManifest, cdk_assets.AssetPublishing>();
-  private readonly environmentResources: EnvironmentResourcesRegistry;
 
   private _allowCrossAccountAssetPublishing: boolean | undefined;
   constructor(private readonly props: DeploymentsProps) {
-    this.sdkProvider = props.sdkProvider;
-    this.environmentResources = new EnvironmentResourcesRegistry(props.toolkitStackName);
+    this.assetSdkProvider = props.sdkProvider;
+    this.deployStackSdkProvider = props.sdkProvider;
+    this.envs = new EnvironmentAccess(props.sdkProvider, props.toolkitStackName ?? DEFAULT_TOOLKIT_STACK_NAME);
   }
 
   /**
    * Resolves the environment for a stack.
    */
   public async resolveEnvironment(stack: cxapi.CloudFormationStackArtifact): Promise<cxapi.Environment> {
-    return this.sdkProvider.resolveEnvironment(stack.environment);
+    return this.envs.resolveStackEnvironment(stack);
   }
 
   public async readCurrentTemplateWithNestedStacks(
     rootStackArtifact: cxapi.CloudFormationStackArtifact,
     retrieveProcessedTemplate: boolean = false,
   ): Promise<RootTemplateWithNestedStacks> {
-    const sdk = (await this.prepareSdkWithLookupOrDeployRole(rootStackArtifact)).stackSdk;
-    return loadCurrentTemplateWithNestedStacks(rootStackArtifact, sdk, retrieveProcessedTemplate);
+    const env = await this.envs.accessStackForLookupBestEffort(rootStackArtifact);
+    return loadCurrentTemplateWithNestedStacks(rootStackArtifact, env.sdk, retrieveProcessedTemplate);
   }
 
   public async readCurrentTemplate(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<Template> {
     debug(`Reading existing template for stack ${stackArtifact.displayName}.`);
-    const sdk = (await this.prepareSdkWithLookupOrDeployRole(stackArtifact)).stackSdk;
-    return loadCurrentTemplate(stackArtifact, sdk);
+    const env = await this.envs.accessStackForLookupBestEffort(stackArtifact);
+    return loadCurrentTemplate(stackArtifact, env.sdk);
   }
 
   public async resourceIdentifierSummaries(
@@ -423,8 +384,8 @@ export class Deployments {
     debug(`Retrieving template summary for stack ${stackArtifact.displayName}.`);
     // Currently, needs to use `deploy-role` since it may need to read templates in the staging
     // bucket which have been encrypted with a KMS key (and lookup-role may not read encrypted things)
-    const { stackSdk, resolvedEnvironment, envResources } = await this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading);
-    const cfn = stackSdk.cloudFormation();
+    const env = await this.envs.accessStackForReadOnlyStackOperations(stackArtifact);
+    const cfn = env.sdk.cloudFormation();
 
     await uploadStackTemplateAssets(stackArtifact, this);
 
@@ -432,10 +393,10 @@ export class Deployments {
     const builder = new AssetManifestBuilder();
     const cfnParam = await makeBodyParameter(
       stackArtifact,
-      resolvedEnvironment,
+      env.resolvedEnvironment,
       builder,
-      envResources,
-      stackSdk);
+      env.resources,
+      env.sdk);
 
     // If the `makeBodyParameter` before this added assets, make sure to publish them before
     // calling the API.
@@ -469,31 +430,28 @@ export class Deployments {
       };
     }
 
-    const {
-      stackSdk,
-      resolvedEnvironment,
-      cloudFormationRoleArn,
-      envResources,
-    } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
+    const env = await this.envs.accessStackForMutableStackOperations(options.stack);
 
     // Do a verification of the bootstrap stack version
     await this.validateBootstrapStackVersion(
       options.stack.stackName,
       options.stack.requiresBootstrapStackVersion,
       options.stack.bootstrapStackVersionSsmParameter,
-      envResources);
+      env.resources);
+
+    const executionRoleArn = await env.replacePlaceholders(options.roleArn ?? options.stack.cloudFormationExecutionRoleArn);
 
     return deployStack({
       stack: options.stack,
-      resolvedEnvironment,
+      resolvedEnvironment: env.resolvedEnvironment,
       deployName: options.deployName,
       notificationArns: options.notificationArns,
       quiet: options.quiet,
-      sdk: stackSdk,
-      sdkProvider: this.sdkProvider,
-      roleArn: cloudFormationRoleArn,
+      sdk: env.sdk,
+      sdkProvider: this.deployStackSdkProvider,
+      roleArn: executionRoleArn,
       reuseAssets: options.reuseAssets,
-      envResources,
+      envResources: env.resources,
       tags: options.tags,
       deploymentMethod,
       force: options.force,
@@ -517,12 +475,7 @@ export class Deployments {
       throw new Error('Cannot combine --force with --orphan');
     }
 
-    const {
-      stackSdk,
-      resolvedEnvironment: _,
-      cloudFormationRoleArn,
-      envResources,
-    } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
+    const env = await this.envs.accessStackForMutableStackOperations(options.stack);
 
     if (options.validateBootstrapStackVersion ?? true) {
       // Do a verification of the bootstrap stack version
@@ -530,10 +483,10 @@ export class Deployments {
         options.stack.stackName,
         BOOTSTRAP_STACK_VERSION_FOR_ROLLBACK,
         options.stack.bootstrapStackVersionSsmParameter,
-        envResources);
+        env.resources);
     }
 
-    const cfn = stackSdk.cloudFormation();
+    const cfn = env.sdk.cloudFormation();
     const deployName = options.stack.stackName;
 
     // We loop in case of `--force` and the stack ends up in `CONTINUE_UPDATE_ROLLBACK`.
@@ -541,6 +494,8 @@ export class Deployments {
     while (maxLoops--) {
       let cloudFormationStack = await CloudFormationStack.lookup(cfn, deployName);
 
+      const executionRoleArn = await env.replacePlaceholders(options.roleArn ?? options.stack.cloudFormationExecutionRoleArn);
+
       switch (cloudFormationStack.stackStatus.rollbackChoice) {
         case RollbackChoice.NONE:
           warning(`Stack ${deployName} does not need a rollback: ${cloudFormationStack.stackStatus}`);
@@ -550,7 +505,7 @@ export class Deployments {
           debug(`Initiating rollback of stack ${deployName}`);
           await cfn.rollbackStack({
             StackName: deployName,
-            RoleARN: cloudFormationRoleArn,
+            RoleARN: executionRoleArn,
             ClientRequestToken: randomUUID(),
             // Enabling this is just the better overall default, the only reason it isn't the upstream default is backwards compatibility
             RetainExceptOnCreate: true,
@@ -579,7 +534,7 @@ export class Deployments {
           await cfn.continueUpdateRollback({
             StackName: deployName,
             ClientRequestToken: randomUUID(),
-            RoleARN: cloudFormationRoleArn,
+            RoleARN: executionRoleArn,
             ResourcesToSkip: resourcesToSkip,
           }).promise();
           break;
@@ -631,11 +586,12 @@ export class Deployments {
   }
 
   public async destroyStack(options: DestroyStackOptions): Promise<void> {
-    const { stackSdk, cloudFormationRoleArn: roleArn } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
+    const env = await this.envs.accessStackForMutableStackOperations(options.stack);
+    const executionRoleArn = await env.replacePlaceholders(options.roleArn ?? options.stack.cloudFormationExecutionRoleArn);
 
     return destroyStack({
-      sdk: stackSdk,
-      roleArn,
+      sdk: env.sdk,
+      roleArn: executionRoleArn,
       stack: options.stack,
       deployName: options.deployName,
       quiet: options.quiet,
@@ -644,159 +600,28 @@ export class Deployments {
   }
 
   public async stackExists(options: StackExistsOptions): Promise<boolean> {
-    let stackSdk;
+    let env;
     if (options.tryLookupRole) {
-      stackSdk = (await this.prepareSdkWithLookupOrDeployRole(options.stack)).stackSdk;
+      env = await this.envs.accessStackForLookupBestEffort(options.stack);
     } else {
-      stackSdk = (await this.prepareSdkFor(options.stack, undefined, Mode.ForReading)).stackSdk;
+      env = await this.envs.accessStackForReadOnlyStackOperations(options.stack);
     }
-    const stack = await CloudFormationStack.lookup(stackSdk.cloudFormation(), options.deployName ?? options.stack.stackName);
+    const stack = await CloudFormationStack.lookup(env.sdk.cloudFormation(), options.deployName ?? options.stack.stackName);
     return stack.exists;
   }
 
-  public async prepareSdkWithDeployRole(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<PreparedSdkForEnvironment> {
-    return this.prepareSdkFor(stackArtifact, undefined, Mode.ForWriting);
-  }
-
-  private async prepareSdkWithLookupOrDeployRole(stackArtifact: cxapi.CloudFormationStackArtifact): Promise<PreparedSdkForEnvironment> {
-    // try to assume the lookup role
-    try {
-      const result = await this.prepareSdkWithLookupRoleFor(stackArtifact);
-      if (result.didAssumeRole) {
-        return {
-          resolvedEnvironment: result.resolvedEnvironment,
-          stackSdk: result.sdk,
-          envResources: result.envResources,
-        };
-      }
-    } catch { }
-    // fall back to the deploy role
-    return this.prepareSdkFor(stackArtifact, undefined, Mode.ForReading);
-  }
-
-  /**
-   * Get the environment necessary for touching the given stack
-   *
-   * Returns the following:
-   *
-   * - The resolved environment for the stack (no more 'unknown-account/unknown-region')
-   * - SDK loaded with the right credentials for calling `CreateChangeSet`.
-   * - The Execution Role that should be passed to CloudFormation.
-   */
-  private async prepareSdkFor(
-    stack: cxapi.CloudFormationStackArtifact,
-    roleArn: string | undefined,
-    mode: Mode,
-  ): Promise<PreparedSdkForEnvironment> {
-    if (!stack.environment) {
-      throw new Error(`The stack ${stack.displayName} does not have an environment`);
-    }
-
-    const resolvedEnvironment = await this.resolveEnvironment(stack);
-
-    // Substitute any placeholders with information about the current environment
-    const arns = await replaceEnvPlaceholders({
-      assumeRoleArn: stack.assumeRoleArn,
-
-      // Use the override if given, otherwise use the field from the stack
-      cloudFormationRoleArn: roleArn ?? stack.cloudFormationExecutionRoleArn,
-    }, resolvedEnvironment, this.sdkProvider);
-
-    const stackSdk = await this.cachedSdkForEnvironment(resolvedEnvironment, mode, {
-      assumeRoleArn: arns.assumeRoleArn,
-      assumeRoleExternalId: stack.assumeRoleExternalId,
-      assumeRoleAdditionalOptions: stack.assumeRoleAdditionalOptions,
-    });
-
-    return {
-      stackSdk: stackSdk.sdk,
-      resolvedEnvironment,
-      cloudFormationRoleArn: arns.cloudFormationRoleArn,
-      envResources: this.environmentResources.for(resolvedEnvironment, stackSdk.sdk),
-    };
-  }
-
-  /**
-   * Try to use the bootstrap lookupRole. There are two scenarios that are handled here
-   *  1. The lookup role may not exist (it was added in bootstrap stack version 7)
-   *  2. The lookup role may not have the correct permissions (ReadOnlyAccess was added in
-   *      bootstrap stack version 8)
-   *
-   * In the case of 1 (lookup role doesn't exist) `forEnvironment` will either:
-   *   1. Return the default credentials if the default credentials are for the stack account
-   *   2. Throw an error if the default credentials are not for the stack account.
-   *
-   * If we successfully assume the lookup role we then proceed to 2 and check whether the bootstrap
-   * stack version is valid. If it is not we throw an error which should be handled in the calling
-   * function (and fallback to use a different role, etc)
-   *
-   * If we do not successfully assume the lookup role, but do get back the default credentials
-   * then return those and note that we are returning the default credentials. The calling
-   * function can then decide to use them or fallback to another role.
-   */
-  public async prepareSdkWithLookupRoleFor(
-    stack: cxapi.CloudFormationStackArtifact,
-  ): Promise<PreparedSdkWithLookupRoleForEnvironment> {
-    const resolvedEnvironment = await this.sdkProvider.resolveEnvironment(stack.environment);
-
-    // Substitute any placeholders with information about the current environment
-    const arns = await replaceEnvPlaceholders({
-      lookupRoleArn: stack.lookupRole?.arn,
-    }, resolvedEnvironment, this.sdkProvider);
-
-    // try to assume the lookup role
-    const warningMessage = `Could not assume ${arns.lookupRoleArn}, proceeding anyway.`;
-
-    try {
-      // Trying to assume lookup role and cache the sdk for the environment
-      const stackSdk = await this.cachedSdkForEnvironment(resolvedEnvironment, Mode.ForReading, {
-        assumeRoleArn: arns.lookupRoleArn,
-        assumeRoleExternalId: stack.lookupRole?.assumeRoleExternalId,
-        assumeRoleAdditionalOptions: stack.lookupRole?.assumeRoleAdditionalOptions,
-      });
-
-      const envResources = this.environmentResources.for(resolvedEnvironment, stackSdk.sdk);
-
-      // if we succeed in assuming the lookup role, make sure we have the correct bootstrap stack version
-      if (stackSdk.didAssumeRole && stack.lookupRole?.bootstrapStackVersionSsmParameter && stack.lookupRole.requiresBootstrapStackVersion) {
-        const version = await envResources.versionFromSsmParameter(stack.lookupRole.bootstrapStackVersionSsmParameter);
-        if (version < stack.lookupRole.requiresBootstrapStackVersion) {
-          throw new Error(`Bootstrap stack version '${stack.lookupRole.requiresBootstrapStackVersion}' is required, found version '${version}'. To get rid of this error, please upgrade to bootstrap version >= ${stack.lookupRole.requiresBootstrapStackVersion}`);
-        }
-      } else if (!stackSdk.didAssumeRole) {
-        const lookUpRoleExists = stack.lookupRole ? true : false;
-        warning(`Lookup role ${ lookUpRoleExists ? 'exists but' : 'does not exist, hence'} was not assumed. Proceeding with default credentials.`);
-      }
-      return { ...stackSdk, resolvedEnvironment, envResources };
-    } catch (e: any) {
-      debug(e);
-
-      // only print out the warnings if the lookupRole exists
-      if (stack.lookupRole) {
-        warning(warningMessage);
-      }
-
-      // This error should be shown even if debug mode is off
-      if (e instanceof Error && e.message.includes('Bootstrap stack version')) {
-        error(e.message);
-      }
-
-      throw (e);
-    }
-  }
-
   private async prepareAndValidateAssets(asset: cxapi.AssetManifestArtifact, options: AssetOptions) {
-    const { envResources } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
+    const env = await this.envs.accessStackForMutableStackOperations(options.stack);
 
     await this.validateBootstrapStackVersion(
       options.stack.stackName,
       asset.requiresBootstrapStackVersion,
       asset.bootstrapStackVersionSsmParameter,
-      envResources);
+      env.resources);
 
     const manifest = AssetManifest.fromFile(asset.file);
 
-    return { manifest, stackEnv: envResources.environment };
+    return { manifest, stackEnv: env.resolvedEnvironment };
   }
 
   /**
@@ -806,7 +631,7 @@ export class Deployments {
    */
   public async buildAssets(asset: cxapi.AssetManifestArtifact, options: BuildStackAssetsOptions) {
     const { manifest, stackEnv } = await this.prepareAndValidateAssets(asset, options);
-    await buildAssets(manifest, this.sdkProvider, stackEnv, options.buildOptions);
+    await buildAssets(manifest, this.assetSdkProvider, stackEnv, options.buildOptions);
   }
 
   /**
@@ -816,7 +641,7 @@ export class Deployments {
    */
   public async publishAssets(asset: cxapi.AssetManifestArtifact, options: PublishStackAssetsOptions) {
     const { manifest, stackEnv } = await this.prepareAndValidateAssets(asset, options);
-    await publishAssets(manifest, this.sdkProvider, stackEnv, {
+    await publishAssets(manifest, this.assetSdkProvider, stackEnv, {
       ...options.publishOptions,
       allowCrossAccount: await this.allowCrossAccountAssetPublishingForEnv(options.stack),
     });
@@ -831,16 +656,17 @@ export class Deployments {
    */
   // eslint-disable-next-line max-len
   public async buildSingleAsset(assetArtifact: cxapi.AssetManifestArtifact | 'no-version-validation', assetManifest: AssetManifest, asset: IManifestEntry, options: BuildStackAssetsOptions) {
-    const { resolvedEnvironment, envResources } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
-
     if (assetArtifact !== 'no-version-validation') {
+      const env = await this.envs.accessStackForReadOnlyStackOperations(options.stack);
       await this.validateBootstrapStackVersion(
         options.stack.stackName,
         assetArtifact.requiresBootstrapStackVersion,
         assetArtifact.bootstrapStackVersionSsmParameter,
-        envResources);
+        env.resources);
     }
 
+    const resolvedEnvironment = await this.envs.resolveStackEnvironment(options.stack);
+
     const publisher = this.cachedPublisher(assetManifest, resolvedEnvironment, options.stackName);
     await publisher.buildEntry(asset);
     if (publisher.hasFailures) {
@@ -853,7 +679,7 @@ export class Deployments {
    */
   // eslint-disable-next-line max-len
   public async publishSingleAsset(assetManifest: AssetManifest, asset: IManifestEntry, options: PublishStackAssetsOptions) {
-    const { resolvedEnvironment: stackEnv } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
+    const stackEnv = await this.envs.resolveStackEnvironment(options.stack);
 
     // No need to validate anymore, we already did that during build
     const publisher = this.cachedPublisher(assetManifest, stackEnv, options.stackName);
@@ -866,8 +692,8 @@ export class Deployments {
 
   private async allowCrossAccountAssetPublishingForEnv(stack: cxapi.CloudFormationStackArtifact): Promise<boolean> {
     if (this._allowCrossAccountAssetPublishing === undefined) {
-      const { stackSdk: sdk } = await this.prepareSdkFor(stack, undefined, Mode.ForReading);
-      this._allowCrossAccountAssetPublishing = await determineAllowCrossAccountAssetPublishing(sdk, this.props.toolkitStackName);
+      const env = await this.envs.accessStackForReadOnlyStackOperations(stack);
+      this._allowCrossAccountAssetPublishing = await determineAllowCrossAccountAssetPublishing(env.sdk, this.props.toolkitStackName);
     }
     return this._allowCrossAccountAssetPublishing;
   }
@@ -876,7 +702,8 @@ export class Deployments {
    * Return whether a single asset has been published already
    */
   public async isSingleAssetPublished(assetManifest: AssetManifest, asset: IManifestEntry, options: PublishStackAssetsOptions) {
-    const { resolvedEnvironment: stackEnv } = await this.prepareSdkFor(options.stack, options.roleArn, Mode.ForWriting);
+    const stackEnv = await this.envs.resolveStackEnvironment(options.stack);
+
     const publisher = this.cachedPublisher(assetManifest, stackEnv, options.stackName);
     return publisher.isEntryPublished(asset);
   }
@@ -899,33 +726,6 @@ export class Deployments {
     }
   }
 
-  private async cachedSdkForEnvironment(
-    environment: cxapi.Environment,
-    mode: Mode,
-    options?: CredentialsOptions,
-  ) {
-    const cacheKeyElements = [
-      environment.account,
-      environment.region,
-      `${mode}`,
-      options?.assumeRoleArn ?? '',
-      options?.assumeRoleExternalId ?? '',
-    ];
-
-    if (options?.assumeRoleAdditionalOptions) {
-      cacheKeyElements.push(JSON.stringify(options.assumeRoleAdditionalOptions));
-    }
-
-    const cacheKey = cacheKeyElements.join(':');
-    const existing = this.sdkCache.get(cacheKey);
-    if (existing) {
-      return existing;
-    }
-    const ret = await this.sdkProvider.forEnvironment(environment, mode, options);
-    this.sdkCache.set(cacheKey, ret);
-    return ret;
-  }
-
   private cachedPublisher(assetManifest: cdk_assets.AssetManifest, env: cxapi.Environment, stackName?: string) {
     const existing = this.publisherCache.get(assetManifest);
     if (existing) {
@@ -933,7 +733,9 @@ export class Deployments {
     }
     const prefix = stackName ? `${chalk.bold(stackName)}: ` : '';
     const publisher = new cdk_assets.AssetPublishing(assetManifest, {
-      aws: new PublishingAws(this.sdkProvider, env),
+      // The AssetPublishing class takes care of role assuming etc, so it's okay to
+      // give it a direct `SdkProvider`.
+      aws: new PublishingAws(this.assetSdkProvider, env),
       progressListener: new ParallelSafeAssetProgress(prefix, this.props.quiet ?? false),
     });
     this.publisherCache.set(assetManifest, publisher);
@@ -964,4 +766,4 @@ function suffixWithErrors(msg: string, errors?: string[]) {
   return errors && errors.length > 0
     ? `${msg}: ${errors.join(', ')}`
     : msg;
-}
\ No newline at end of file
+}
diff --git a/packages/aws-cdk/lib/api/environment-access.ts b/packages/aws-cdk/lib/api/environment-access.ts
new file mode 100644
index 0000000000000..2df34888e4a6e
--- /dev/null
+++ b/packages/aws-cdk/lib/api/environment-access.ts
@@ -0,0 +1,272 @@
+import * as cxapi from '@aws-cdk/cx-api';
+import { ISDK, Mode } from './aws-auth';
+import { warning } from '../logging';
+import { CredentialsOptions, SdkForEnvironment, SdkProvider } from './aws-auth/sdk-provider';
+import { EnvironmentResources, EnvironmentResourcesRegistry } from './environment-resources';
+import { replaceEnvPlaceholders, StringWithoutPlaceholders } from './util/placeholders';
+
+/**
+ * Access particular AWS resources, based on information from the CX manifest
+ *
+ * It is not possible to grab direct access to AWS credentials; 9 times out of 10
+ * we have to allow for role assumption, and role assumption can only work if
+ * there is a CX Manifest that contains a role ARN.
+ *
+ * This class exists so new code isn't tempted to go and get SDK credentials directly.
+ */
+export class EnvironmentAccess {
+  private readonly sdkCache = new Map<string, SdkForEnvironment>();
+  private readonly environmentResources: EnvironmentResourcesRegistry;
+
+  constructor(private readonly sdkProvider: SdkProvider, toolkitStackName: string) {
+    this.environmentResources = new EnvironmentResourcesRegistry(toolkitStackName);
+  }
+
+  /**
+   * Resolves the environment for a stack.
+   */
+  public async resolveStackEnvironment(stack: cxapi.CloudFormationStackArtifact): Promise<cxapi.Environment> {
+    return this.sdkProvider.resolveEnvironment(stack.environment);
+  }
+
+  /**
+   * Get an SDK to access the given stack's environment for stack operations
+   *
+   * Will ask plugins for readonly credentials if available, use the default
+   * AWS credentials if not.
+   *
+   * Will assume the deploy role if configured on the stack. Check the default `deploy-role`
+   * policies to see what you can do with this role.
+   */
+  public async accessStackForReadOnlyStackOperations(stack: cxapi.CloudFormationStackArtifact): Promise<TargetEnvironment> {
+    return this.accessStackForStackOperations(stack, Mode.ForReading);
+  }
+
+  /**
+   * Get an SDK to access the given stack's environment for stack operations
+   *
+   * Will ask plugins for mutating credentials if available, use the default AWS
+   * credentials if not.  The `mode` parameter is only used for querying
+   * plugins.
+   *
+   * Will assume the deploy role if configured on the stack. Check the default `deploy-role`
+   * policies to see what you can do with this role.
+   */
+  public async accessStackForMutableStackOperations(stack: cxapi.CloudFormationStackArtifact): Promise<TargetEnvironment> {
+    return this.accessStackForStackOperations(stack, Mode.ForWriting);
+  }
+
+  /**
+   * Get an SDK to access the given stack's environment for environmental lookups
+   *
+   * Will use a plugin if available, use the default AWS credentials if not.
+   * The `mode` parameter is only used for querying plugins.
+   *
+   * Will assume the lookup role if configured on the stack. Check the default `lookup-role`
+   * policies to see what you can do with this role. It can generally read everything
+   * in the account that does not require KMS access.
+   *
+   * ---
+   *
+   * For backwards compatibility reasons, there are some scenarios that are handled here:
+   *
+   *  1. The lookup role may not exist (it was added in bootstrap stack version 7). If so:
+   *     a. Return the default credentials if the default credentials are for the stack account
+   *        (you will notice this as `isFallbackCredentials=true`).
+   *     b. Throw an error if the default credentials are not for the stack account.
+   *
+   *  2. The lookup role may not have the correct permissions (for example, ReadOnlyAccess was added in
+   *     bootstrap stack version 8); the stack will have a minimum version number on it.
+   *     a. If it does not we throw an error which should be handled in the calling
+   *        function (and fallback to use a different role, etc)
+   *
+   * Upon success, caller will have an SDK for the right account, which may or may not have
+   * the right permissions.
+   */
+  public async accessStackForLookup(stack: cxapi.CloudFormationStackArtifact): Promise<TargetEnvironment> {
+    if (!stack.environment) {
+      throw new Error(`The stack ${stack.displayName} does not have an environment`);
+    }
+
+    const lookupEnv = await this.prepareSdk({
+      environment: stack.environment,
+      mode: Mode.ForReading,
+      assumeRoleArn: stack.lookupRole?.arn,
+      assumeRoleExternalId: stack.lookupRole?.assumeRoleExternalId,
+      assumeRoleAdditionalOptions: stack.lookupRole?.assumeRoleAdditionalOptions,
+    });
+
+    // if we succeed in assuming the lookup role, make sure we have the correct bootstrap stack version
+    if (lookupEnv.didAssumeRole && stack.lookupRole?.bootstrapStackVersionSsmParameter && stack.lookupRole.requiresBootstrapStackVersion) {
+      const version = await lookupEnv.resources.versionFromSsmParameter(stack.lookupRole.bootstrapStackVersionSsmParameter);
+      if (version < stack.lookupRole.requiresBootstrapStackVersion) {
+        throw new Error(`Bootstrap stack version '${stack.lookupRole.requiresBootstrapStackVersion}' is required, found version '${version}'. To get rid of this error, please upgrade to bootstrap version >= ${stack.lookupRole.requiresBootstrapStackVersion}`);
+      }
+    }
+    if (lookupEnv.isFallbackCredentials) {
+      const arn = await lookupEnv.replacePlaceholders(stack.lookupRole?.arn);
+      warning(`Lookup role ${arn} was not assumed. Proceeding with default credentials.`);
+    }
+    return lookupEnv;
+  }
+
+  /**
+   * Get an SDK to access the given stack's environment for reading stack attributes
+   *
+   * Will use a plugin if available, use the default AWS credentials if not.
+   * The `mode` parameter is only used for querying plugins.
+   *
+   * Will try to assume the lookup role if given, will use the regular stack operations
+   * access (deploy-role) otherwise. When calling this, you should assume that you will get
+   * the least privileged role, so don't try to use it for anything the `deploy-role`
+   * wouldn't be able to do. Also you cannot rely on being able to read encrypted anything.
+   */
+  public async accessStackForLookupBestEffort(stack: cxapi.CloudFormationStackArtifact): Promise<TargetEnvironment> {
+    if (!stack.environment) {
+      throw new Error(`The stack ${stack.displayName} does not have an environment`);
+    }
+
+    try {
+      return await this.accessStackForLookup(stack);
+    } catch (e: any) {
+      warning(`${e.message}`);
+    }
+    return this.accessStackForStackOperations(stack, Mode.ForReading);
+  }
+
+  /**
+   * Get an SDK to access the given stack's environment for stack operations
+   *
+   * Will use a plugin if available, use the default AWS credentials if not.
+   * The `mode` parameter is only used for querying plugins.
+   *
+   * Will assume the deploy role if configured on the stack. Check the default `deploy-role`
+   * policies to see what you can do with this role.
+   */
+  private async accessStackForStackOperations(stack: cxapi.CloudFormationStackArtifact, mode: Mode): Promise<TargetEnvironment> {
+    if (!stack.environment) {
+      throw new Error(`The stack ${stack.displayName} does not have an environment`);
+    }
+
+    return this.prepareSdk({
+      environment: stack.environment,
+      mode,
+      assumeRoleArn: stack.assumeRoleArn,
+      assumeRoleExternalId: stack.assumeRoleExternalId,
+      assumeRoleAdditionalOptions: stack.assumeRoleAdditionalOptions,
+    });
+  }
+
+  /**
+   * Prepare an SDK for use in the given environment and optionally with a role assumed.
+   */
+  private async prepareSdk(
+    options: PrepareSdkRoleOptions,
+  ): Promise<TargetEnvironment> {
+    const resolvedEnvironment = await this.sdkProvider.resolveEnvironment(options.environment);
+
+    // Substitute any placeholders with information about the current environment
+    const { assumeRoleArn } = await replaceEnvPlaceholders({
+      assumeRoleArn: options.assumeRoleArn,
+    }, resolvedEnvironment, this.sdkProvider);
+
+    const stackSdk = await this.cachedSdkForEnvironment(resolvedEnvironment, options.mode, {
+      assumeRoleArn,
+      assumeRoleExternalId: options.assumeRoleExternalId,
+      assumeRoleAdditionalOptions: options.assumeRoleAdditionalOptions,
+    });
+
+    return {
+      sdk: stackSdk.sdk,
+      resolvedEnvironment,
+      resources: this.environmentResources.for(resolvedEnvironment, stackSdk.sdk),
+      // If we asked for a role, did not successfully assume it, and yet got here without an exception: that
+      // means we must have fallback credentials.
+      isFallbackCredentials: !stackSdk.didAssumeRole && !!assumeRoleArn,
+      didAssumeRole: stackSdk.didAssumeRole,
+      replacePlaceholders: async <A extends string | undefined>(str: A) => {
+        const ret = await replaceEnvPlaceholders({ str }, resolvedEnvironment, this.sdkProvider);
+        return ret.str;
+      },
+    };
+  }
+
+  private async cachedSdkForEnvironment(
+    environment: cxapi.Environment,
+    mode: Mode,
+    options?: CredentialsOptions,
+  ) {
+    const cacheKeyElements = [
+      environment.account,
+      environment.region,
+      `${mode}`,
+      options?.assumeRoleArn ?? '',
+      options?.assumeRoleExternalId ?? '',
+    ];
+
+    if (options?.assumeRoleAdditionalOptions) {
+      cacheKeyElements.push(JSON.stringify(options.assumeRoleAdditionalOptions));
+    }
+
+    const cacheKey = cacheKeyElements.join(':');
+    const existing = this.sdkCache.get(cacheKey);
+    if (existing) {
+      return existing;
+    }
+    const ret = await this.sdkProvider.forEnvironment(environment, mode, options);
+    this.sdkCache.set(cacheKey, ret);
+    return ret;
+  }
+}
+
+/**
+ * SDK obtained by assuming the deploy role
+ * for a given environment
+ */
+export interface TargetEnvironment {
+  /**
+   * The SDK for the given environment
+   */
+  readonly sdk: ISDK;
+
+  /**
+   * The resolved environment for the stack
+   * (no more 'unknown-account/unknown-region')
+   */
+  readonly resolvedEnvironment: cxapi.Environment;
+
+  /**
+   * Access class for environmental resources to help the deployment
+   */
+  readonly resources: EnvironmentResources;
+
+  /**
+   * Whether or not we assumed a role in the process of getting these credentials
+   */
+  readonly didAssumeRole: boolean;
+
+  /**
+   * Whether or not these are fallback credentials
+   *
+   * Fallback credentials means that assuming the intended role failed, but the
+   * base credentials happen to be for the right account so we just picked those
+   * and hope the future SDK calls succeed.
+   *
+   * This is a backwards compatibility mechanism from around the time we introduced
+   * deployment roles.
+   */
+  readonly isFallbackCredentials: boolean;
+
+  /**
+   * Replace environment placeholders according to the current environment
+   */
+  replacePlaceholders(x: string | undefined): Promise<StringWithoutPlaceholders | undefined>;
+}
+
+interface PrepareSdkRoleOptions {
+  readonly environment: cxapi.Environment;
+  readonly mode: Mode;
+  readonly assumeRoleArn?: string;
+  readonly assumeRoleExternalId?: string;
+  readonly assumeRoleAdditionalOptions?: { [key: string]: any };
+}
diff --git a/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts b/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts
index f56ed70d0746b..e41d9145cfbc6 100644
--- a/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts
+++ b/packages/aws-cdk/lib/api/logs/find-cloudwatch-logs.ts
@@ -1,8 +1,10 @@
 import * as cxapi from '@aws-cdk/cx-api';
 import { CloudFormation } from 'aws-sdk';
+import { debug } from '../../logging';
 import { ISDK, Mode, SdkProvider } from '../aws-auth';
-import { Deployments } from '../deployments';
+import { EnvironmentAccess } from '../environment-access';
 import { EvaluateCloudFormationTemplate, LazyListStackResources } from '../evaluate-cloudformation-template';
+import { DEFAULT_TOOLKIT_STACK_NAME } from '../toolkit-info';
 
 // resource types that have associated CloudWatch Log Groups that should _not_ be monitored
 const IGNORE_LOGS_RESOURCE_TYPES = ['AWS::EC2::FlowLog', 'AWS::CloudTrail::Trail', 'AWS::CodeBuild::Project'];
@@ -39,8 +41,9 @@ export async function findCloudWatchLogGroups(
   const resolvedEnv = await sdkProvider.resolveEnvironment(stackArtifact.environment);
   // try to assume the lookup role and fallback to the default credentials
   try {
-    sdk = (await new Deployments({ sdkProvider }).prepareSdkWithLookupRoleFor(stackArtifact)).sdk;
-  } catch {
+    sdk = (await new EnvironmentAccess(sdkProvider, DEFAULT_TOOLKIT_STACK_NAME).accessStackForLookup(stackArtifact)).sdk;
+  } catch (e: any) {
+    debug(`Failed to access SDK environment: ${e.message}`);
     sdk = (await sdkProvider.forEnvironment(resolvedEnv, Mode.ForReading)).sdk;
   }
 
diff --git a/packages/aws-cdk/lib/api/util/cloudformation.ts b/packages/aws-cdk/lib/api/util/cloudformation.ts
index ab01db3aec1ab..8838c4602183e 100644
--- a/packages/aws-cdk/lib/api/util/cloudformation.ts
+++ b/packages/aws-cdk/lib/api/util/cloudformation.ts
@@ -367,19 +367,19 @@ function templatesFromAssetManifestArtifact(artifact: cxapi.AssetManifestArtifac
 async function uploadBodyParameterAndCreateChangeSet(options: PrepareChangeSetOptions): Promise<DescribeChangeSetOutput | undefined> {
   try {
     await uploadStackTemplateAssets(options.stack, options.deployments);
-    const preparedSdk = (await options.deployments.prepareSdkWithDeployRole(options.stack));
+    const env = await options.deployments.envs.accessStackForMutableStackOperations(options.stack);
 
     const bodyParameter = await makeBodyParameter(
       options.stack,
-      preparedSdk.resolvedEnvironment,
+      env.resolvedEnvironment,
       new AssetManifestBuilder(),
-      preparedSdk.envResources,
-      preparedSdk.stackSdk,
+      env.resources,
+      env.sdk,
     );
-    const cfn = preparedSdk.stackSdk.cloudFormation();
+    const cfn = env.sdk.cloudFormation();
     const exists = (await CloudFormationStack.lookup(cfn, options.stack.stackName, false)).exists;
 
-    const executionRoleArn = preparedSdk.cloudFormationRoleArn;
+    const executionRoleArn = await env.replacePlaceholders(options.stack.cloudFormationExecutionRoleArn);
     options.stream.write('Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)\n');
 
     return await createChangeSet({
diff --git a/packages/aws-cdk/lib/api/util/placeholders.ts b/packages/aws-cdk/lib/api/util/placeholders.ts
index 4a209723e8936..7b86bc7580907 100644
--- a/packages/aws-cdk/lib/api/util/placeholders.ts
+++ b/packages/aws-cdk/lib/api/util/placeholders.ts
@@ -1,11 +1,16 @@
 import * as cxapi from '@aws-cdk/cx-api';
+import { Branded } from '../../util/type-brands';
 import { Mode } from '../aws-auth/credentials';
 import { SdkProvider } from '../aws-auth/sdk-provider';
 
 /**
  * Replace the {ACCOUNT} and {REGION} placeholders in all strings found in a complex object.
  */
-export async function replaceEnvPlaceholders<A extends { }>(object: A, env: cxapi.Environment, sdkProvider: SdkProvider): Promise<A> {
+export async function replaceEnvPlaceholders<A extends Record<string, string | undefined>>(
+  object: A,
+  env: cxapi.Environment,
+  sdkProvider: SdkProvider,
+): Promise<{[k in keyof A]: StringWithoutPlaceholders | undefined}> {
   return cxapi.EnvironmentPlaceholders.replaceAsync(object, {
     accountId: () => Promise.resolve(env.account),
     region: () => Promise.resolve(env.region),
@@ -20,3 +25,4 @@ export async function replaceEnvPlaceholders<A extends { }>(object: A, env: cxap
   });
 }
 
+export type StringWithoutPlaceholders = Branded<string, 'NoPlaceholders'>;
diff --git a/packages/aws-cdk/lib/util/type-brands.ts b/packages/aws-cdk/lib/util/type-brands.ts
new file mode 100644
index 0000000000000..51127ddd14bf1
--- /dev/null
+++ b/packages/aws-cdk/lib/util/type-brands.ts
@@ -0,0 +1,44 @@
+/**
+ * Type branding
+ *
+ * This allows marking certain types as having gone through particular operations.
+ *
+ * Branded types can be used anywhere the base type is expected, but the base type
+ * cannot be used where a branded type is expected; the values have to go through
+ * a type assertion operation to confirm their brand.
+ *
+ * Usage:
+ *
+ * ```
+ * type ValidatedString = Branded<string, 'PassedMyValidation'>;
+ *
+ * function validate(x: string): asserts x is ValidatedString {
+ *   // ... throw an error if not
+ * }
+ *
+ * function isValid(x: string): x is ValidatedString {
+ *   // ... throw an error if not
+ * }
+ * ```
+ */
+
+// This construct purely happens at type checking time. There is no run-time impact.
+// Hence, we never even have to construct values of this type.
+declare const __brand: unique symbol;
+
+export type Brand<B> = { [__brand]: B };
+export type Branded<T, B> = T & Brand<B>;
+
+/**
+ * Marks a value as being branded a certain way.
+ *
+ * You should in general avoid calling this, and use validation or
+ * asserting functions instead. However, this can be useful to produce
+ * values which are branded by construction (really just an elaborate
+ * way to write 'as').
+ */
+export function createBranded<A extends Branded<any, any>>(value: TypeUnderlyingBrand<A>): A {
+  return value as A;
+}
+
+type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;
diff --git a/packages/aws-cdk/test/api/cloudformation-deployments.test.ts b/packages/aws-cdk/test/api/cloudformation-deployments.test.ts
index 423293922de00..0c5d0d09a7339 100644
--- a/packages/aws-cdk/test/api/cloudformation-deployments.test.ts
+++ b/packages/aws-cdk/test/api/cloudformation-deployments.test.ts
@@ -983,6 +983,37 @@ test('readCurrentTemplateWithNestedStacks() succesfully ignores stacks without m
   });
 });
 
+describe('stackExists', () => {
+  test.each([
+    [false, 'deploy:here:123456789012'],
+    [true, 'lookup:here:123456789012'],
+  ])('uses lookup role if requested: %p', async (tryLookupRole, expectedRoleArn) => {
+    const mockForEnvironment = jest.fn().mockImplementation(() => { return { sdk: sdkProvider.sdk }; });
+    sdkProvider.forEnvironment = mockForEnvironment;
+    givenStacks({
+      '*': { template: {} },
+    });
+
+    const result = await deployments.stackExists({
+      stack: testStack({
+        stackName: 'boop',
+        properties: {
+          assumeRoleArn: 'deploy:${AWS::Region}:${AWS::AccountId}',
+          lookupRole: {
+            arn: 'lookup:${AWS::Region}:${AWS::AccountId}',
+          },
+        },
+      }),
+      tryLookupRole,
+    });
+
+    expect(result).toBeTruthy();
+    expect(mockForEnvironment).toHaveBeenCalledWith(expect.anything(), expect.anything(), expect.objectContaining({
+      assumeRoleArn: expectedRoleArn,
+    }));
+  });
+});
+
 function pushStackResourceSummaries(stackName: string, ...items: CloudFormation.StackResourceSummary[]) {
   if (!currentCfnStackResources[stackName]) {
     currentCfnStackResources[stackName] = [];
diff --git a/packages/aws-cdk/test/cdk-toolkit.test.ts b/packages/aws-cdk/test/cdk-toolkit.test.ts
index cabd1da365256..4c108ba418474 100644
--- a/packages/aws-cdk/test/cdk-toolkit.test.ts
+++ b/packages/aws-cdk/test/cdk-toolkit.test.ts
@@ -242,7 +242,6 @@ describe('readCurrentTemplate', () => {
 
     // THEN
     expect(flatten(stderrMock.mock.calls)).toEqual(expect.arrayContaining([
-      expect.stringMatching(/Could not assume bloop-lookup:here:123456789012/),
       expect.stringContaining("Bootstrap stack version '5' is required, found version '1'. To get rid of this error, please upgrade to bootstrap version >= 5"),
     ]));
     expect(requestedParameterName!).toEqual('/bootstrap/parameter');
@@ -259,7 +258,9 @@ describe('readCurrentTemplate', () => {
     // GIVEN
     mockCloudExecutable.sdkProvider.stubSSM({
       getParameter() {
-        throw new Error('not found');
+        const e: any = new Error('not found');
+        e.code = e.name = 'ParameterNotFound';
+        throw e;
       },
     });
     const cdkToolkit = new CdkToolkit({
@@ -277,7 +278,7 @@ describe('readCurrentTemplate', () => {
 
     // THEN
     expect(flatten(stderrMock.mock.calls)).toEqual(expect.arrayContaining([
-      expect.stringMatching(/Could not assume bloop-lookup:here:123456789012/),
+      expect.stringMatching(/SSM parameter.*not found./),
     ]));
     expect(mockForEnvironment.mock.calls.length).toEqual(3);
     expect(mockForEnvironment.mock.calls[0][2]).toEqual({
@@ -291,7 +292,7 @@ describe('readCurrentTemplate', () => {
   test('fallback to deploy role if forEnvironment throws', async () => {
     // GIVEN
     // throw error first for the 'prepareSdkWithLookupRoleFor' call and succeed for the rest
-    mockForEnvironment = jest.fn().mockImplementationOnce(() => { throw new Error('error'); })
+    mockForEnvironment = jest.fn().mockImplementationOnce(() => { throw new Error('TheErrorThatGetsThrown'); })
       .mockImplementation(() => { return { sdk: mockCloudExecutable.sdkProvider.sdk, didAssumeRole: true }; });
     mockCloudExecutable.sdkProvider.forEnvironment = mockForEnvironment;
     mockCloudExecutable.sdkProvider.stubSSM({
@@ -315,7 +316,7 @@ describe('readCurrentTemplate', () => {
     // THEN
     expect(mockCloudExecutable.sdkProvider.sdk.ssm).not.toHaveBeenCalled();
     expect(flatten(stderrMock.mock.calls)).toEqual(expect.arrayContaining([
-      expect.stringMatching(/Could not assume bloop-lookup:here:123456789012/),
+      expect.stringMatching(/TheErrorThatGetsThrown/),
     ]));
     expect(mockForEnvironment.mock.calls.length).toEqual(3);
     expect(mockForEnvironment.mock.calls[0][2]).toEqual({
@@ -350,10 +351,9 @@ describe('readCurrentTemplate', () => {
 
     // THEN
     expect(flatten(stderrMock.mock.calls)).toEqual(expect.arrayContaining([
-      expect.stringMatching(/Lookup role exists but was not assumed. Proceeding with default credentials./),
+      expect.stringMatching(/Lookup role.*was not assumed. Proceeding with default credentials./),
     ]));
     expect(mockCloudExecutable.sdkProvider.sdk.ssm).not.toHaveBeenCalled();
-    expect(mockForEnvironment.mock.calls.length).toEqual(3);
     expect(mockForEnvironment.mock.calls[0][2]).toEqual({
       assumeRoleArn: 'bloop-lookup:here:123456789012',
     });
@@ -1088,7 +1088,7 @@ describe('synth', () => {
       expect(stderrMock.mock.calls[1][0]).toContain(' ❌  Migrate failed for `cannot-generate-template`: CannotGenerateTemplateStack could not be generated because rust is not a supported language');
     });
 
-    cliTest('migrate succeeds for valid template from local path when no lanugage is provided', async (workDir) => {
+    cliTest('migrate succeeds for valid template from local path when no language is provided', async (workDir) => {
       const toolkit = defaultToolkitSetup();
       await toolkit.migrate({
         stackName: 'SQSTypeScript',
@@ -1102,7 +1102,7 @@ describe('synth', () => {
       expect(fs.pathExistsSync(path.join(workDir, 'SQSTypeScript', 'lib', 'sqs_type_script-stack.ts'))).toBeTruthy();
     });
 
-    cliTest('migrate succeeds for valid template from local path when lanugage is provided', async (workDir) => {
+    cliTest('migrate succeeds for valid template from local path when language is provided', async (workDir) => {
       const toolkit = defaultToolkitSetup();
       await toolkit.migrate({
         stackName: 'S3Python',
diff --git a/packages/aws-cdk/test/version.test.ts b/packages/aws-cdk/test/version.test.ts
index b743d0e8ed347..3c86b76fd0b85 100644
--- a/packages/aws-cdk/test/version.test.ts
+++ b/packages/aws-cdk/test/version.test.ts
@@ -3,6 +3,7 @@ import * as path from 'path';
 import { setTimeout as _setTimeout } from 'timers';
 import { promisify } from 'util';
 import * as fs from 'fs-extra';
+import * as os from 'os';
 import * as sinon from 'sinon';
 import * as logging from '../lib/logging';
 import * as npm from '../lib/util/npm';
@@ -16,6 +17,10 @@ function tmpfile(): string {
   return `/tmp/version-${Math.floor(Math.random() * 10000)}`;
 }
 
+beforeEach(() => {
+  process.chdir(os.tmpdir()); // Need a chdir because in the workspace 'npm view' will take a long time
+});
+
 afterEach(done => {
   sinon.restore();
   done();