fix(cdk-lib): Pass lookupRoleArn to NestedStackSynthesizer

packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts

@@ -344,6 +344,13 @@ export class DefaultStackSynthesizer extends StackSynthesizer implements IReusab
     return this.qualifier;
   }
 
+  /**
+   * The role used to lookup for this stack
+   */
+  public get lookupRole(): string | undefined {
+    return this.lookupRoleArn;
+  }
+
   public bind(stack: Stack): void {
     super.bind(stack);
 

packages/aws-cdk-lib/core/lib/stack-synthesizers/nested.ts

@@ -19,6 +19,10 @@ export class NestedStackSynthesizer extends StackSynthesizer {
     return this.parentDeployment.bootstrapQualifier;
   }
 
+  public get lookupRole(): string | undefined {
+    return this.parentDeployment.lookupRole;
+  }
+
   public addFileAsset(asset: FileAssetSource): FileAssetLocation {
     // Forward to parent deployment. By the magic of cross-stack references any parameter
     // returned and used will magically be forwarded to the nested stack.
@@ -34,6 +38,6 @@ export class NestedStackSynthesizer extends StackSynthesizer {
   public synthesize(session: ISynthesisSession): void {
     // Synthesize the template, but don't emit as a cloud assembly artifact.
     // It will be registered as an S3 asset of its parent instead.
-    this.synthesizeTemplate(session);
+    this.synthesizeTemplate(session, this.lookupRole);
   }
 }

packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts

@@ -28,6 +28,13 @@ export abstract class StackSynthesizer implements IStackSynthesizer {
     return undefined;
   }
 
+  /**
+   * The role used to lookup for this stack
+   */
+  public get lookupRole(): string | undefined {
+    return undefined;
+  }
+
   private _boundStack?: Stack;
 
   /**

packages/aws-cdk-lib/core/lib/stack-synthesizers/types.ts

@@ -13,6 +13,13 @@ export interface IStackSynthesizer {
    */
   readonly bootstrapQualifier?: string;
 
+  /**
+   * The role used to lookup for this stack
+   *
+   * @default - no role
+   */
+  readonly lookupRole?: string;
+
   /**
    * Bind to the stack this environment is going to be used on
    *

packages/aws-cdk-lib/core/test/stack-synthesis/new-style-synthesis.test.ts

@@ -2,7 +2,7 @@ import * as fs from 'fs';
 import * as cxschema from '../../../cloud-assembly-schema';
 import { ArtifactType } from '../../../cloud-assembly-schema';
 import * as cxapi from '../../../cx-api';
-import { App, Aws, CfnResource, ContextProvider, DefaultStackSynthesizer, FileAssetPackaging, Stack } from '../../lib';
+import { App, Aws, CfnResource, ContextProvider, DefaultStackSynthesizer, FileAssetPackaging, Stack, NestedStack } from '../../lib';
 import { ISynthesisSession } from '../../lib/stack-synthesizers/types';
 import { evaluateCFN } from '../evaluate-cfn';
 
@@ -15,6 +15,7 @@ const CFN_CONTEXT = {
 describe('new style synthesis', () => {
   let app: App;
   let stack: Stack;
+  let nestedStack: NestedStack;
 
   beforeEach(() => {
     app = new App({
@@ -187,6 +188,24 @@ describe('new style synthesis', () => {
 
   });
 
+  test('nested Stack uses the lookup role ARN of the parent stack', () => {
+    // GIVEN
+    const myapp = new App();
+    const mystack = new Stack(myapp, 'mystack', {
+      synthesizer: new DefaultStackSynthesizer({
+        generateBootstrapVersionRule: false,
+      }),
+      env: {
+        account: '111111111111', region: 'us-east-1',
+      },
+    });
+    nestedStack = new NestedStack(mystack, 'nestedStack');
+
+    // THEN
+    expect(nestedStack.synthesizer.lookupRole).toEqual('arn:${AWS::Partition}:iam::111111111111:role/cdk-hnb659fds-lookup-role-111111111111-us-east-1');
+
+  });
+
   test('add file asset', () => {
     // WHEN
     const location = stack.synthesizer.addFileAsset({