Reputation: 1928
When I use AWS CDK to provision resources in a VPC, it requires me to specify the AWS account and region through env environment variables.
I have CLI access to my dev account, but no access to the prod account.
I would like to use cdk synth to generate a CloudFormation template for the production account. To do that, I specify the account ID in the .env file.
But the cdk synth command returns the following error.
[Error at /whitespace-app-fargate/whitespace-app-fargate/FargateStack] Could not assume role in target account using current credentials (which are for account xxxxxxxx) User: arn:aws:iam::xxxxxxxxx:user/myqinjie is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyy:role/cdk-hnb659fds-lookup-role-yyyyyyyy-ap-southeast-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Is there a way to run cdk synth to generate a CloudFormation template without validation?
Upvotes: 0
Views: 2700
Reputation: 1218
It is not possible to run cdk synth against an account that you do not have access to.
You need to use a role or user that has sufficient permissions to execute cdk synth against the production account.
May I ask what your use case is?
If you want to validate which resources will be created, you can run against your own account but use production stage and production region. The only thing different when effectively deploying to production will be the account.
Upvotes: 1