To successfully bootstrap into an MCP account, we need to do the following:
- Dump the bootstrap template to a local file:
  `npx cdk bootstrap --show-template > template.yaml`
  Manually append a permissions boundary to every role created within the template (see `change.diff` below). Use this updated template when deploying:
  `npx cdk bootstrap --template template.yaml`
- Use the custom permissions boundary flag:
  `--custom-permissions-boundary mcp-tenantOperator-APIG`
- Disable setting the public access block configuration on the S3 assets bucket:
  `--public-access-block-configuration false`
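The manual "append a permissions boundary to every role" step is easy to get wrong on a long template, so here is an added helper script (not part of the original page or the CDK project) that patches every `AWS::IAM::Role` in the parsed template and reports any role still left unbounded. The policy name `mcp-tenantOperator-APIG` comes from the page; building its ARN with `Fn::Sub` on `AWS::Partition`/`AWS::AccountId` and using PyYAML to read the dumped template are my assumptions.

```python
import sys

# Boundary policy name is the one used on this page; expressing it as an Fn::Sub ARN
# so the account and partition resolve at deploy time is an assumption of this example.
BOUNDARY_NAME = "mcp-tenantOperator-APIG"
BOUNDARY_ARN = {
    "Fn::Sub": f"arn:${{AWS::Partition}}:iam::${{AWS::AccountId}}:policy/{BOUNDARY_NAME}"
}


def add_permissions_boundary(template, boundary=BOUNDARY_ARN, overwrite=False):
    """Attach `boundary` to every AWS::IAM::Role in a parsed CloudFormation template.
    Returns the logical IDs that were modified. Roles that already declare a boundary
    are left untouched unless overwrite=True, so re-running the script is safe."""
    patched = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        props = resource.setdefault("Properties", {})
        if "PermissionsBoundary" in props and not overwrite:
            continue
        props["PermissionsBoundary"] = boundary
        patched.append(logical_id)
    return patched


def unbounded_roles(template):
    """Verification step: logical IDs of IAM roles that still lack a PermissionsBoundary.
    An empty list is what you want before running `cdk bootstrap --template`."""
    return [
        lid for lid, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
        and "PermissionsBoundary" not in res.get("Properties", {})
    ]


# Constructed miniature standing in for the real `--show-template` output.
SAMPLE_TEMPLATE = {
    "Resources": {
        "FilePublishingRole": {"Type": "AWS::IAM::Role", "Properties": {"RoleName": "pub"}},
        "CloudFormationExecutionRole": {"Type": "AWS::IAM::Role"},
        "StagingBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    # Real use: python patch_boundary.py template.yaml patched.yaml
    # Assumes the dumped template uses long-form intrinsics (Fn::Sub:, Ref:) that safe_load accepts.
    import yaml  # PyYAML, needed only for real YAML input
    with open(sys.argv[1]) as fh:
        tpl = yaml.safe_load(fh)
    print("patched roles:", add_permissions_boundary(tpl), "still unbounded:", unbounded_roles(tpl))
    with open(sys.argv[2], "w") as fh:
        yaml.safe_dump(tpl, fh, sort_keys=False)
```

Pass the resulting file to `npx cdk bootstrap --template patched.yaml`; the `unbounded_roles` output should be empty before you do.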
Putting it all together, bootstrapping will look something like this:
npx cdk bootstrap \