(bootstrap): cannot remove permissions boundary for cfn execution role #23780

@clueleaf

Describe the bug

After bootstrapping with the --custom-permissions-boundary option, it is not possible to remove the boundary attached to the CloudFormation execution role by bootstrapping again without the --custom-permissions-boundary option.
Adding a boundary from nothing or switching to another boundary works fine, though.

Expected Behavior

CloudFormation execution role is updated without a permissions boundary.

Current Behavior

CloudFormation execution role is not updated.

Reproduction Steps

  1. Bootstrap with permissions boundary.

cdk bootstrap --custom-permissions-boundary "my-boundary"

  2. Bootstrap again without permissions boundary.

cdk bootstrap -v

Console log says it is switching boundaries but the deployment is skipped after all.

  3. Even with --force option, role is not updated.

cdk bootstrap -v --force

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.61.1

Framework Version

No response

Node.js Version

18

OS

macOS Ventura

Language

TypeScript

Language Version

No response

Other information

No response
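
A check for the role state this report describes, as an added example that is not part of the original issue or of the CDK code base: it reads the JSON printed by `aws iam get-role` for the CloudFormation execution role and compares the attached boundary with what the last bootstrap asked for. The role name, account ID and both sample responses are constructed.

```javascript
// Added example, not CDK code. Input: JSON printed by `aws iam get-role`
// for the CloudFormation execution role. All sample values are constructed.
const ROLE = "example-cfn-exec-role"; // hypothetical role name
const WITH_BOUNDARY = JSON.stringify({ Role: {
  RoleName: ROLE,
  Arn: "arn:aws:iam::123456789012:role/" + ROLE,
  PermissionsBoundary: {
    PermissionsBoundaryType: "Policy",
    PermissionsBoundaryArn: "arn:aws:iam::123456789012:policy/my-boundary",
  },
} });
// IAM omits the PermissionsBoundary key when no boundary is attached.
const WITHOUT_BOUNDARY = JSON.stringify({ Role: {
  RoleName: ROLE,
  Arn: "arn:aws:iam::123456789012:role/" + ROLE,
} });

// ARN of the boundary policy attached to the role, or null if there is none.
function attachedBoundary(getRoleJson) {
  const role = JSON.parse(getRoleJson).Role;
  if (!role) throw new Error("not a get-role response: missing Role");
  const pb = role.PermissionsBoundary;
  return pb && pb.PermissionsBoundaryArn ? pb.PermissionsBoundaryArn : null;
}

// Policy name = last path segment of arn:aws:iam::<acct>:policy/<path>/<name>.
function policyName(arn) {
  const resource = arn.split(":").slice(5).join(":");
  if (!resource.startsWith("policy/")) throw new Error("not a policy ARN: " + arn);
  return resource.split("/").pop();
}

// expected: the name given to --custom-permissions-boundary on the last
// bootstrap, or null when the last bootstrap was run without the option.
function checkBoundary(getRoleJson, expected) {
  const arn = attachedBoundary(getRoleJson);
  const actual = arn === null ? null : policyName(arn);
  if (actual === expected) return { ok: true, actual, expected };
  const reason = expected === null ? "boundary still attached"
    : actual === null ? "boundary missing"
    : "different boundary attached";
  return { ok: false, actual, expected, reason };
}

// The state reported here: re-bootstrapped without the option, role unchanged.
console.log(checkBoundary(WITH_BOUNDARY, null));
```

Run it against the real `get-role` output after each bootstrap step to see whether the role changed, independent of what the CLI log says.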

Metadata

Labels: bug (This issue is a bug.), p1, package/tools (Related to AWS CDK Tools or CLI)
