From 5ef3be5b5da8653614c75613337429c2a85b86fb Mon Sep 17 00:00:00 2001
From: Parker Scanlon <69879391+scanlonp@users.noreply.github.com>
Date: Thu, 11 Jul 2024 17:47:01 -0700
Subject: [PATCH] chore: add condition to bootstrap file publish role (#30823)

Adds a condition to restrict s3 permissions on the file publish role.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---
 packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 6d4ec2323efbd..dace6e7977a4a 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -377,6 +377,10 @@ Resources:
           Resource:
             - Fn::Sub: "${StagingBucket.Arn}"
             - Fn::Sub: "${StagingBucket.Arn}/*"
+          Condition:
+            StringEquals:
+              aws:ResourceAccount:
+                - Fn::Sub: ${AWS::AccountId}
           Effect: Allow
         - Action:
           - kms:Decrypt
@@ -619,7 +623,7 @@ Resources:
         Type: String
         Name:
           Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-        Value: '20'
+        Value: '21'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack
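Review bot: The new `aws:ResourceAccount` value is written as an unquoted `Fn::Sub: ${AWS::AccountId}` while the neighbouring `Resource` entries quote their `Fn::Sub` strings; `- Ref: AWS::AccountId` (or the quoted form `- Fn::Sub: "${AWS::AccountId}"`) would be the more conventional and consistent way to express a plain account id. The condition also deserves a one-line comment stating its purpose, since the statement is already scoped to the staging bucket ARN and a reader may wonder what it adds: `# Defence in depth: only honour this grant while the bucket is owned by this account, so the role is not usable against a same-named bucket owned elsewhere`. The statement's `Action` list and the enclosing policy begin outside the hunk, so whether every S3 action it lists honours `aws:ResourceAccount` cannot be confirmed from here. The bootstrap version bump to `'21'` in the second hunk presumably has a matching expected-version constant elsewhere in the CLI; worth confirming it was updated in the same change.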