Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-cdk-lib/aws-iam.ServicePrincipal: No Longer Translating Endpoints for GovCloud #31905

Closed
1 task done
quantumew opened this issue Oct 25, 2024 · 2 comments
Closed
1 task done

aws-cdk-lib/aws-iam.ServicePrincipal: No Longer Translating Endpoints for GovCloud #31905

quantumew opened this issue Oct 25, 2024 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p1 potential-regression Marking this issue as a potential regression to be checked by team member response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@quantumew
Copy link
Contributor

Describe the bug

I have a service sitting on CDK 2.140.0, works fine, when using service principal to allow our StateMachine to assume a role we created, ServicePrincipal properly uses the URI that is correct for Gov Cloud: "states.us-gov-west-1.amazonaws.com". After upgrading CDK, it stops translating "states.amazonaws.com" to the correct URI. Is this intentional? Do we need to update our code? This was a handy feature, getting the correct URI from service principal for our region, wanted to make sure it wasn't remove unintentionally.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.140.0

Expected Behavior

ServicePrincipal translates input to the correct URI for states in gov cloud.

Current Behavior

ServicePrincipal uses the commercial cloud URI for states.

Reproduction Steps

Create a role

new Role(this, 'StepFunctionRole', {
  roleName: `some-test`,
  description: `Execution role for step function`,
  assumedBy: new ServicePrincipal('states.amazonaws.com')
})

This previously resulted in:

{
       Action: 'sts:AssumeRole',
       Effect: 'Allow',
       Principal: { Service: 'states.us-gov-west-1.amazonaws.com' }
}

Now it results in:

{
      Action: 'sts:AssumeRole',
      Effect: 'Allow',
      Principal: { Service: 'states.amazonaws.com' }
}

Possible Solution

I admittedly haven't cracked the code, so not sure on this one.

Additional Information/Context

No response

CDK CLI Version

2.140.0

Framework Version

No response

Node.js Version

18.20.4

OS

Same regardless of OS

Language

TypeScript

Language Version

4.8.3

Other information

No response
@quantumew quantumew added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2024
@github-actions github-actions bot added potential-regression Marking this issue as a potential regression to be checked by team member @aws-cdk/aws-iam Related to AWS Identity and Access Management labels Oct 25, 2024
@ashishdhingra
Copy link
Contributor

@quantumew Good morning. Thanks for reporting the issue. The change was perhaps introduced in commit where it removed the legacy behavior and always now uses new standardized behavior. Similar issue was reported in #31767. The workaround provided is to use iam.ServicePrincipal.fromStaticServicePrincipleName() (e.g. iam.ServicePrincipal.fromStaticServicePrincipleName('states.us-gov-west-1.amazonaws.com')) to mitigate the issue.

Please confirm:

  • If new standardized behavior Principal: { Service: 'states.amazonaws.com' } works for you?
  • If new standardized behavior doesn't work, could you please try using workaround iam.ServicePrincipal.fromStaticServicePrincipleName('states.us-gov-west-1.amazonaws.com') for your use case?

Thanks,
Ashish

@ashishdhingra ashishdhingra added p1 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2024
@github-actions GitHub Actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 27, 2024
This was referenced Oct 28, 2024
Closed
Closed
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Nov 1, 2024
@github-actions github-actions bot closed this as completed Nov 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p1 potential-regression Marking this issue as a potential regression to be checked by team member response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@quantumew @ashishdhingra