
Allow option to not inject region into iam.ServicePrincipal's Principal String

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository’s issues are intended for feature requests and bug reports.

  • I’m submitting a …

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior? If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

When using new iam.ServicePrincipal() - the CloudFormation that is output injects the region into the Principal and there is no option to disable this behavior.

```typescript
import * as iam from '@aws-cdk/aws-iam'; // CDK 0.35.x package name

// Create a service principal pointed at "codedeploy.amazonaws.com"
new iam.Role(this, 'IamRoleWithServicePrincipal', {
    assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
    managedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole',
        'arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS'],
    roleName: 'myrole'
});
```


```yaml
# This is what gets output from cdk synth - Note that `Ref: AWS::Region`
# gets included as part of the Service Principal
Resources:
  myroleD153DA9E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::Join:
                  - ""
                  - - codedeploy.
                    - Ref: AWS::Region
                    - "."
                    - Ref: AWS::URLSuffix
        Version: "2012-10-17"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
        - arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS
      RoleName: myrole
```

  • What is the expected behavior (or behavior of feature suggested)?

There should be an optional parameter to not inject the region into the principal in the properties passed into new iam.ServicePrincipal().

  • What is the motivation / use case for changing the behavior or adding this feature?

Sometimes the console ignores roles with this region set in specific scenarios (certain CodeDeploy stuff). It is also useful to give devs the option to have this flexibility.

  • Please tell us about your environment:

    • CDK CLI Version: 0.35.0
    • Module Version: 0.35.0
    • OS: OSX
    • Language: TypeScript
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. associated pull-request, stackoverflow, gitter, etc.)

This expands on the discussion here https://github.com/awslabs/aws-cdk/issues/2622
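A check a practitioner can run over the synthesized template to surface exactly this behaviour, added here as an example and not CDK's own code: it walks every `AWS::IAM::Role` trust policy, resolves the `Fn::Join`/`Ref` form shown above for a chosen region, and reports the global principal name (e.g. `codedeploy.amazonaws.com`) the trust would carry without the injected region. It assumes the template is read in the JSON form `cdk synth` writes to `cdk.out/<stack>.template.json`; the sample template is constructed to mirror the YAML in the issue.

```python
import json
import re

# Constructed sample: the JSON form cdk synth writes to cdk.out/<stack>.template.json,
# mirroring the YAML shown in the issue above.
SAMPLE_TEMPLATE = {"Resources": {"myroleD153DA9E": {
    "Type": "AWS::IAM::Role",
    "Properties": {"RoleName": "myrole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": {"Service": {"Fn::Join": ["", [
                           "codedeploy.", {"Ref": "AWS::Region"},
                           ".", {"Ref": "AWS::URLSuffix"}]]}}}]}}}}}

# A service principal with a region segment, e.g. codedeploy.us-east-1.amazonaws.com
REGIONAL_RE = re.compile(r"^([a-z0-9.-]+)\.([a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$")


def resolve(value, region="us-east-1", url_suffix="amazonaws.com"):
    """Resolve the Fn::Join / Ref forms CDK emits into a plain principal string."""
    if isinstance(value, str):
        return value
    if "Ref" in value:
        return {"AWS::Region": region, "AWS::URLSuffix": url_suffix}[value["Ref"]]
    sep, parts = value["Fn::Join"]
    return sep.join(resolve(p, region, url_suffix) for p in parts)


def is_region_scoped(value):
    """True when the principal carries a region, literal or injected via Ref."""
    if isinstance(value, str):
        return REGIONAL_RE.match(value) is not None
    return "AWS::Region" in json.dumps(value)


def find_regional_service_principals(template, region="us-east-1"):
    """(logical_id, principal resolved for `region`, global form) per region-scoped trust."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in doc.get("Statement", []):
            services = stmt.get("Principal", {}).get("Service", [])
            for svc in services if isinstance(services, list) else [services]:
                if is_region_scoped(svc):
                    resolved = resolve(svc, region)
                    m = REGIONAL_RE.match(resolved)
                    global_form = f"{m.group(1)}.amazonaws.com" if m else resolved
                    findings.append((logical_id, resolved, global_form))
    return findings
```

Run it over each `cdk.out/*.template.json` after `cdk synth`; a non-empty result lists the roles whose trust policy will only match the regional principal name.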

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
james-portman commented, Mar 15, 2021

Here is an example of why it’s an issue, if you don’t believe the two of us: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html. In this example AWS specify to use “delivery.logs.amazonaws.com” as the service principal, NOT something like “delivery.logs.eu-west-1.amazonaws.com” with the region in.

0 reactions
melnikalex commented, Aug 5, 2022

Would like to re-open this as well, or get any suggestions for workarounds.
