
@aws-cdk/aws-iam: ServicePrincipal generates an invalid principal in policy, MalformedPolicyDocument


What is the problem?

While creating a role with a principal, the default region (the region from the stack) or a specified region is used. That generates a regional principal endpoint, which, it looks like, is not the case for SSM and other services, I suppose. That makes the CloudFormation process fail, stating that it is an invalid IAM principal in the policy.

I’m opening this in @aws-cdk/aws-iam, where I found the issue, but maybe this is a CloudFormation issue or an incompatibility?

Reproduction Steps

const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
  roleName: 'my-role',
});

Generated CloudFormation:

{
  "MyRoleA6F33B68": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": {
                "Fn::Join": [
                  "",
                  [
                    "ssm.",
                    {
                      "Ref": "AWS::Region"
                    },
                    ".amazonaws.com"
                  ]
                ]
              }
            }
          }
        ],
        "Version": "2012-10-17"
      }
    }
  }
}

What did you expect to happen?

Successful deployment with cdk deploy

What actually happened?

cdk deploy
UPDATE_FAILED Invalid principal in policy: "SERVICE":"ssm.eu-west-1.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 5763050d-c789-49ef-b7d7-9e80a62f0e9e; Proxy: null)

CDK CLI Version

1.133.0

Framework Version

No response

Node.js Version

v14.15.4

OS

MacOs Monterey 12.0.1 (21A559)

Language

Typescript

Language Version

Typescript (4.5.2)

Other information

There is a workaround for that:

const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
  roleName: 'my-role',
});
const lambdaRoleAsCfn = lambdaRole.node.defaultChild as iam.CfnRole;
// Workaround: Invalid principal in policy: "SERVICE":"ssm.eu-west-1.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
// eslint-disable-next-line max-len
lambdaRoleAsCfn.addOverride('Properties.AssumeRolePolicyDocument.Statement.0.Principal.Service', 'ssm.amazonaws.com');

With this, the deployment works.
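An added example, not code from the issue or from the CDK project: it resolves the synthesized trust policy above the way CloudFormation would for a chosen region, lists the service principals IAM will actually see, flags the regional form that produced the MalformedPolicyDocument error, and applies the same override as the escape hatch to the plain document. The policy literal is a constructed copy of the generated template in the issue.

```typescript
// Added example: inspect the synthesized trust policy before `cdk deploy`.

// Constructed copy of the AssumeRolePolicyDocument from the issue's generated template.
const ASSUME_ROLE_DOC: any = {
  Statement: [{
    Action: "sts:AssumeRole",
    Effect: "Allow",
    Principal: { Service: { "Fn::Join": ["", ["ssm.", { Ref: "AWS::Region" }, ".amazonaws.com"]] } },
  }],
  Version: "2012-10-17",
};

// Resolve Fn::Join and Ref: AWS::Region (the only intrinsics in this document) for one region.
function resolve(node: any, region: string): any {
  if (Array.isArray(node)) return node.map((n) => resolve(n, region));
  if (node !== null && typeof node === "object") {
    if ("Fn::Join" in node) {
      const [sep, parts] = node["Fn::Join"];
      return (resolve(parts, region) as string[]).join(sep);
    }
    if (node.Ref === "AWS::Region") return region;
    const out: any = {};
    for (const k of Object.keys(node)) out[k] = resolve(node[k], region);
    return out;
  }
  return node;
}

// Every service principal the trust policy would present to IAM in the given region.
function servicePrincipals(doc: any, region: string): string[] {
  const out: string[] = [];
  for (const stmt of resolve(doc, region).Statement) {
    const svc = stmt.Principal && stmt.Principal.Service;
    if (svc === undefined) continue;
    out.push(...(Array.isArray(svc) ? svc : [svc]));
  }
  return out;
}

// Principals of the form <service>.<region>.amazonaws.com, the shape IAM rejected in the issue.
function regionalPrincipals(doc: any, region: string): string[] {
  return servicePrincipals(doc, region).filter((p) => p.endsWith(`.${region}.amazonaws.com`));
}

// Same effect as the issue's addOverride escape hatch, applied to the plain document.
function pinGlobalPrincipal(doc: any, statementIndex: number, service: string): any {
  const copy = JSON.parse(JSON.stringify(doc));
  copy.Statement[statementIndex].Principal.Service = service;
  return copy;
}
```

Run it over the output of `cdk synth` (the template's `AssumeRolePolicyDocument`) with the stack's region to see the exact principal string that will be sent to IAM.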

Top GitHub Comments

2 reactions
richard-olson commented, Nov 29, 2021

I couldn’t use the region-info override in Python either.

I could have been doing it totally wrong, but I couldn’t figure out how to create an object that implemented the IFACT protocol, so I created my own class (doco) and passed in an object from that class instead. This passed syntax checks but didn’t work.

In the end I used an escape hatch which looks ugly but works.

### This does work
cfn_role = role.node.default_child
cfn_role.add_property_override(
    "AssumeRolePolicyDocument.Statement.0.Principal.Service.1", "ssm.amazonaws.com"
)

### This didn't work
import jsii
from aws_cdk import aws_iam as iam, region_info


@jsii.implements(region_info.IFact)
class MyFact:
    def __init__(self, name, region, value):
        self.name = name
        self.region = region
        self.value = value


role = iam.Role(
    scope,
    "MyRole",
    assumed_by=iam.CompositePrincipal(
        iam.ServicePrincipal("ec2.amazonaws.com"),
        iam.ServicePrincipal("ssm.amazonaws.com"),
    ),
    <snip>
)

ssm_principal = MyFact(
    name=region_info.FactName.service_principal("ssm"),
    region="ap-southeast-2",
    value="ssm.amazonaws.com",
)

region_info.Fact.register(fact=ssm_principal, allow_replacing=True)
1 reaction
djessup commented, Dec 8, 2021

This worked for me:

import { Aws } from '@aws-cdk/core';
import * as regionInfo from '@aws-cdk/region-info';

regionInfo.Fact.register({
  region: Aws.REGION,
  name: regionInfo.FactName.servicePrincipal('ssm.amazonaws.com'),
  value: 'ssm.amazonaws.com',
});
