Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

incorrect IAM Service Principal for Lambda in China regions

See original GitHub issue

Hello,

The recent release includes support for IAM service principles for China regions. I did some tests using the CDK example repo. The Classic Load Balancer and Application Load Balancer examples worked without any issue. But when I tried custom-resource example, the deployment failed. Below is the error message:

Invalid principal in policy: “SERVICE”:“lambda.amazonaws.com.cn”

I found out that the correct IAM service principal for Lambda in China regions is ‘lambda.amazonaws.com’。

daf7d4f7304ee111e89c2dfa7ae01bbebcServiceRoleFE9ABB04) Invalid principal in policy: "SERVICE":"lambda.amazonaws.com.cn" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 4f413759-59fe-11e9-a3f0-1926a8616aab)
        new Role (/Users/sunhua/Documents/Projects/github.com/aws-samples/aws-cdk-examples/typescript/custom-resource/node_modules/@aws-cdk/aws-iam/lib/role.js:24:22)

Issue Analytics

State:
Created 4 years ago
Comments:13 (6 by maintainers)

Top GitHub Comments

3reactions

bnusunnycommented, Jul 31, 2019

@EthanGao-oss Good news! I managed to get the overriding working!

You can find the code in this gist.

I will send a PR to fix @aws-cdk/region-info package.

0reactions

EthanGao-osscommented, Aug 26, 2019

Great work👍. Already tried release v1.5.0, the service principal problem is gone.

Harold Sun notifications@github.com 于2019年8月25日周日上午10:54写道：

@EthanGao-oss https://github.com/EthanGao-oss IFact is a TypeScript interface. You can find it definition in TypeScript documents.

Interface is a structure that defines the contract in your application. It defines the syntax for classes to follow. Classes that are derived from an interface must follow the structure provided by their interface.

The TypeScript compiler does not convert interface to JavaScript. It uses interface for type checking. This is also known as “duck typing” or “structural subtyping”.

Anyway, this PR is included in release v1.5.0. You don’t need to override the IAM principal anymore. 😃

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/aws/aws-cdk/issues/2198?email_source=notifications&email_token=AMXM3XVWUHMWYYVJISVUX3TQGHX47A5CNFSM4HEJX4N2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5CLFPY#issuecomment-524595903, or mute the thread https://github.com/notifications/unsubscribe-auth/AMXM3XTS26S7EN5FQJYMHWLQGHX47ANCNFSM4HEJX4NQ .