
ssm: service principals are incorrect for all regions since `ap-east-1`


🐛 Bug Report

The Issue

iam.ServicePrincipal (https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/ServicePrincipal.html) offers a “region” parameter. Presumably this parameter is so you can say something like ssm.ap-us-east-1.amazonaws.com to be inclusive of regional-only service endpoints.

Such as the ones called out on this page: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html#systems-manager-inventory-resource-data-sync-AWS-Organizations

"Note

The Asia Pacific Region came online in April 25, 2019. If you create a resource data sync for an AWS Region that came online since the Asia Pacific (Hong Kong) Region (ap-east-1) or later, then you must enter a Region-specific service principal entry in the SSMBucketDelivery section. The following example includes a Region-specific service principal entry for ssm.ap-east-1.amazonaws.com."

However

Here is a snippet of CDK Python that results in some odd behavior:

from aws_cdk import Stack, aws_iam as iam, aws_kms as kms
from constructs import Construct


class SsmInventoryAthenaStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        kmsKey = kms.Key(self, "S3-KMSKey")

        # Three ways of naming the SSM service principal; the two that pass
        # region="ap-east-1" are expected to render ssm.ap-east-1.amazonaws.com
        kmsKey.add_to_resource_policy(
            statement=iam.PolicyStatement(
                sid="ssm-access-policy",
                effect=iam.Effect.ALLOW,
                actions=["kms:GenerateDataKey"],
                principals=[
                    iam.ServicePrincipal(service="ssm.amazonaws.com"),
                    iam.ServicePrincipal(service="ssm.amazonaws.com", region="ap-east-1"),
                    iam.ServicePrincipal(service="ssm", region="ap-east-1"),
                ],
                resources=[kmsKey.key_arn],
            )
        )

That snippet uses ServicePrincipal three different ways, two of which should result in regional endpoints, and yet none of them do.

That snippet spits out something that looks like…

Resources:
  S3KMSKey26947010:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action: kms:*
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - ":iam::"
                    - Ref: AWS::AccountId
                    - :root
            Resource: "*"
          - Action: kms:GenerateDataKey
            Effect: Allow
            Principal:
              Service:
                - ssm.amazonaws.com
                - ssm.amazonaws.com
                - ssm.amazonaws.com
            Resource:
              Fn::GetAtt:
                - S3KMSKey26947010
                - Arn
            Sid: ssm-access-policy
        Version: "2012-10-17"
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: SsmInventoryAthenaStack/S3-KMSKey/Resource

Notice that none of the Principal -> Service definitions have ‘ap-east-1’ in their URLs.

This might be related to these two issues, where CDK was exclusively crafting regional endpoints: https://github.com/aws/aws-cdk/issues/2622 and https://github.com/aws/aws-cdk/issues/2999

Environment

  • CDK CLI Version: 2.0.0-rc.17 (build fb5dc58)
  • Module Version: 2.0.0rc17 (I think, pulled from python’s Pipfile.lock for aws-cdk-libs)
  • Node.js Version: v14.17.1
  • OS: OSX
  • Language: Python

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

3 reactions
adhorn commented, Dec 2, 2021

Workaround:

import { aws_iam as iam } from 'aws-cdk-lib';

// Build the role normally, then patch the rendered principal list through the
// CfnRole escape hatch so the literal service names reach the template as-is.
const ssmaAsgRole = new iam.Role(this, 'ssma-asg-role', {
  assumedBy: new iam.CompositePrincipal(
    new iam.ServicePrincipal('iam.amazonaws.com'),
    new iam.ServicePrincipal('ssm.amazonaws.com'),
  ),
});
const ssmaAsgRoleAsCfn = ssmaAsgRole.node.defaultChild as iam.CfnRole;
ssmaAsgRoleAsCfn.addOverride(
  'Properties.AssumeRolePolicyDocument.Statement.0.Principal.Service',
  ['ssm.amazonaws.com', 'iam.amazonaws.com'],
);
2 reactions
rix0rrr commented, Dec 2, 2021

On further scouring of the docs, a CfnCondition combined with a Fn.if might do it. We would render something like:

Conditions:
  NoRegionNecessary:
    Fn::Or:
      - Fn::Equals: [{ Ref: 'AWS::Region' }, 'us-east-1']
      - Fn::Equals: [{ Ref: 'AWS::Region' }, 'us-east-2']
      - Fn::Equals: [{ Ref: 'AWS::Region' }, 'eu-west-1']
      ...

Resources:
  ...
  Principal:
    Service: { Fn::If: [NoRegionNecessary, 'ssm.amazonaws.com', 'ssm.$REGION.amazonaws.com'] }

It wouldn’t be pretty in the JSON, but who looks at that anyway eh? 😇
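The region-conditional principal sketched in the two comments above (a literal Service list pushed through an escape hatch, or a CfnCondition plus Fn::If), written out and checked in plain Python. This is an added example, not code from the issue, its commenters or the CDK project: it builds the CloudFormation JSON with dicts instead of CDK so it runs without aws-cdk-lib, and it resolves the intrinsics for a concrete region so both branches of the Fn::If can be asserted on. Assumptions: GLOBAL_PRINCIPAL_REGIONS holds only the three regions the comment names (the complete set has to come from the AWS Systems Manager docs), the regional name is spelled with Fn::Sub of ${AWS::Region} where the comment wrote $REGION, and resolve() is a deliberately small evaluator of just the intrinsics used here.

```python
import json

# Assumption: regions whose SSM principal is the global ssm.amazonaws.com.
# Only the three named in the thread are listed; the complete set must be
# taken from the AWS Systems Manager documentation before this is deployed.
GLOBAL_PRINCIPAL_REGIONS = ["us-east-1", "us-east-2", "eu-west-1"]

CONDITION_NAME = "NoRegionNecessary"
SERVICE = "ssm"


def _any_of(clauses):
    """Fn::Or over any number of clauses. Fn::Or takes 2 to 10 operands, so
    longer lists are nested in chunks of 10; one clause is returned as-is."""
    if len(clauses) == 1:
        return clauses[0]
    if len(clauses) <= 10:
        return {"Fn::Or": clauses}
    chunks = [clauses[i:i + 10] for i in range(0, len(clauses), 10)]
    return _any_of([_any_of(chunk) for chunk in chunks])


def region_condition(regions):
    """Condition that is true when AWS::Region needs the global principal."""
    if not regions:
        raise ValueError("at least one region is required")
    return _any_of([{"Fn::Equals": [{"Ref": "AWS::Region"}, r]} for r in regions])


def conditional_principal(service, condition_name=CONDITION_NAME):
    """Fn::If picking <svc>.amazonaws.com or <svc>.<region>.amazonaws.com."""
    regional = {"Fn::Sub": f"{service}.${{AWS::Region}}.amazonaws.com"}
    return {"Fn::If": [condition_name, f"{service}.amazonaws.com", regional]}


def key_policy_statement(service=SERVICE, condition_name=CONDITION_NAME):
    """The kms:GenerateDataKey statement from the issue with a conditional principal."""
    return {
        "Sid": "ssm-access-policy",
        "Effect": "Allow",
        "Principal": {"Service": conditional_principal(service, condition_name)},
        "Action": "kms:GenerateDataKey",
        "Resource": "*",  # in a key policy "*" means the key the policy is attached to
    }


def render_template(regions=GLOBAL_PRINCIPAL_REGIONS):
    """Template fragment: the condition plus a KMS key carrying the statement."""
    key_policy = {"Version": "2012-10-17", "Statement": [key_policy_statement()]}
    return {
        "Conditions": {CONDITION_NAME: region_condition(regions)},
        "Resources": {
            "S3KMSKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": key_policy}}
        },
    }


def resolve(node, region, conditions):
    """Evaluate only the intrinsics used above (Ref AWS::Region, Fn::Equals,
    Fn::Or, Fn::If, Fn::Sub of ${AWS::Region}) for one region. A simplified
    stand-in for what CloudFormation does at deploy time, not a general evaluator."""
    if isinstance(node, dict) and len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref" and arg == "AWS::Region":
            return region
        if key == "Fn::Equals":
            return resolve(arg[0], region, conditions) == resolve(arg[1], region, conditions)
        if key == "Fn::Or":
            return any(resolve(c, region, conditions) for c in arg)
        if key == "Fn::If":
            name, if_true, if_false = arg
            chosen = if_true if resolve(conditions[name], region, conditions) else if_false
            return resolve(chosen, region, conditions)
        if key == "Fn::Sub" and isinstance(arg, str):
            return arg.replace("${AWS::Region}", region)
    if isinstance(node, dict):
        return {k: resolve(v, region, conditions) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, region, conditions) for v in node]
    return node


def ssm_principal_for(region, regions=GLOBAL_PRINCIPAL_REGIONS):
    """Service principal the rendered statement resolves to in `region`."""
    template = render_template(regions)
    statement = template["Resources"]["S3KMSKey"]["Properties"]["KeyPolicy"]["Statement"][0]
    return resolve(statement, region, template["Conditions"])["Principal"]["Service"]


if __name__ == "__main__":
    print(json.dumps(render_template(), indent=2))
    for r in ("us-east-1", "ap-east-1"):
        print(r, "->", ssm_principal_for(r))
```

Any region missing from GLOBAL_PRINCIPAL_REGIONS resolves to the regional name, so the list is the thing to get right: a region left out of it silently gets ssm.<region>.amazonaws.com, which is the safer direction to err in for post-ap-east-1 regions but wrong for the older ones. The chunking in _any_of is there because Fn::Or refuses more than ten operands, and a full list of pre-ap-east-1 regions is longer than that.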
