aws-iam: service principal name mismatch in CN partition #31767
Comments
actually - based on this - should I be moving to use
@jy19 , thanks for reaching out. Parsing through the recent CDK changes, it seems that this change- I am not able to repro this due to access rights but sure, please give it a try and see if that works.
i changed the call pattern to:
but unfortunately still see the same issue
Internal Ticket reference- V1549524507
Irrespective of the observed failure, the service principal appears to be documented as https://docs.amazonaws.cn/en_us/emr/latest/ManagementGuide/emr-iam-role.html
Thanks @jy19 for raising this issue. Unfortunately, I am not able to reproduce this issue. This is the sample application I am using to reproduce this issue:
and this is the CFN template for the generated service role:
The stack created successfully, and the EMR cluster started, created EC2 instances, and then terminated successfully. Could you please retry the deployment from your side, and if it is still failing, please share the code of your CDK app so we can replicate the issue.
### Issue # (if applicable)

Closes #31767

### Reason for this change

To add a function that allows customers to create a ServicePrinciple construct using a custom name, as an escape hatch if some service is using a principal name that does not follow the IAM recommended pattern, which is `<service>.amazonaws.com`.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https:/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https:/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see.
Describe the bug

Hey folks, we have a CDK stack that currently creates an IAM role that does this:

    assumedBy: new ServicePrincipal("elasticmapreduce.amazonaws.com"),

(this uses iam.ServicePrincipal). When we upgrade our CDK version, infrastructure that uses this role starts failing to create EMR clusters in the CN partition, because we noticed that the role changes from elasticmapreduce.amazonaws.com.cn to elasticmapreduce.amazonaws.com. This seems related to this CDK change that removes "deprecated SP mappings". I am trying to work around this by creating a temporary mapping for EMR, so I explicitly specify the endpoint like so:

    assumedBy: new ServicePrincipal("elasticmapreduce.amazonaws.com.cn"),

but when I run cdk diff against my CN stack I see this:

Why does it ignore the name? I see in the cdk file it says the format should still be supported.

Regression Issue

Last Known Working CDK Version

The CDK version in our CN regions is ~2.130.0; we are trying to upgrade to ~2.150.0.

Expected Behavior

I expected that specifying elasticmapreduce.amazonaws.com.cn on ServicePrincipal would put that same string into the created IAM role.

Current Behavior

Specifying elasticmapreduce.amazonaws.com.cn on ServicePrincipal gets translated to elasticmapreduce.amazonaws.com in the IAM role.

Reproduction Steps

Create an IAM role with a trust relationship to service principal elasticmapreduce.amazonaws.com.cn in a CN region.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.158.0

Framework Version

No response

Node.js Version

^20.11.22

OS

amazon linux

Language

TypeScript

Language Version

^5.3.3

Other information

No response
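The mismatch this report describes (a trust policy that ends up naming elasticmapreduce.amazonaws.com in a deployment where the documented CN principal is elasticmapreduce.amazonaws.com.cn) can be caught before deployment by inspecting the synthesized CloudFormation template. The TypeScript below is an added example, not code from the issue, the commenters or the aws-cdk project: it scans a template's IAM roles for a trusted service principal whose domain suffix does not match the target partition. The partition-to-suffix table, the sample template and the function names are assumptions constructed for this example; the CN suffix itself is the one the issue reports.

```typescript
// Added example (not from the issue or aws-cdk): a post-synth check that an
// AWS::IAM::Role trusts the partition-correct form of a service principal.

type PolicyStatement = {
  Effect: string;
  Action: string | string[];
  Principal?: { Service?: string | string[] };
};

type RoleResource = {
  Type: string;
  Properties: { AssumeRolePolicyDocument: { Statement: PolicyStatement[] } };
};

type Template = { Resources: Record<string, RoleResource> };

// Assumed partition-to-suffix table; the CN suffix is the one the issue reports.
const PARTITION_SUFFIX: Record<string, string> = {
  "aws": "amazonaws.com",
  "aws-cn": "amazonaws.com.cn",
};

// The principal string a service should carry in a given partition.
function expectedServicePrincipal(service: string, partition: string): string {
  const suffix = PARTITION_SUFFIX[partition];
  if (suffix === undefined) {
    throw new Error(`unknown partition: ${partition}`);
  }
  return `${service}.${suffix}`;
}

// Every Service principal that an Allow statement in the role's trust policy names.
function trustedServices(role: RoleResource): string[] {
  const out: string[] = [];
  for (const stmt of role.Properties.AssumeRolePolicyDocument.Statement) {
    if (stmt.Effect !== "Allow") continue;
    const svc = stmt.Principal?.Service;
    if (svc === undefined) continue;
    out.push(...(Array.isArray(svc) ? svc : [svc]));
  }
  return out;
}

// Logical IDs of roles that trust `service` under a suffix other than the one
// expected for `partition` (e.g. ".amazonaws.com" in an aws-cn deployment).
function findPartitionMismatches(template: Template, service: string, partition: string): string[] {
  const expected = expectedServicePrincipal(service, partition);
  const mismatches: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::IAM::Role") continue;
    const wrong = trustedServices(res).some(
      (s) => s.startsWith(`${service}.`) && s !== expected,
    );
    if (wrong) mismatches.push(logicalId);
  }
  return mismatches;
}

// Constructed sample template: the first role shows the shape the issue describes
// (the global suffix in a CN stack); the second carries the CN suffix.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    EmrServiceRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Effect: "Allow",
            Action: "sts:AssumeRole",
            Principal: { Service: "elasticmapreduce.amazonaws.com" },
          }],
        },
      },
    },
    EmrServiceRoleCn: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Effect: "Allow",
            Action: "sts:AssumeRole",
            Principal: { Service: ["elasticmapreduce.amazonaws.com.cn"] },
          }],
        },
      },
    },
  },
};

// Usage: load the template from `cdk synth` output and report offending roles.
console.log(findPartitionMismatches(SAMPLE_TEMPLATE, "elasticmapreduce", "aws-cn"));
```

Running the check against a template written for the aws-cn partition flags EmrServiceRole, which is exactly the role this report says the framework produced; the same check with partition "aws" flags EmrServiceRoleCn instead, so the function can be wired into a pipeline step keyed on the deployment's partition.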