
route53: CrossAccountZoneDelegationRecord broken in opt-in regions #23081

Closed

rix0rrr opened this issue Nov 25, 2022 · 1 comment · Fixed by #23082

Labels: @aws-cdk/aws-route53 (Related to Amazon Route 53), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1

Comments

@rix0rrr
Contributor

rix0rrr commented Nov 25, 2022

Describe the bug

The changes introduced in #22370 (in response to #22022) seem to have broken some internal Amazon customers.

  • The STS AssumeRole call now fails because the target account is not opted in to the region.

It seems Route53 is a global (partitional) service so there is only one endpoint.

Original motivation for the change

The original motivation for the change seems to have been:

> In our case, this was due to our use of a global service principal in the delegation role's trust policy, and opt-in accounts are not visible in such a service principal. One possible workaround is to add either regional service principals or opt-in account IDs directly to the trust policy, but this is not desirable as it requires updating the delegation role for each new opt-in region.

The response to this was to change the endpoints to regional, but that may have been a premature fix.

The original reporter was an AWS employee, capable of creating their own Service Principals, and they were using Service Principals in the trust policy. External customers would be using an Organization ID or Account number here.

We need to revert this.

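The issue turns on two things: what principal sits in the delegation role's trust policy (external customers use an account ID or an Organization ID, not a service principal) and whether the AssumeRole call goes to the global or a regional STS endpoint. The block below is an added example and not code from the aws-cdk project: it builds the two customer-usable trust-policy shapes, runs a small lint that flags a service principal or an unconditioned wildcard principal in such a role, and models the endpoint choice the `@aws-cdk/aws-route53:useRegionalStsEndpoint` context key controls (global by default, regional only when set). The helper names, the account and organization IDs, the `example.amazonaws.com` service principal and the region values are constructed for illustration.

```typescript
// Added example, not aws-cdk code: models the trust policy a customer puts on
// the Route 53 delegation role, a lint over that policy, and the STS endpoint
// choice the `@aws-cdk/aws-route53:useRegionalStsEndpoint` context key controls.
// Account id, organization id, service principal and region values are constructed samples.

type Principal = { AWS?: string | string[]; Service?: string | string[] };

interface Statement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Trust policy that lets one delegated (child) account assume the delegation role.
function accountTrustPolicy(childAccountId: string, partition = "aws"): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:${partition}:iam::${childAccountId}:root` },
      Action: "sts:AssumeRole",
    }],
  };
}

// Trust policy scoped to every account of one AWS Organization via aws:PrincipalOrgID.
function organizationTrustPolicy(orgId: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: "*" },
      Action: "sts:AssumeRole",
      Condition: { StringEquals: { "aws:PrincipalOrgID": orgId } },
    }],
  };
}

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Flags the two trust-policy shapes that go wrong for a customer-owned delegation role:
// a service principal (only usable by the AWS service team that owns that principal)
// and a wildcard AWS principal without an organization condition.
function lintDelegationTrustPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return;
    for (const svc of asList(st.Principal.Service)) {
      findings.push(`statement ${i}: service principal ${svc}; customers need an account or organization principal`);
    }
    const orgCond = st.Condition?.StringEquals?.["aws:PrincipalOrgID"];
    if (asList(st.Principal.AWS).includes("*") && orgCond === undefined) {
      findings.push(`statement ${i}: Principal "AWS":"*" without aws:PrincipalOrgID lets any account attempt sts:AssumeRole`);
    }
  });
  return findings;
}

// Endpoint selection as the revert describes it: global STS by default, regional
// only when the context key is true. Assumption: commercial partition only; other
// partitions use different endpoint suffixes and are not modelled here.
function stsEndpoint(region: string, context: Record<string, unknown> = {}): string {
  const useRegional = context["@aws-cdk/aws-route53:useRegionalStsEndpoint"] === true;
  return useRegional ? `https://sts.${region}.amazonaws.com` : "https://sts.amazonaws.com";
}

// Usage: print the account-scoped trust policy, then lint a policy that uses a
// service principal, the shape that does not work for external customers.
console.log(JSON.stringify(accountTrustPolicy("111111111111"), null, 2));
console.log(lintDelegationTrustPolicy({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "example.amazonaws.com" }, Action: "sts:AssumeRole" }],
}));
```

The lint is deliberately narrow: it only reports the two shapes this issue is about. The endpoint function is the decision the context key makes, kept separate from any SDK call so it can be unit-tested without credentials.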
@rix0rrr rix0rrr added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2022
@github-actions github-actions bot added the @aws-cdk/aws-route53 Related to Amazon Route 53 label Nov 25, 2022
rix0rrr added a commit that referenced this issue Nov 25, 2022
This is a revert of #22370. The fix proposed there solved one very
specific (but rare) use case, in exchange for breaking common use cases.

- *It fixed the case of*: AWS service authors using their own global
  service principal in the delegation role, with both source and target
  account opted into the region.
- *It broke the case of*: all teams that didn't have both accounts opted
  into the region.

The second case is much more common, so revert to the old behavior.

Since the regional behavior might still be useful to *some* people
somewhere, it has been relegated to a context key,
`@aws-cdk/aws-route53:useRegionalStsEndpoint`, instead. It can be
configured, but is not advertised as 99.9% of users will not need
this behavior.

Since both STS and Route53 are global and regular customers cannot
usefully use Service Principals in this particular trust policy anyway,
there is no impact to regular customers.

Fixes #23081.
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 26, 2022
@mergify mergify bot closed this as completed in #23082 Nov 28, 2022
mergify bot pushed a commit that referenced this issue Nov 28, 2022
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Dec 9, 2022
brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Jan 20, 2023
brennanho pushed a commit to brennanho/aws-cdk that referenced this issue Feb 22, 2023