iam.ServicePrincipal injects region into Principal string

[KingOfPoptart]

Describe the bug
When using new iam.ServicePrincipal() - the CloudFormation that is output injects the region into the Principal and there doesn't seem to be an option to disable this behavior.

To Reproduce

# Create a service principal, point it to "codedeploy.amazonaws.com"
new iam.Role(this, 'IamRoleWithServicePrincipal', {
    assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
    managedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole',
        'arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS'],
    roleName: 'myrole'
});

# This is what gets output from cdk synth - Note that `Ref: AWS::Region` 
# gets included as part of the Service Principal
Resources:
  myroleD153DA9E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::Join:
                  - ""
                  - - codedeploy.
                    - Ref: AWS::Region
                    - "."
                    - Ref: AWS::URLSuffix
        Version: "2012-10-17"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
        - arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS
      RoleName: myrole

Expected behavior
The default should be to not inject the region into the principal in the properties passed into new iam.ServicePrincipal(). An option to add that in might be useful for some cases, but I don't think it should be the default.

Version:

• OS: OSX
• Programming Language: Typescript
• CDK Version: 0.31.0

[rix0rrr]

What region or what workflow is this breaking for you?

[KingOfPoptart]

This was breaking setting up codedeploy in the console - i couldn't set the role created in CDK as the instance profile role in the console since it didn't expect it to be regionalized

[RomainMuller]

But are you able to use the role properly, say when you're deploying everything via CloudFormation?

I'm wondering if this is a console issue instead of a CDK issue :)

[KingOfPoptart]

Yeah but not having the flexibility to determine if the region gets injected is at minimum a gap in features

…

On Thu, Jun 20, 2019, 8:18 AM Romain Marcadier-Muller < ***@***.***> wrote: But are you able to use the role properly, say when you're deploying everything via CloudFormation? I'm wondering if this is a console issue instead of a CDK issue :) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2622>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABMOQZB2WNH3534AZJNHZ4LP3ONURANCNFSM4HPIRGVA> .

[RomainMuller]

@KingOfPoptart - I'm not sure I agree here. One of our tenets is to issue least-privilege permissions only, and tightening the role down to the region where it's supposed to operate seems to be the right thing to do here.

If you have a concrete use-case where you need to grant the "region-global" principal permissions here... Then that'd be a feature request, not a bug.

[KingOfPoptart]

Sure - I'm happy to switch this to a feature request instead. By default, I agree, it should be locked down. But having the option to open it up is also valid.

[KingOfPoptart]

Opened #2999

Going to close this issue.