docs(ec2): update aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals
#29512
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ncipal in VPCEService `allowedPrincipals` `VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`.
github-actions
bot
added
beginning-contributor
aws-cdk-automation
previously requested changes
Mar 15, 2024
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
7e11
changed the title
aws-ec2 README to include workaround for using a service pri…aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals (#29478)
7e11
changed the title
aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals (#29478)aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
lpizzinidev
suggested changes
Mar 16, 2024
There was a problem hiding this comment.
Thanks 👍
Can you please add test coverage for this scenario for both unit and integration tests?
Comment on lines
1055
to
1056
| To include a service principal in the `allowedPrincipals`, there is a workaround where you can use a service principal string as input to the `ArnPrincipal` type. The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list. | ||
| ```ts |
There was a problem hiding this comment.
Suggested change
| To include a service principal in the `allowedPrincipals`, there is a workaround where you can use a service principal string as input to the `ArnPrincipal` type. The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list. | |
| ```ts | |
| You can also include a service principal in the `allowedPrincipals` property by specifying it as a parameter to the `ArnPrincipal` constructor. | |
| The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list. | |
| ```ts |
There was a problem hiding this comment.
I'll make this change in the revision that includes the tests.
aws-cdk-automation
removed
the
pr/needs-community-review
|
Will do |
GavinZZ
reviewed
Mar 18, 2024
aws-cdk-automation
added
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
@Mergifyio update |
❌ Mergify doesn't have permission to updateFor security reasons, Mergify can't update this pull request. Try updating locally. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-maintainer-review
paulhcsun
approved these changes
Mar 21, 2024
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
jun1-t
pushed a commit
to jun1-t/aws-cdk
that referenced
this pull request
Mar 23, 2024
…service principal in VPCEService `allowedPrincipals` (aws#29512) `VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`. ### Issue aws#29478 Closes aws#29478 ### Reason for this change `VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type `ServicePrincipal` in `allowedPrincipals` in CDK. This is a feature gap. I brought this up in aws#29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation. ### Description of changes Documentation update for the `aws-ec2` module which includes a workaround for including service principals in the `allowedPrincipals`. ### Description of how you validated changes N/A - minor documentation changes only ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
ahammond
pushed a commit
to ahammond/aws-cdk
that referenced
this pull request
Mar 26, 2024
…service principal in VPCEService `allowedPrincipals` (aws#29512) `VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`. ### Issue aws#29478 Closes aws#29478 ### Reason for this change `VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type `ServicePrincipal` in `allowedPrincipals` in CDK. This is a feature gap. I brought this up in aws#29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation. ### Description of changes Documentation update for the `aws-ec2` module which includes a workaround for including service principals in the `allowedPrincipals`. ### Description of how you validated changes N/A - minor documentation changes only ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
VpcEndpointServicehas the memberallowedPrincipalswhich is of typeArnPrincipal[]. However,ServicePrincipalis also valid and works in the AWS console. This documentation update includes a workaround for including service principals in theallowedPrincipals.Issue #29478
Closes #29478
Reason for this change
VpcEndpointServicehas the memberallowedPrincipalswhich is of typeArnPrincipal[]. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the typeServicePrincipalinallowedPrincipalsin CDK. This is a feature gap.I brought this up in #29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation.
Description of changes
Documentation update for the
aws-ec2module which includes a workaround for including service principals in theallowedPrincipals.Description of how you validated changes
N/A - minor documentation changes only
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license