
Support different service principals in China, GovCloud et. al. #1282

Closed
bnusunny opened this Issue Dec 4, 2018 · 3 comments
4 participants
bnusunny commented Dec 4, 2018

I got the following error message while creating an ASG in the China Ningxia region. The EC2 service principal in China regions should be 'ec2.amazonaws.com.cn'.

  1/39 | 21:43:18 | CREATE_FAILED        | AWS::IAM::Role                        | onebox-asg/InstanceRole (oneboxasgInstanceRole26288590) Invalid principal in policy: "SERVICE":"ec2.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 8e9d0693-f7ca-11e8-9731-3bb893a602f3)
        new Role (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/node_modules/@aws-cdk/aws-iam/lib/role.js:21:22)
        \_ new AutoScalingGroup (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/node_modules/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.js:45:21)
        \_ new OneBoxStack (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/bin/infrastructure.js:33:21)
        \_ Object.<anonymous> (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/bin/infrastructure.js:51:1)
        \_ Module._compile (module.js:652:30)
        \_ Object.Module._extensions..js (module.js:663:10)
        \_ Module.load (module.js:565:32)
        \_ tryModuleLoad (module.js:505:12)
        \_ Function.Module._load (module.js:497:3)
        \_ Function.Module.runMain (module.js:693:10)
        \_ startup (bootstrap_node.js:188:16)
        \_ bootstrap_node.js:609:3
rix0rrr commented Dec 5, 2018

I've done some research into this, and there are interesting findings.

Services with a constant service principal:

  • sns.amazonaws.com
  • sqs.amazonaws.com

Services with a region-dependent service principal:

  • states.REGION.amazonaws.com

Services with a suffixed service principal:

  • lambda.amazonaws.com[.cn]
  • autoscaling.amazonaws.com[.cn]
  • application-autoscaling.amazonaws.com[.cn]
  • ec2.amazonaws.com[.cn]
  • events.amazonaws.com[.cn]

Services with region AND suffix:

  • logs.REGION.amazonaws.com[.cn]

Services that don't follow a substitution pattern:

  • codedeploy.amazonaws.com -> codedeploy.cn-north-1.amazonaws.com.cn

Our ECR image ID URL generator is also wrong, should be:

${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/REPO

We're going to have to use a lookup table somewhere in the core or IAM libraries.

@rix0rrr changed the title from "EC2 Service Principle is not correct in China regions" to "Support different service principals in China, GovCloud et. al." Dec 5, 2018

@rix0rrr rix0rrr added the gap label Jan 4, 2019

@fulghum fulghum added large medium and removed large labels Jan 7, 2019

@rix0rrr rix0rrr referenced this issue Jan 15, 2019

Merged

feat(s3): export bucket websiteURL (#1521) #1544

3 of 3 tasks complete
rix0rrr commented Jan 15, 2019

Something else that depends on the region, the S3 bucket website URL has a different format depending on the region:

const suffix = cdk.Stack.find(this).urlSuffix;
const region = cdk.Stack.find(this).region;
// Website endpoint host per region: some regions use a dash, others a dot.
const regionToSuffix: { [region: string]: string } = {
  'eu-west-1': `s3-website-eu-west-1.${suffix}`,
  // ...
  'us-west-1': `s3-website.us-west-1.${suffix}`,
  // ...
};

return `${this.bucketName}.${regionToSuffix[region]}`;

See https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html

RomainMuller commented Feb 19, 2019

For the case of codedeploy.amazonaws.com, it appears that you can use codedeploy.amazonaws.com to mean "all supported endpoints [in partition]", or you can use codedeploy.<region>.amazonaws.com to mean "a specific endpoint".
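The lookup-table approach sketched in rix0rrr's two comments and refined by RomainMuller's note on codedeploy, written out as an added example. This is not aws-cdk code: the partition detection (`cn-` prefix means the `amazonaws.com.cn` suffix), the `PrincipalPattern` shapes, and every function name are assumptions of this example; the principal patterns, the ECR URI format, and the two S3 website endpoint shapes are the ones quoted in the thread, and codedeploy is modelled after the page's `codedeploy.cn-north-1.amazonaws.com.cn` example. Services and regions the thread does not list are deliberately absent, and the functions throw for them rather than guessing a principal IAM might reject with `MalformedPolicyDocument`.

```typescript
// Added example (not aws-cdk code): a small region-info lookup built from the
// patterns discussed in the thread. Everything marked ASSUMED is this example's own.

type Partition = 'aws' | 'aws-cn';

// ASSUMED: a region is in the China partition exactly when its name starts with "cn-".
function partitionOf(region: string): Partition {
  return region.startsWith('cn-') ? 'aws-cn' : 'aws';
}

// Only the China partition changes the DNS suffix; everything else keeps amazonaws.com.
function urlSuffix(region: string): string {
  return partitionOf(region) === 'aws-cn' ? 'amazonaws.com.cn' : 'amazonaws.com';
}

// The four shapes a service principal can take, straight from rix0rrr's list.
type PrincipalPattern =
  | { kind: 'constant'; value: string }           // sns.amazonaws.com
  | { kind: 'regional'; prefix: string }          // states.REGION.amazonaws.com
  | { kind: 'suffixed'; prefix: string }          // ec2.amazonaws.com[.cn]
  | { kind: 'regionalSuffixed'; prefix: string }; // logs.REGION.amazonaws.com[.cn]

const PRINCIPAL_PATTERNS: Record<string, PrincipalPattern> = {
  sns: { kind: 'constant', value: 'sns.amazonaws.com' },
  sqs: { kind: 'constant', value: 'sqs.amazonaws.com' },
  states: { kind: 'regional', prefix: 'states' },
  lambda: { kind: 'suffixed', prefix: 'lambda' },
  autoscaling: { kind: 'suffixed', prefix: 'autoscaling' },
  'application-autoscaling': { kind: 'suffixed', prefix: 'application-autoscaling' },
  ec2: { kind: 'suffixed', prefix: 'ec2' },
  events: { kind: 'suffixed', prefix: 'events' },
  logs: { kind: 'regionalSuffixed', prefix: 'logs' },
  // Modelled after the thread's example codedeploy.cn-north-1.amazonaws.com.cn.
  codedeploy: { kind: 'regionalSuffixed', prefix: 'codedeploy' },
};

// Resolve the principal for a service in a region. Unknown services are an error:
// emitting a guessed principal is exactly what produced the issue's CREATE_FAILED.
function servicePrincipal(service: string, region: string): string {
  const pattern = PRINCIPAL_PATTERNS[service];
  if (pattern === undefined) {
    throw new Error(`no service principal pattern known for ${service}`);
  }
  const suffix = urlSuffix(region);
  switch (pattern.kind) {
    case 'constant': return pattern.value;
    case 'regional': return `${pattern.prefix}.${region}.amazonaws.com`;
    case 'suffixed': return `${pattern.prefix}.${suffix}`;
    case 'regionalSuffixed': return `${pattern.prefix}.${region}.${suffix}`;
    default: throw new Error('unreachable: unhandled principal pattern');
  }
}

// ECR repository URI in the form rix0rrr gives: ACCOUNT.dkr.ecr.REGION.SUFFIX/REPO
function ecrRepositoryUri(accountId: string, region: string, repo: string): string {
  return `${accountId}.dkr.ecr.${region}.${urlSuffix(region)}/${repo}`;
}

// S3 static-website endpoint host. Only the two shapes quoted in the thread are
// encoded; the table is intentionally incomplete and throws for other regions.
const S3_WEBSITE_ENDPOINT: Record<string, (suffix: string) => string> = {
  'eu-west-1': (s) => `s3-website-eu-west-1.${s}`,
  'us-west-1': (s) => `s3-website.us-west-1.${s}`,
};

function bucketWebsiteHost(bucketName: string, region: string): string {
  const endpoint = S3_WEBSITE_ENDPOINT[region];
  if (endpoint === undefined) {
    throw new Error(`no S3 website endpoint known for ${region}`);
  }
  return `${bucketName}.${endpoint(urlSuffix(region))}`;
}

// The trust policy an EC2 instance role needs; this is the document whose
// Principal.Service IAM rejected in the original report.
function ec2AssumeRolePolicy(region: string): { Version: string; Statement: object[] } {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: servicePrincipal('ec2', region) },
      Action: 'sts:AssumeRole',
    }],
  };
}
```

The failing case from the report becomes `ec2AssumeRolePolicy('cn-northwest-1')`, whose principal is `ec2.amazonaws.com.cn`; the same call for `us-east-1` yields `ec2.amazonaws.com`. Keeping the table explicit and failing closed on unknown entries is the design choice worth copying: a wrong principal is caught at synthesis time by the throw instead of at deploy time by a `MalformedPolicyDocument` rollback.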

RomainMuller added a commit that referenced this issue Mar 13, 2019

feat(region-info): Model region-specific information (#1839)
Information such as:
- is the AWS::CDK::Metadata resource supported in region?
- what is the S3 static website endpoint?
- how are service principals named?

Fixes #1282