Support different service principals in China, GovCloud et al. #1282
I got the following error message while creating an ASG in the China (Ningxia) region. The EC2 service principal in China regions should be 'ec2.amazonaws.com.cn'.
1/39 | 21:43:18 | CREATE_FAILED | AWS::IAM::Role | onebox-asg/InstanceRole (oneboxasgInstanceRole26288590) Invalid principal in policy: "SERVICE":"ec2.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 8e9d0693-f7ca-11e8-9731-3bb893a602f3)
    new Role (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/node_modules/@aws-cdk/aws-iam/lib/role.js:21:22)
    \_ new AutoScalingGroup (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/node_modules/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.js:45:21)
    \_ new OneBoxStack (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/bin/infrastructure.js:33:21)
    \_ Object.<anonymous> (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/bin/infrastructure.js:51:1)
    \_ Module._compile (module.js:652:30)
    \_ Object.Module._extensions..js (module.js:663:10)
    \_ Module.load (module.js:565:32)
    \_ tryModuleLoad (module.js:505:12)
    \_ Function.Module._load (module.js:497:3)
    \_ Function.Module.runMain (module.js:693:10)
    \_ startup (bootstrap_node.js:188:16)
    \_ bootstrap_node.js:609:3
I've done some research into this, and there are some interesting findings.
Services with a constant service principal:
Services with a region-dependent service principal:
Services with a suffixed service principal:
Services with region AND suffix:
Services that don't follow a substitution pattern:
Our ECR image ID URL generator is also wrong; it should be:
We're going to have to use a lookup table somewhere in the core or IAM libraries.
Something else that depends on the region: the S3 bucket website URL has a different format depending on the region:
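The lookup-table approach suggested in the comment above, as an added example that is not aws-cdk's own code and not part of this thread. It resolves the three region-dependent names the comment raises (service principal, ECR registry hostname, S3 website endpoint) from one partition-suffix helper, and shows the trust-policy document that failed in the original report built with the corrected principal. The only fact taken from the issue is that EC2's principal in China is `ec2.amazonaws.com.cn`; which pattern each other service follows (`states`, `codedeploy`, `logs`), the set of regions using the dash form of the S3 website endpoint, and the function names are assumptions to be checked against the IAM and S3 documentation before use. The account ID and bucket names in the demo are constructed.

```typescript
// Added example, not aws-cdk's own code. A lookup-table resolver for the
// region- and partition-dependent names discussed in this issue. The only
// fact taken from the thread is that EC2's principal in China is
// ec2.amazonaws.com.cn; every other table entry below is an ASSUMPTION
// about partition conventions and must be verified against AWS docs.

type PrincipalPattern = 'constant' | 'region' | 'suffix' | 'region+suffix';

// DNS suffix of the partition a region belongs to (aws-cn vs. everything else).
function urlSuffixFor(region: string): string {
  if (region.startsWith('cn-')) return 'amazonaws.com.cn'; // aws-cn
  return 'amazonaws.com';                                  // aws, aws-us-gov
}

// ASSUMED pattern table. Services not listed are treated as 'constant'.
const PRINCIPAL_PATTERNS: { [service: string]: PrincipalPattern } = {
  ec2: 'suffix',               // ec2.amazonaws.com.cn in China (from the issue)
  states: 'region',            // states.<region>.amazonaws.com
  codedeploy: 'region+suffix', // codedeploy.<region>.<suffix>
  logs: 'region+suffix',       // logs.<region>.<suffix>
};

// Accepts a short service name ('ec2') or a global principal
// ('ec2.amazonaws.com') and returns the principal that is valid in `region`.
function servicePrincipal(service: string, region: string): string {
  const m = /^([^.]+)(?:\.amazonaws\.com(?:\.cn)?)?$/.exec(service);
  if (!m) throw new Error(`unrecognised service principal: ${service}`);
  const name = m[1];
  const suffix = urlSuffixFor(region);
  const pattern: PrincipalPattern = PRINCIPAL_PATTERNS[name] || 'constant';
  switch (pattern) {
    case 'constant':      return `${name}.amazonaws.com`;
    case 'region':        return `${name}.${region}.amazonaws.com`;
    case 'suffix':        return `${name}.${suffix}`;
    case 'region+suffix': return `${name}.${region}.${suffix}`;
    default:              throw new Error(`unknown pattern: ${pattern}`);
  }
}

// ECR registry hostname: the partition suffix, not a hard-coded amazonaws.com.
function ecrRepositoryUri(account: string, region: string, repo: string): string {
  return `${account}.dkr.ecr.${region}.${urlSuffixFor(region)}/${repo}`;
}

// ASSUMED: older regions put a dash between "s3-website" and the region,
// newer regions (and China) put a dot.
const S3_WEBSITE_DASH_REGIONS = new Set([
  'us-east-1', 'us-west-1', 'us-west-2', 'ap-southeast-1', 'ap-southeast-2',
  'ap-northeast-1', 'eu-west-1', 'sa-east-1', 'us-gov-west-1',
]);

function s3WebsiteEndpoint(bucket: string, region: string): string {
  const host = S3_WEBSITE_DASH_REGIONS.has(region)
    ? `s3-website-${region}`
    : `s3-website.${region}`;
  return `${bucket}.${host}.${urlSuffixFor(region)}`;
}

// The trust policy that failed in the original report, built with the
// region-aware principal so IAM in the target partition accepts it.
function assumeRolePolicyDocument(service: string, region: string) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: servicePrincipal(service, region) },
      Action: 'sts:AssumeRole',
    }],
  };
}

// Stand-alone demo with constructed inputs (Ningxia region, fake account ID).
console.log(JSON.stringify(assumeRolePolicyDocument('ec2.amazonaws.com', 'cn-northwest-1')));
console.log(ecrRepositoryUri('123456789012', 'cn-northwest-1', 'onebox'));
console.log(s3WebsiteEndpoint('onebox-site', 'cn-north-1'));
```

Keying the table on the short service name (after normalising a global `*.amazonaws.com` principal) means callers can keep passing the familiar global form and the resolver fixes it up per region, which is what a CDK construct needs when the same stack is synthesised for `us-east-1` and `cn-northwest-1`.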