
Support different service principals in China, GovCloud et. al. #1282

Closed
bnusunny opened this issue Dec 4, 2018 · 3 comments · Fixed by #1839 · May be fixed by MechanicalRock/account-reaper#6
Labels: @aws-cdk/aws-autoscaling (Related to Amazon EC2 Auto Scaling), bug (This issue is a bug), effort/medium (Medium work item – several days of effort)

Comments

bnusunny commented Dec 4, 2018

I got the following error message while creating an ASG in the China Ningxia region. The EC2 service principal in China regions should be 'ec2.amazonaws.com.cn'.

  1/39 | 21:43:18 | CREATE_FAILED        | AWS::IAM::Role                        | onebox-asg/InstanceRole (oneboxasgInstanceRole26288590) Invalid principal in policy: "SERVICE":"ec2.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 8e9d0693-f7ca-11e8-9731-3bb893a602f3)
        new Role (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/node_modules/@aws-cdk/aws-iam/lib/role.js:21:22)
        \_ new AutoScalingGroup (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/node_modules/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.js:45:21)
        \_ new OneBoxStack (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/bin/infrastructure.js:33:21)
        \_ Object.<anonymous> (/Users/sunhua/Documents/Projects/github.com/nwcdlabs/openshift-on-aws-cn/scripts/infrastructure/bin/infrastructure.js:51:1)
        \_ Module._compile (module.js:652:30)
        \_ Object.Module._extensions..js (module.js:663:10)
        \_ Module.load (module.js:565:32)
        \_ tryModuleLoad (module.js:505:12)
        \_ Function.Module._load (module.js:497:3)
        \_ Function.Module.runMain (module.js:693:10)
        \_ startup (bootstrap_node.js:188:16)
        \_ bootstrap_node.js:609:3
@rix0rrr rix0rrr added bug This issue is a bug. @aws-cdk/aws-autoscaling Related to Amazon EC2 Auto Scaling labels Dec 4, 2018
rix0rrr commented Dec 5, 2018

I've done some research into this, and there are interesting findings.

Services with a constant service principal:

  • sns.amazonaws.com
  • sqs.amazonaws.com

Services with a region-dependent service principal:

  • states.REGION.amazonaws.com

Services with a suffixed service principal:

  • lambda.amazonaws.com[.cn]
  • autoscaling.amazonaws.com[.cn]
  • application-autoscaling.amazonaws.com[.cn]
  • ec2.amazonaws.com[.cn]
  • events.amazonaws.com[.cn]

Services with region AND suffix:

  • logs.REGION.amazonaws.com[.cn]

Services that don't follow a substitution pattern:

  • codedeploy.amazonaws.com -> codedeploy.cn-north-1.amazonaws.com.cn

Our ECR image ID URL generator is also wrong, should be:

${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/REPO

We're going to have to use a lookup table somewhere in the core or IAM libraries.
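One shape such a lookup table could take, as an added example that is not code from the aws-cdk project: the five groups from the comment become a pattern per service, the partition is derived from the region, and anything outside the table is rejected rather than silently resolved to the commercial `.com` principal. The region-prefix rules, the `aws-us-gov` suffix and the regional form for CodeDeploy outside the commercial partition are assumptions made for illustration.

```typescript
// Added example, not code from the aws-cdk project: a partition-aware lookup table
// for IAM service principals, following the five groups listed in the comment above.
// The region-prefix rules and the ECR URI shape are assumptions made for illustration.

type Partition = 'aws' | 'aws-cn' | 'aws-us-gov';

// DNS suffix per partition (what CloudFormation exposes as ${AWS::URLSuffix}).
const URL_SUFFIX: Record<Partition, string> = {
  'aws': 'amazonaws.com',
  'aws-cn': 'amazonaws.com.cn',
  'aws-us-gov': 'amazonaws.com',
};

// Derive the partition from the region name; refuse anything unrecognised rather
// than silently defaulting to the commercial partition.
function partitionFor(region: string): Partition {
  if (region.startsWith('cn-')) return 'aws-cn';
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  if (/^[a-z]{2}-[a-z]+-\d$/.test(region)) return 'aws';
  throw new Error(`unknown region: ${region}`);
}

// How a service's principal is formed. The groups mirror the comment above.
type Pattern =
  | { kind: 'constant' }           // sns.amazonaws.com in every partition
  | { kind: 'regional' }           // states.REGION.amazonaws.com
  | { kind: 'suffixed' }           // ec2.amazonaws.com[.cn]
  | { kind: 'regionalSuffixed' }   // logs.REGION.amazonaws.com[.cn]
  | { kind: 'irregular'; resolve: (p: Partition, region: string, suffix: string) => string };

const PATTERNS: Record<string, Pattern> = {
  sns: { kind: 'constant' },
  sqs: { kind: 'constant' },
  states: { kind: 'regional' },
  lambda: { kind: 'suffixed' },
  autoscaling: { kind: 'suffixed' },
  'application-autoscaling': { kind: 'suffixed' },
  ec2: { kind: 'suffixed' },
  events: { kind: 'suffixed' },
  logs: { kind: 'regionalSuffixed' },
  // codedeploy.amazonaws.com -> codedeploy.cn-north-1.amazonaws.com.cn; applying the
  // regional form to every non-commercial region is an assumption.
  codedeploy: {
    kind: 'irregular',
    resolve: (p, region, suffix) =>
      p === 'aws' ? 'codedeploy.amazonaws.com' : `codedeploy.${region}.${suffix}`,
  },
};

// Resolve the principal for a service in a region, or throw when the table has no entry.
function servicePrincipal(service: string, region: string): string {
  const pattern = PATTERNS[service];
  if (pattern === undefined) throw new Error(`no principal pattern recorded for ${service}`);
  const partition = partitionFor(region);
  const suffix = URL_SUFFIX[partition];
  switch (pattern.kind) {
    case 'constant': return `${service}.amazonaws.com`;
    case 'regional': return `${service}.${region}.amazonaws.com`;
    case 'suffixed': return `${service}.${suffix}`;
    case 'regionalSuffixed': return `${service}.${region}.${suffix}`;
    case 'irregular': return pattern.resolve(partition, region, suffix);
    default: throw new Error('unreachable');
  }
}

interface TrustPolicy {
  Version: string;
  Statement: Array<{ Effect: string; Principal: { Service: string }; Action: string }>;
}

// Trust policy that would have passed validation in the failing stack above.
function assumeRolePolicy(service: string, region: string): TrustPolicy {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: servicePrincipal(service, region) },
      Action: 'sts:AssumeRole',
    }],
  };
}

// ECR repository URI in the shape the comment gives, with the partition suffix substituted.
function ecrRepositoryUri(accountId: string, region: string, repo: string): string {
  return `${accountId}.dkr.ecr.${region}.${URL_SUFFIX[partitionFor(region)]}/${repo}`;
}
```

The table fails closed on purpose: an unknown region or an unlisted service throws at synthesis time, which is the same place the reporter's stack failed, but with a message that names the gap instead of a `MalformedPolicyDocument` from IAM.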

@rix0rrr rix0rrr changed the title EC2 Service Principle is not correct in China regions Support different service principals in China, GovCloud et. al. Dec 5, 2018
@rix0rrr rix0rrr added the gap label Jan 4, 2019
@fulghum fulghum added effort/large Large work item – several weeks of effort effort/medium Medium work item – several days of effort and removed effort/large Large work item – several weeks of effort labels Jan 7, 2019
rix0rrr commented Jan 15, 2019

Something else that depends on the region: the S3 bucket website URL has a different format depending on the region:

const suffix = cdk.Stack.find(this).urlSuffix
const region = cdk.Stack.find(this).region
const regionToSuffix = {
  'eu-west-1': `s3-website-eu-west-1.${suffix}`,
  // ...
  'us-west-1': `s3-website.us-west-1.${suffix}`
  // ...
}

return `${this.bucketName}.${regionToSuffix[region]}`;

See https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
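A version of that lookup with the missing-region case handled, as an added example and not code from the aws-cdk project: the two endpoint shapes from the snippet above are kept in separate sets, the partition suffix is assumed from the region prefix, and a region absent from the table throws instead of producing a hostname containing `undefined`. Which regions use the dash form and which the dot form is an assumption for illustration and should be checked against the WebsiteHosting page linked above.

```typescript
// Added example, not code from the aws-cdk project: build an S3 static-website endpoint
// from a region, refusing regions the table does not know instead of emitting "undefined".
// The region sets below are an assumption for illustration; check them against the
// WebsiteHosting page linked in the comment before relying on them.

// Regions whose website endpoint is s3-website-REGION.SUFFIX (dash form).
const DASH_FORM = new Set(['us-east-1', 'us-west-2', 'eu-west-1', 'ap-southeast-1']);
// Regions whose website endpoint is s3-website.REGION.SUFFIX (dot form).
const DOT_FORM = new Set(['us-east-2', 'eu-central-1', 'eu-west-2', 'ca-central-1', 'cn-north-1']);

// Partition DNS suffix, assumed from the region prefix.
function websiteUrlSuffix(region: string): string {
  return region.startsWith('cn-') ? 'amazonaws.com.cn' : 'amazonaws.com';
}

// Hostname part that follows the bucket name; throws for regions not in either table.
function s3WebsiteDomain(region: string): string {
  const suffix = websiteUrlSuffix(region);
  if (DASH_FORM.has(region)) return `s3-website-${region}.${suffix}`;
  if (DOT_FORM.has(region)) return `s3-website.${region}.${suffix}`;
  throw new Error(`no S3 website endpoint recorded for region ${region}`);
}

// S3 website endpoints serve plain HTTP only, so the scheme is fixed.
function s3WebsiteUrl(bucketName: string, region: string): string {
  return `http://${bucketName}.${s3WebsiteDomain(region)}`;
}
```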

@RomainMuller commented:

For the case of codedeploy.amazonaws.com, it appears that you can use codedeploy.amazonaws.com to mean "all supported endpoints [in partition]", or you can use codedeploy.<region>.amazonaws.com to mean "a specific endpoint".
