Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: some custom resources don't work in opt-in regions #22370

Merged
merged 9 commits into from
Oct 10, 2022
Merged

fix: some custom resources don't work in opt-in regions #22370

merged 9 commits into from
Oct 10, 2022

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Oct 5, 2022
edited
Loading

By default, the STS client is using the global STS endpoint, and tokens it returns are not valid in opt-in regions.

Affects EKS, Route53, AwsCustomResource.

Fixes #22022.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr
fix: some custom resources don't work in opt-in regions
d95cd4d 
By default, the STS client is using the global STS endpoint, and tokens
it returns are not valid in opt-in regions.

Fixes #22022.
@rix0rrr rix0rrr requested a review from a team October 5, 2022 16:24
@gitpod-io
Copy link

gitpod-io bot commented Oct 5, 2022

@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 5, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team October 5, 2022 16:50
@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 labels Oct 5, 2022
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 5, 2022
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@rix0rrr rix0rrr added pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Oct 6, 2022
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 6, 2022 12:07

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

Naumel
Naumel reviewed Oct 7, 2022
View reviewed changes
Copy link
Contributor

@Naumel Naumel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change looks fine, the failing build does not; I'll wait for that one before I approve 👍

Naumel
Naumel approved these changes Oct 10, 2022
View reviewed changes
Copy link
Contributor

@Naumel Naumel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🌐

@Naumel
Copy link
Contributor

Naumel commented Oct 10, 2022

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Oct 10, 2022

update

✅ Branch has been successfully updated

@mergify
Copy link
Contributor

mergify bot commented Oct 10, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

1 similar comment
@mergify
Copy link
Contributor

mergify bot commented Oct 10, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 6590742
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 456a2c7 into main Oct 10, 2022
@mergify mergify bot deleted the huijbers/regional-sts branch October 10, 2022 14:58
@mergify
Copy link
Contributor

mergify bot commented Oct 10, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@rix0rrr rix0rrr mentioned this pull request Nov 25, 2022
Closed
rix0rrr added a commit that referenced this pull request Nov 25, 2022
@rix0rrr
fix(route53): cross-account delegation broken in opt-in regions
ba930bc 
This is a revert of #22370. The fix proposed there solved one very
specific (but rare) use case, in exchange for breaking common use cases.

- *It fixed the case of*: AWS service authors using their own global
  service principal in the delegation role, with both source and target
  account opted into the region.
- *It broke the case of*: all teams that didn't have both accounts opted
  into the region.

The second case is much more common, so revert to the old behavior.

Since the regional behavior might still be useful to *some* people
somewhere, it has been relegated to a context key,
`@aws-cdk/aws-route53:useRegionalStsEndpoint`, instead. It can be
configured, but is not advertised as 99.9% of users will not need
this behavior.

Since both STS and Route53 are global and regular customers cannot
usefully use Service Principals in this particular trust policy anyway,
there is no impact to regular customers.

Fixes #23081.
@rix0rrr rix0rrr mentioned this pull request Nov 25, 2022
Merged
mergify bot pushed a commit that referenced this pull request Nov 28, 2022
@rix0rrr
fix(route53): cross-account delegation broken in opt-in regions (#23082)
5ba35e4 
This is a revert of #22370. The fix proposed there solved one very specific (but rare) use case, in exchange for breaking common use cases.

- *It fixed the case of*: AWS service authors using their own global service principal in the delegation role, with both source and target account opted into the region.
- *It broke the case of*: all teams that didn't have both accounts opted into the region.

The second case is much more common, so revert to the old behavior.

Since the regional behavior might still be useful to *some* people somewhere, it has been relegated to a context key, `@aws-cdk/aws-route53:useRegionalStsEndpoint`, instead. It can be configured, but is not advertised as 99.9% of users will not need this behavior.

Since both STS and Route53 are global and regular customers cannot usefully use Service Principals in this particular trust policy anyway, there is no impact to regular customers.

Fixes #23081.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho pushed a commit to brennanho/aws-cdk that referenced this pull request Dec 9, 2022
@rix0rrr
fix(route53): cross-account delegation broken in opt-in regions (aws#…
33fe359 
…23082)

This is a revert of aws#22370. The fix proposed there solved one very specific (but rare) use case, in exchange for breaking common use cases.

- *It fixed the case of*: AWS service authors using their own global service principal in the delegation role, with both source and target account opted into the region.
- *It broke the case of*: all teams that didn't have both accounts opted into the region.

The second case is much more common, so revert to the old behavior.

Since the regional behavior might still be useful to *some* people somewhere, it has been relegated to a context key, `@aws-cdk/aws-route53:useRegionalStsEndpoint`, instead. It can be configured, but is not advertised as 99.9% of users will not need this behavior.

Since both STS and Route53 are global and regular customers cannot usefully use Service Principals in this particular trust policy anyway, there is no impact to regular customers.

Fixes aws#23081.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho pushed a commit to brennanho/aws-cdk that referenced this pull request Jan 20, 2023
@rix0rrr
fix(route53): cross-account delegation broken in opt-in regions (aws#…
8deffc7 
…23082)

This is a revert of aws#22370. The fix proposed there solved one very specific (but rare) use case, in exchange for breaking common use cases.

- *It fixed the case of*: AWS service authors using their own global service principal in the delegation role, with both source and target account opted into the region.
- *It broke the case of*: all teams that didn't have both accounts opted into the region.

The second case is much more common, so revert to the old behavior.

Since the regional behavior might still be useful to *some* people somewhere, it has been relegated to a context key, `@aws-cdk/aws-route53:useRegionalStsEndpoint`, instead. It can be configured, but is not advertised as 99.9% of users will not need this behavior.

Since both STS and Route53 are global and regular customers cannot usefully use Service Principals in this particular trust policy anyway, there is no impact to regular customers.

Fixes aws#23081.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho pushed a commit to brennanho/aws-cdk that referenced this pull request Feb 22, 2023
@rix0rrr
fix(route53): cross-account delegation broken in opt-in regions (aws#…
eba83a6 
…23082)

This is a revert of aws#22370. The fix proposed there solved one very specific (but rare) use case, in exchange for breaking common use cases.

- *It fixed the case of*: AWS service authors using their own global service principal in the delegation role, with both source and target account opted into the region.
- *It broke the case of*: all teams that didn't have both accounts opted into the region.

The second case is much more common, so revert to the old behavior.

Since the regional behavior might still be useful to *some* people somewhere, it has been relegated to a context key, `@aws-cdk/aws-route53:useRegionalStsEndpoint`, instead. It can be configured, but is not advertised as 99.9% of users will not need this behavior.

Since both STS and Route53 are global and regular customers cannot usefully use Service Principals in this particular trust policy anyway, there is no impact to regular customers.

Fixes aws#23081.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Naumel Naumel Naumel approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-test The PR linter will not require test changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use STS regional endpoints for STS calls from resource providers
3 participants
@rix0rrr @Naumel @aws-cdk-automation