Skip to content

fix(route53): add vpce:AllowMultiRegion permission to VpcEndpointServiceDomainName #36221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(route53): add vpce:AllowMultiRegion permission to VpcEndpointServiceDomainName #36221

wants to merge 2 commits into from
+1,775 −235

Conversation

@tiagoq
Copy link

@tiagoq tiagoq commented Nov 26, 2025

Fixes #36216

When using VpcEndpointServiceDomainName with a VpcEndpointService that has cross-region PrivateLink enabled via allowedRegions, the custom resource Lambda fails with:

User is not authorized to perform: ec2:ModifyVpcEndpointServiceConfiguration on resource: 
arn:aws:ec2:...:vpc-endpoint-service/vpce-svc-... 
because no identity-based policy allows the vpce:AllowMultiRegion action.

This PR adds the vpce:AllowMultiRegion permission to the custom resource policy. The permission is always included since:

  1. It's scoped to the specific VPC endpoint service resource
  2. It doesn't grant excessive privileges when cross-region is not enabled
  3. It avoids the complexity of conditional logic or additional props

Changes

  • Modified packages/aws-cdk-lib/aws-route53/lib/vpc-endpoint-service-domain-name.ts:
    • Added aws-iam import
    • Changed AwsCustomResourcePolicy.fromSdkCalls() to AwsCustomResourcePolicy.fromStatements() for the EnableDns custom resource
    • Added both ec2:ModifyVpcEndpointServiceConfiguration and vpce:AllowMultiRegion actions to the policy
  • Added unit test in packages/aws-cdk-lib/aws-route53/test/vpc-endpoint-service-domain-name.test.ts

Testing

cd packages/aws-cdk-lib
yarn test aws-route53

All 264 tests pass.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Nov 26, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 26, 2025 22:08
aws-cdk-automation
aws-cdk-automation requested changes Nov 26, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Nov 26, 2025
@pahud pahud mentioned this pull request Nov 26, 2025
Open
@tiagoq tiagoq force-pushed the fix/vpc-endpoint-service-domain-name-cross-region branch from c64db56 to 892f005 Compare November 26, 2025 23:24
@tiagoq tiagoq mentioned this pull request Nov 26, 2025
Open
1 task
@pahud pahud mentioned this pull request Nov 27, 2025
Open
fix(route53): add vpce:AllowMultiRegion permission to VpcEndpointServ…
ed4df80 
…iceDomainName

When using VpcEndpointServiceDomainName with a VpcEndpointService that has
cross-region PrivateLink enabled via allowedRegions, the custom resource
Lambda fails because the IAM policy is missing the vpce:AllowMultiRegion
permission.

This change updates the EnableDns custom resource to use an explicit policy
with both ec2:ModifyVpcEndpointServiceConfiguration and vpce:AllowMultiRegion
permissions, scoped to the specific VPC endpoint service resource.

Fixes aws#36216
@tiagoq tiagoq force-pushed the fix/vpc-endpoint-service-domain-name-cross-region branch from 892f005 to ed4df80 Compare November 27, 2025 16:02
@aws-cdk-automation aws-cdk-automation removed the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Nov 27, 2025
@github-actions github-actions bot mentioned this pull request Dec 1, 2025
Open
@pahud
Copy link
Contributor

pahud commented Dec 1, 2025
edited
Loading

For some reason, it's blocked by this. I am hitting the update branch button and see if it unblocks itself.

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

@aws-cdk-automation aws-cdk-automation added pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. and removed pr/reviewer-clarification-requested The contributor has requested clarification on feedback, a failing build, or a failing PR Linter run labels Dec 1, 2025
@pahud pahud removed the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Dec 1, 2025
@pahud
Copy link
Contributor

pahud commented Dec 1, 2025
edited
Loading

OK looks like the linter expects this PR to have change on integ.vpc-endpoint-service-domain-name.ts but actually it's not necessary. Let's add a Exemption Request to unblock this.

@aws-cdk-automation aws-cdk-automation added pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Dec 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation Awaiting requested review from aws-cdk-automation

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

aws-route53: VpcEndpointServiceDomainName missing vpce:AllowMultiRegion permission for cross-region PrivateLink

3 participants

@tiagoq @pahud @aws-cdk-automation