servicecatalog.PrincipalARN contains principal's unique ID, not ARN #3920

Closed
3 tasks done
YakDriver opened this issue May 20, 2021 · 6 comments
Labels
closing-soon This issue will automatically close in 4 days unless further comments are made. guidance Question that needs advice or information.


@YakDriver
Contributor

YakDriver commented May 20, 2021

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug
The API returns an IAM principal unique ID rather than an ARN in a field called PrincipalARN.

Version of AWS SDK for Go?
v1.38.43

Version of Go (go version)?
v1.16.3

To Reproduce (observed behavior)
Steps to reproduce the behavior (please share code or minimal repo)

(You'll need a pre-existing Service Catalog portfolio with an associated IAM principal.)

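```go
// Needs imports: fmt, github.com/aws/aws-sdk-go/aws,
// github.com/aws/aws-sdk-go/aws/session,
// github.com/aws/aws-sdk-go/service/servicecatalog

// ListPrincipalsForPortfolio is a method on the client, not a package function.
svc := servicecatalog.New(session.Must(session.NewSession()))

input := &servicecatalog.ListPrincipalsForPortfolioInput{
    PortfolioId: aws.String("port-enqt7hci7mkzq"), // existing ID
}

output, err := svc.ListPrincipalsForPortfolio(input)
if err != nil {
    return err
}

fmt.Printf("This is NOT an ARN: %s\n", aws.StringValue(output.Principals[0].PrincipalARN))
// sample output: This is NOT an ARN: AROAVGM2C4RRRYY2TLR7P
```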

Expected behavior
This should output something like: This is NOT an ARN: arn:aws:iam::123456789012:user/Eleanor

Additional context
The input for the association (AssociatePrincipalWithPortfolioInput.PrincipalARN) requires an actual ARN and will give the following error if you attempt to pass a unique ID in.

```
InvalidParametersException: Input principal arn, AROAVGM2C4RRRYY2TLR7P, is incorrectly formatted: ARNs must start with 'arn:'
```

@KaibaLopez
Contributor

Hi @YakDriver,
I have just tested this and it works as expected, it will list the arn of the principal you've associated to the portfolio... So at this point I believe this is a problem with your portfolio setup?

I've tested associating the arn through the SDK and through CLI, and tested the list Principal api call on both as well, both giving the correct and expected behavior of printing the correct arn value.

@KaibaLopez KaibaLopez added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels May 28, 2021
@KaibaLopez KaibaLopez self-assigned this May 28, 2021
@KaibaLopez KaibaLopez added guidance Question that needs advice or information. and removed bug This issue is a bug. labels May 28, 2021
@YakDriver
Contributor Author

The issue may be with newly created roles. If you create a role in code, and the code immediately associates the role with a portfolio, and then immediately attempts to list the principals for the Portfolio, a unique ID comes back. With longer delays between these steps, the IAM service seems to catch up and ARNs are returned.

@YakDriver
Contributor Author

I have been able to work around this by retrying servicecatalog.ListPrincipalsForPortfolio() until it returns ARNs rather than unique IDs. Generally, within 10 seconds after role creation, the function returns ARNs rather than unique IDs.

@KaibaLopez
Contributor

oh... there is no real pragmatic way to determine how long the role will take to propagate within the region. It should just take a few seconds, but honestly your workaround of retrying is as good as anything I can think of.
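
The retry workaround discussed in the two comments above, as an added example that is not code from this thread or from the SDK. `listFunc`, `waitForARNs`, `fakeLister` and `ErrNotPropagated` are hypothetical names; `listFunc` stands in for a wrapper around `ListPrincipalsForPortfolio` that returns the `PrincipalARN` strings, and the role ARN is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// listFunc (hypothetical) returns the PrincipalARN values from one list call.
type listFunc func() ([]string, error)

// ErrNotPropagated (hypothetical) means every attempt still saw a non-ARN value.
var ErrNotPropagated = errors.New("principals still reported as unique IDs")

// looksLikeARN applies the prefix rule quoted in the error message on this page.
func looksLikeARN(s string) bool { return strings.HasPrefix(s, "arn:") }

// waitForARNs retries list until every value is an ARN; API errors are not retried.
func waitForARNs(list listFunc, attempts int, delay time.Duration) ([]string, error) {
	for i := 0; i < attempts; i++ {
		vals, err := list()
		if err != nil {
			return nil, err
		}
		allARNs := true
		for _, v := range vals {
			allARNs = allARNs && looksLikeARN(v)
		}
		if allARNs {
			return vals, nil
		}
		if i < attempts-1 {
			time.Sleep(delay)
		}
	}
	return nil, ErrNotPropagated
}

// fakeLister is constructed input: a unique ID for the first stale calls, then an ARN.
func fakeLister(stale int) listFunc {
	calls := 0
	return func() ([]string, error) {
		if calls++; calls <= stale {
			return []string{"AROAVGM2C4RRRYY2TLR7P"}, nil
		}
		return []string{"arn:aws:iam::123456789012:role/Example"}, nil
	}
}

func main() { fmt.Println(waitForARNs(fakeLister(2), 5, 10*time.Millisecond)) }
```

Returning an explicit error when the attempts run out keeps a unique ID from being passed on to code that compares or stores the value as an ARN.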

@KaibaLopez KaibaLopez added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed needs-reproduction This issue needs reproduction. labels Jun 2, 2021
@YakDriver
Contributor Author

Sounds good. I've learned something and hopefully future travelers can find a solution here if they see the issue.
