Specific addServicePrincipal methods for services #55
Comments
Hi @akefirad, the method Floyd though provides other methods for adding principals. For a service principal there is

```ts
const policy = new statement.Sns()
  .allow()
  .toPublish()
  .onTopic(myTopic)
  .forService('ses.amazonaws.com');
```

Alternatively you can also directly use CDK principals:

```ts
const policy = new statement.Sns()
  .allow()
  .toPublish()
  .onTopic(myTopic)
  .forCdkPrincipal(
    new iam.ServicePrincipal('ses.amazonaws.com')
  );
```

Implementing something like you envision (e.g.

But yeah, I agree, it would be cool to have this functionality. In fact, looking up the service domains for principals is one of the rare cases where I still have to go to the AWS IAM docs. Cheers,
Good point. Thanks for the code snippet.
Reading through that first link... things seem quite complicated. Some service principals vary based on region and partition while most are not... Examples:
This all seems to be very random. If we would ignore all the variations... we might be able to generate a list that covers most principals. We already have all AWS managed policies in our codebase and can generate a list of 203 domains that look like they can be used as principals:

```sh
$ grep -rhoE '[^[:space:],;"'\''/*]+\.amazonaws\.com' docs/source/_static/managed-policies/ | sort | uniq -c | sort -nr
     58 ec2.amazonaws.com
     23 cloudformation.amazonaws.com
     21 autoscaling.amazonaws.com
     20 ssm.amazonaws.com
     20 securitylake.amazonaws.com
     16 launchwizard.amazonaws.com
     16 events.amazonaws.com
     15 lambda.amazonaws.com
     15 elasticloadbalancing.amazonaws.com
     15 backup.amazonaws.com
     14 sagemaker.amazonaws.com
     13 glue.amazonaws.com
     12 spot.amazonaws.com
     12 rds.amazonaws.com
     11 ecs.amazonaws.com
     11 drs.amazonaws.com
     11 codeguru-reviewer.amazonaws.com
     11 cleanrooms.amazonaws.com
     10 elasticbeanstalk.amazonaws.com
      9 sso.amazonaws.com
      9 lexv2.amazonaws.com
      9 devops-guru.amazonaws.com
      9 application-autoscaling.amazonaws.com
      8 robomaker.amazonaws.com
      8 mgn.amazonaws.com
      8 elasticmapreduce.amazonaws.com
      8 application-insights.amazonaws.com
      7 spotfleet.amazonaws.com
      7 lex.amazonaws.com
      7 lakeformation.amazonaws.com
      7 dataexchange.amazonaws.com
      6 servicecatalog-appregistry.amazonaws.com
      6 imagebuilder.amazonaws.com
      6 ecs-tasks.amazonaws.com
      6 docdb-elastic.amazonaws.com
      6 continuousexport.discovery.amazonaws.com
      6 config-conforms.amazonaws.com
      6 cloud9.amazonaws.com
      6 channels.lexv2.amazonaws.com
      5 servicequotas.amazonaws.com
      5 securityhub.amazonaws.com
      5 schemas.amazonaws.com
      5 reporting.trustedadvisor.amazonaws.com
      5 ram.amazonaws.com
      5 iot.amazonaws.com
      5 fsx.amazonaws.com
      5 fms.amazonaws.com
      5 codepipeline.amazonaws.com
      4 vpc-lattice.amazonaws.com
      4 sqlworkbench.amazonaws.com
      4 sagemaker.application-autoscaling.amazonaws.com
      4 resource-explorer-2.amazonaws.com
      4 replication.lexv2.amazonaws.com
      4 macie.amazonaws.com
      4 iotsitewise.amazonaws.com
      4 dynamodb.application-autoscaling.amazonaws.com
      4 delivery.logs.amazonaws.com
      4 cloudtrail.amazonaws.com
      4 channels.lex.amazonaws.com
      4 cassandra.application-autoscaling.amazonaws.com
      4 braket.amazonaws.com
      4 auditmanager.amazonaws.com
      4 appflow.amazonaws.com
      4 apidestinations.events.amazonaws.com
      3 scraper.aps.amazonaws.com
      3 scheduler.amazonaws.com
      3 s3.data-source.lustre.fsx.amazonaws.com
      3 remediation.config.amazonaws.com
      3 redshift.amazonaws.com
      3 proton.amazonaws.com
      3 profile.amazonaws.com
      3 pipes.amazonaws.com
      3 nimble.amazonaws.com
      3 neptune-graph.amazonaws.com
      3 kafka.amazonaws.com
      3 inspector.amazonaws.com
      3 greengrass.amazonaws.com
      3 events.workmail.amazonaws.com
      3 detective.amazonaws.com
      3 databrew.amazonaws.com
      3 cost-optimization-hub.bcm.amazonaws.com
      3 connect.amazonaws.com
      3 cognito-identity.amazonaws.com
      3 appsync.amazonaws.com
      3 apprunner.amazonaws.com
      3 acm.amazonaws.com
      2 wafv2.amazonaws.com
      2 transitgateway.amazonaws.com
      2 transfer.amazonaws.com
      2 sync.proton.amazonaws.com
      2 ssm-sap.amazonaws.com
      2 smsintegration.migrationhub.amazonaws.com
      2 s3.amazonaws.com
      2 restore-testing.backup.amazonaws.com
      2 replication.cassandra.amazonaws.com
      2 refactor-spaces.amazonaws.com
      2 redshift-data.amazonaws.com
      2 qldb.amazonaws.com
      2 panorama.amazonaws.com
      2 osis.amazonaws.com
      2 orgsdatasync.servicecatalog.amazonaws.com
      2 organizations.amazonaws.com
      2 omics.amazonaws.com
      2 mq.amazonaws.com
      2 migrationhub.amazonaws.com
      2 migrationhub-strategy.amazonaws.com
      2 migrationhub-orchestrator.amazonaws.com
      2 memorydb.amazonaws.com
      2 managedupdates.elasticbeanstalk.amazonaws.com
      2 malware-protection.guardduty.amazonaws.com
      2 maintenance.elasticbeanstalk.amazonaws.com
      2 license-manager.member-account.amazonaws.com
      2 license-management.marketplace.amazonaws.com
      2 iotroborunner.amazonaws.com
      2 health.amazonaws.com
      2 guardduty.amazonaws.com
      2 globalaccelerator.amazonaws.com
      2 forecast.amazonaws.com
      2 firehose.amazonaws.com
      2 email.cognito-idp.amazonaws.com
      2 elasticache.amazonaws.com
      2 eks-connector.amazonaws.com
      2 ec2fleet.amazonaws.com
      2 ec2.application-autoscaling.amazonaws.com
      2 dmsintegration.migrationhub.amazonaws.com
      2 dax.amazonaws.com
      2 custom.rds.amazonaws.com
      2 custom.rds-preview.amazonaws.com
      2 controltower.amazonaws.com
      2 config-multiaccountsetup.amazonaws.com
      2 cognito-idp.amazonaws.com
      2 cognito-identity-us-gov.amazonaws.com
      2 codebuild.amazonaws.com
      2 codeartifact.amazonaws.com
      2 cleanrooms-ml.amazonaws.com
      2 chime.amazonaws.com
      2 bugbust.amazonaws.com
      2 bedrock.amazonaws.com
      2 assets.marketplace.amazonaws.com
      2 appstream.application-autoscaling.amazonaws.com
      2 appmesh.amazonaws.com
      2 application-signals.cloudwatch.amazonaws.com
      2 appfabric.amazonaws.com
      2 a4b.amazonaws.com
      1 vmie.amazonaws.com
      1 synthetics.amazonaws.com
      1 support.amazonaws.com
      1 states.amazonaws.com
      1 sms.amazonaws.com
      1 shield.amazonaws.com
      1 servicecatalog.amazonaws.com
      1 sagemaker-geospatial.amazonaws.com
      1 rum.amazonaws.com
      1 resource-groups.amazonaws.com
      1 replication.ecr.amazonaws.com
      1 replication.dynamodb.amazonaws.com
      1 rds.application-autoscaling.amazonaws.com
      1 personalize.amazonaws.com
      1 permission.iq.amazonaws.com
      1 partnercentral-account-management.amazonaws.com
      1 opsworks.amazonaws.com
      1 networkmanager.amazonaws.com
      1 network-firewall.amazonaws.com
      1 monitron.amazonaws.com
      1 medical-imaging.amazonaws.com
      1 mediaconvert.amazonaws.com
      1 lookoutmetrics.amazonaws.com
      1 lookoutequipment.amazonaws.com
      1 lightsail.amazonaws.com
      1 kinesisreplication.dynamodb.amazonaws.com
      1 kendra.amazonaws.com
      1 inspector2.amazonaws.com
      1 healthlake.amazonaws.com
      1 grafana.amazonaws.com
      1 frauddetector.amazonaws.com
      1 fis.amazonaws.com
      1 events.managedservices.amazonaws.com
      1 event-processor.health.amazonaws.com
      1 entityresolution.amazonaws.com
      1 elastictranscoder.amazonaws.com
      1 elasticfilesystem.amazonaws.com
      1 eks.amazonaws.com
      1 ecs.application-autoscaling.amazonaws.com
      1 ec2scheduled.amazonaws.com
      1 ec2fastlaunch.amazonaws.com
      1 ds.amazonaws.com
      1 datazonecontrol.amazonaws.com
      1 datazone.amazonaws.com
      1 datasync.amazonaws.com
      1 credentials.iot.amazonaws.com
      1 contributorinsights.dynamodb.amazonaws.com
      1 contract.iq.amazonaws.com
      1 config.amazonaws.com
      1 codeguru-security.amazonaws.com
      1 codeguru-profiler.amazonaws.com
      1 codecatalyst.amazonaws.com
      1 codecatalyst-runner.amazonaws.com
      1 budgets.amazonaws.com
      1 batch.amazonaws.com
      1 athena.amazonaws.com
      1 aps.amazonaws.com
      1 apigateway.amazonaws.com
      1 access-analyzer.amazonaws.com
```

I am not too deep into that principal business, so I don't know if it makes sense for these to be available as service principals. Unfortunately... the service you seem to care about (SES) is not covered in any AWS managed policy, so it's not in that list... ;)
Hm, thanks. Missing a few cases should be fine, as long as we have a consistent way of regenerating the list. Not sure how this piece is being generated, just wanted to make sure it's not gonna break between releases. I kinda like this feature, but it can also wait. We can come back later when there's a better solution. Up to you 🙂
The list comes from grepping through the body of all AWS managed policies. I have a GitHub workflow that fetches all managed policies from the IAM service every night. As AWS managed policies are updated almost daily, there's a chance the known principals might disappear, especially those which are only found once across all policies. We could set this up to only add new and never remove from our cached list. But then we might collect a number of typos over time. 🤔 We can also use the gist as a(n additional) source. The gist has now been periodically updated for years and appears to be a well known resource. But I really cannot judge the quality. It's community driven and as there's no way for the maintainer to verify the suggestions from the comments... it just feels not right to generate code from random user comments. I would really like this feature too, but there seems to be just no good way to do it, since AWS fails to document this properly and it's all just guesswork. But yeah, we're not yet GA, so there's still room for experiments. 😅
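The two ideas in this thread, the grep over managed-policy bodies shown earlier and the "add new, don't immediately remove" cache discussed in the comment above, as one added TypeScript example. This is not code from iam-floyd or its maintainer. It reuses the thread's grep character class as a regex, adds a stricter scan that only takes values of the `iam:AWSServiceName` and `iam:PassedToService` condition keys (my choice of trusted keys, not something the thread names), and retires a cached domain only after it has been absent for a number of consecutive runs, so one-off sightings stay stable while a typo AWS later fixes does not live in generated code forever. The policy documents are constructed samples, not real AWS managed policies.

```typescript
// Added example, not code from iam-floyd: mirror the grep pipeline from this thread
// over parsed policy documents and keep a cache of known service principal domains
// across nightly regeneration runs.

type Statement = {
  Effect: 'Allow' | 'Deny';
  Action?: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version?: string; Statement: Statement | Statement[] };

// Same character class as the grep in the thread: [^[:space:],;"'/*]+\.amazonaws\.com
const DOMAIN_RE = /[^\s,;"'\/*]+\.amazonaws\.com/g;

// Assumption (mine, not from the thread): values of these condition keys are what AWS
// itself treats as service principals, so they are a more trustworthy source than an
// arbitrary string in the policy body (which may also be an endpoint hostname).
const PRINCIPAL_CONDITION_KEYS = new Set(['iam:AWSServiceName', 'iam:PassedToService']);

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// `grep -rho` equivalent: every match anywhere in the serialised policy body.
function scanAllStrings(policy: PolicyDocument): string[] {
  const m = JSON.stringify(policy).match(DOMAIN_RE);
  return m ? Array.from(m) : [];
}

// Stricter variant: only values of the trusted condition keys.
function scanConditionKeys(policy: PolicyDocument): string[] {
  const found: string[] = [];
  for (const st of asArray(policy.Statement)) {
    const cond = st.Condition || {};
    for (const op of Object.keys(cond)) {
      for (const key of Object.keys(cond[op])) {
        if (!PRINCIPAL_CONDITION_KEYS.has(key)) continue;
        for (const value of asArray(cond[op][key])) {
          const m = value.match(DOMAIN_RE);
          if (m) found.push(...Array.from(m));
        }
      }
    }
  }
  return found;
}

// `sort | uniq -c | sort -nr`: descending count, ties broken alphabetically.
function tally(policies: PolicyDocument[], scan: (p: PolicyDocument) => string[]): Array<[string, number]> {
  const counts = new Map<string, number>();
  for (const p of policies) for (const d of scan(p)) counts.set(d, (counts.get(d) || 0) + 1);
  return Array.from(counts.entries()).sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

type Cache = Record<string, { firstSeen: number; lastSeen: number }>;

// Merge one nightly run into the cache: new domains are added, known ones get their
// lastSeen bumped, and a domain is dropped only after `retireAfterRuns` consecutive
// runs without a sighting. Domains seen once in all policies therefore survive a
// temporary disappearance, but a typo does not stay forever.
function mergeRun(cache: Cache, seen: string[], run: number, retireAfterRuns: number): Cache {
  const next: Cache = {};
  for (const d of Object.keys(cache)) next[d] = { ...cache[d] };
  for (const d of seen) {
    next[d] = next[d] ? { ...next[d], lastSeen: run } : { firstSeen: run, lastSeen: run };
  }
  for (const d of Object.keys(next)) {
    if (run - next[d].lastSeen >= retireAfterRuns) delete next[d];
  }
  return next;
}

// Constructed sample policies (not real AWS managed policies).
const SAMPLE_POLICIES: PolicyDocument[] = [
  {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: 'iam:CreateServiceLinkedRole',
        Resource: '*',
        Condition: { StringEquals: { 'iam:AWSServiceName': 'ec2.amazonaws.com' } },
      },
      {
        Effect: 'Allow',
        Action: 'iam:PassRole',
        Resource: '*',
        Condition: { StringEquals: { 'iam:PassedToService': ['ec2.amazonaws.com', 'lambda.amazonaws.com'] } },
      },
    ],
  },
  {
    Version: '2012-10-17',
    Statement: {
      Effect: 'Allow',
      Action: 'sns:Subscribe',
      Resource: '*',
      // An endpoint hostname, not a principal: the grep-style scan reports it anyway.
      Condition: { StringEquals: { 'sns:Endpoint': 'https://sqs.amazonaws.com/123456789012/queue' } },
    },
  },
];

// Usage: the grep-style tally also lists sqs.amazonaws.com; the condition-key tally does not.
console.log(tally(SAMPLE_POLICIES, scanAllStrings));
console.log(tally(SAMPLE_POLICIES, scanConditionKeys));
```

Running the condition-key scan alongside the grep-style one gives a quick way to see which entries in the 203-domain list are backed by a condition AWS itself uses to scope a service, and which only appear because some string in a policy happened to end in `.amazonaws.com`.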
Makes sense. Feel free to close this or put it on hold. Thanks.
Is there any plan to support this? For example:

Any help you need with this?

BTW: what's the reason `addServicePrincipal` returns `void` and not `this`?