Aws-cdk: incorrect IAM Service Principal for Lambda in China regions
Hello,
The recent release includes support for IAM service principles for China regions. I did some tests using the CDK example repo. The Classic Load Balancer and Application Load Balancer examples worked without any issue. But when I tried custom-resource example, the deployment failed. Below is the error message:
Invalid principal in policy: "SERVICE":"lambda.amazonaws.com.cn"
I found out that the correct IAM service principal for Lambda in China regions is 'lambda.amazonaws.com'。
daf7d4f7304ee111e89c2dfa7ae01bbebcServiceRoleFE9ABB04) Invalid principal in policy: "SERVICE":"lambda.amazonaws.com.cn" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 4f413759-59fe-11e9-a3f0-1926a8616aab)
new Role (/Users/sunhua/Documents/Projects/github.com/aws-samples/aws-cdk-examples/typescript/custom-resource/node_modules/@aws-cdk/aws-iam/lib/role.js:24:22)
bnusunny
All 13 comments
I also collected the service principal information for China regions. You can access it on quip.
bnusunny
on 8 Apr 2019
@bnusunny Do you have this issue fixed? I came across same issue, tried to overide the principal with aws-cdk.region-info but got another error:
` # Fix lambda service principal issue
regionFact = regionInfo.IFact(region = 'cn-north-1',
name = regionInfo.FactName.service_principal('lambda'),
value = 'lambda.amazonaws.com'
)
regionInfo.Fact.register(regionFact, allow_replacing=True)`
Traceback (most recent call last):
File "app.py", line 9, in <module>
MyStack(app, "hello-cdk-1", env={'region': 'cn-north-1'})
File "/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/cdk-workshop/.env/lib/python3.6/site-packages/jsii/_runtime.py", line 66, in __call__
inst = super().__call__(*args, **kwargs)
File "/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/cdk-workshop/hello/hello_stack.py", line 16, in __init__
value = 'lambda.amazonaws.com'
File "/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/cdk-workshop/.env/lib/python3.6/site-packages/typing_extensions.py", line 1207, in _no_init
raise TypeError('Protocols cannot be instantiated')
TypeError: Protocols cannot be instantiated
Subprocess exited with error 1
EthanGao-oss
on 28 Jul 2019
@RomainMuller Can you help look into this issue, overriding lambda service principal in AWS China throws an error. Thanks.
EthanGao-oss
on 28 Jul 2019
Principal for Firehose is also wrong. I'm on 1.2.0, this problem is not fixed still.
dz902
on 29 Jul 2019
@EthanGao-oss no, this issue is not fixed yet. This pull request added support for aws china region. But it assumes all service principles in China regions follow the same pattern (end with 'amazonaws.com.cn'). Unfortunately, most of the service principles do not follow that pattern. The quip doc gives a very clear picture.
This has to be fixed. Otherwise, we won't be able to use CDK in China regions.
@RomainMuller @rix0rrr Can you please take a look on this issue?
bnusunny
on 30 Jul 2019
@EthanGao-oss Good news! I managed to get the overriding working!
You can find the code in this gist.
I will send a PR to fix @aws-cdk/region-info package.
bnusunny
on 31 Jul 2019
@bnusunny Thanks for the fix. I tried to override principal in cdk release 1.3.0. The same error still exsists, I assume that the fix is not merged yet?
EthanGao-oss
on 11 Aug 2019
Not yet. Still working on the PR. It touches many packages beyond region-info.
Best regards,
Harold Sun
On Aug 11, 2019, at 22:36, EthanGao-oss notifications@github.com wrote:
@bnusunny Thanks for the fix. I tried to override principal in cdk release 1.3.0. The same error still exsists, I assume that the fix is not merged yet?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
bnusunny
on 12 Aug 2019
@bnusunny after upgrading to aws-cdk 1.4.0, the problem seems still there when tried to override service principal.
`>>>region=region_info.RegionInfo.get('cn-northwest-1')
region.service_principal('lambda.amazonaws.com.cn')
'lambda.amazonaws.com.cn'
region.service_principal('lambda.amazonaws.com')
'lambda.amazonaws.com.cn'
region.service_principal('lambda')
'lambda.amazonaws.com.cn'
region_info.Fact.register(
... region_info.IFact({
... 'region': 'cn-northwest-1',
... 'name': region_info.FactName.service_principal('lambda.amazonaws.com.cn'),
... 'value': 'lambda.amazonaws.com',
... },
... allow_replacing=True
... )
... )
Traceback (most recent call last):
File "", line 7, in
File "/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/typing_extensions.py", line 1207, in _no_init
raise TypeError('Protocols cannot be instantiated')
`
With no overiding, the service role creation of Lambda failed.
1/6 | 1:56:54 PM | CREATE_FAILED | AWS::IAM::Role | BdoMetaStore/MetaDataHandler/ServiceRole (BdoMetaStoreMetaDataHandlerServiceRoleA2320EAF) Invalid principal in policy: "SERVICE":"lambda.amazonaws.com.cn" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: a63bcd05-bfea-11e9-a9eb-c529f6d7d382) new Role (/tmp/jsii-kernel-z4dLiB/node_modules/@aws-cdk/aws-iam/lib/role.js:35:22)
\_ new Function (/tmp/jsii-kernel-z4dLiB/node_modules/@aws-cdk/aws-lambda/lib/function.js:59:35)
\_ obj._wrapSandboxCode (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6666:49)
\_ Kernel._wrapSandboxCode (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7131:20)
\_ Kernel._create (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6666:26)
\_ Kernel.create (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6419:21)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6191:28)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ KernelHost.processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6233:16)
\_ KernelHost.run (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:14)
\_ processRequest (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6137:45)
\_ promise.then.val (/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:6218:21)
EthanGao-oss
on 16 Aug 2019
@EthanGao-oss the PR was not included in v1.4.0. Hopefully it will be in next release.
For now, you need to override the principal and specify the region when creating the stack.
// override lambda service principal for aws china beijing region
regionInfo.Fact.register({
region: 'cn-north-1',
name: regionInfo.FactName.servicePrincipal('lambda'),
value: 'lambda.amazonaws.com',
}, true /* Allow overriding information */);
const app = new cdk.App();
// must specify the region for the stack, otherwise the override will not work.
new LambdaCronStack(app, 'LambdaCronExample', { env: { region: 'cn-north-1' } });
@bnusunny Thanks but the overrides failed as showing "TypeError: Protocols cannot be instantiated".
From both TypeScript and Python API reference regionInfo. "regionInfo.Fact.register" requires IFact object as the parameter fact, but your sample code is using dict. Please help shed some light.
>>> new_fact=region_info.IFact(
... {
... 'region': 'cn-north-1',
... 'name': region_info.FactName.service_principal('lambda'),
... 'value': 'lambda.amazonaws.com',
... }
... )
Traceback (most recent call last):
File "<stdin>", line 5, in <module>
File "/mnt/c/Users/DELL/workspace/temp/aws-cdk-examples/python/bdo/.env/lib/python3.6/site-packages/typing_extensions.py", line 1207, in _no_init
raise TypeError('Protocols cannot be instantiated')
TypeError: Protocols cannot be instantiated
EthanGao-oss
on 17 Aug 2019
@EthanGao-oss IFact is a TypeScript interface. You can find its definition in TypeScript documents.
Interface is a structure that defines the contract in your application. It defines the syntax for classes to follow. Classes that are derived from an interface must follow the structure provided by their interface.
The TypeScript compiler does not convert interface to JavaScript. It uses interface for type checking. This is also known as "duck typing" or "structural subtyping".
Anyway, this issue is fixed in release v1.5.0. You don't need to override the IAM principal anymore.
bnusunny
on 25 Aug 2019
Great work👍. Already tried release v1.5.0, the service principal problem
is gone.
Harold Sun notifications@github.com 于2019年8月25日周日 上午10:54写道:
@EthanGao-oss https://github.com/EthanGao-oss IFact is a TypeScript
interface. You can find it definition in TypeScript documents.Interface is a structure that defines the contract in your application. It defines the syntax for classes to follow. Classes that are derived from an interface must follow the structure provided by their interface.
The TypeScript compiler does not convert interface to JavaScript. It uses interface for type checking. This is also known as "duck typing" or "structural subtyping".
Anyway, this PR is included in release v1.5.0. You don't need to override
the IAM principal anymore. :)—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/aws/aws-cdk/issues/2198?email_source=notifications&email_token=AMXM3XVWUHMWYYVJISVUX3TQGHX47A5CNFSM4HEJX4N2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5CLFPY#issuecomment-524595903,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AMXM3XTS26S7EN5FQJYMHWLQGHX47ANCNFSM4HEJX4NQ
.
EthanGao-oss
on 26 Aug 2019
Related issues
artyom-melnikov
·
3Comments
schof
·
3Comments
cybergoof
·
3Comments
EduardTheThird
·
3Comments
v-do
·
3Comments
Most helpful comment
@EthanGao-oss Good news! I managed to get the overriding working!
You can find the code in this gist.
I will send a PR to fix @aws-cdk/region-info package.