@aws-cdk/aws-iam: ServicePrincipal generates an invalid principal in policy, MalformedPolicyDocument #17646
Closed
Labels
@aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug), effort/small (Small work item, less than a day of effort), p1
Description
What is the problem?
While creating a role with a principal, the default region (the region from the stack) or a specified region is used. That generates a regional principal endpoint, which it looks like is not the case for SSM and, I suppose, other services. That makes the CloudFormation process fail, stating that it is an invalid IAM principal in the policy.
I'm opening this in @aws-cdk/aws-iam, where I found the issue, but maybe this is a CloudFormation issue or an incompatibility?
Reproduction Steps
```ts
import * as iam from '@aws-cdk/aws-iam';

const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
  roleName: 'my-role',
});
```

Generated CloudFormation:
```json
{
  "MyRoleA6F33B68": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": {
                "Fn::Join": [
                  "",
                  [
                    "ssm.",
                    {
                      "Ref": "AWS::Region"
                    },
                    ".amazonaws.com"
                  ]
                ]
              }
            }
          }
        ],
        "Version": "2012-10-17"
      }
    }
  }
}
```

What did you expect to happen?
Successful deployment with cdk deploy
What actually happened?
```
cdk deploy | UPDATE_FAILED | Invalid principal in policy: "SERVICE":"ssm.eu-west-1.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 5763050d-c789-49ef-b7d7-9e80a62f0e9e; Proxy: null) |
```
CDK CLI Version
1.133.0
Framework Version
No response
Node.js Version
v14.15.4
OS
MacOs Monterey 12.0.1 (21A559)
Language
Typescript
Language Version
Typescript (4.5.2)
Other information
There is a workaround for that:
```ts
import * as iam from '@aws-cdk/aws-iam';

const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('ssm.amazonaws.com'),
  roleName: 'my-role',
});
const lambdaRoleAsCfn = lambdaRole.node.defaultChild as iam.CfnRole;
// Workaround: Invalid principal in policy: "SERVICE":"ssm.eu-west-1.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
// eslint-disable-next-line max-len
lambdaRoleAsCfn.addOverride('Properties.AssumeRolePolicyDocument.Statement.0.Principal.Service', 'ssm.amazonaws.com');
```

With this, the deployment works.
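The failure above only surfaces at deploy time, after CloudFormation has already started an update. A cheaper place to catch it is the synthesized template in `cdk.out`. The following is an added example, not code from the issue or from the CDK project: it walks a CloudFormation template, flags every `AWS::IAM::Role` whose trust-policy `Service` principal is an `Fn::Join` containing `{"Ref": "AWS::Region"}` (the shape shown in the generated template above), and derives the `addOverride` path the workaround needs. The function names (`findRegionalServicePrincipals`, `scanSample`) and the sample template are mine; the sample reuses the issue's role plus a second, constructed role with a plain string principal that must not be flagged. The check is purely structural: it does not know which services accept regional principals, it only reports where the CDK regionalized one so a reviewer can decide.

```typescript
// Added example: pre-deploy check for regionalized IAM service principals in a
// synthesized CloudFormation template. Not part of the issue or of the CDK.

type CfnObject = { [key: string]: any };

interface Finding {
  logicalId: string;          // logical ID of the AWS::IAM::Role
  statementIndex: number;     // index into AssumeRolePolicyDocument.Statement
  overridePath: string;       // path usable with CfnRole.addOverride(...)
  renderedPrincipal: string;  // the Fn::Join rendered with the region left symbolic
}

// True when `value` is an Fn::Join whose parts include a Ref to AWS::Region.
function isRegionalJoin(value: any): boolean {
  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
  const join = value["Fn::Join"];
  if (!Array.isArray(join) || join.length !== 2 || !Array.isArray(join[1])) return false;
  return join[1].some(
    (part: any) => typeof part === "object" && part !== null && part["Ref"] === "AWS::Region",
  );
}

// Render the Fn::Join as a string, substituting "${AWS::Region}" for the Ref,
// so the finding reads like the principal CloudFormation would produce.
function renderJoin(value: CfnObject): string {
  const join = value["Fn::Join"];
  const delimiter: string = join[0];
  return join[1].map((part: any) => (typeof part === "string" ? part : "${AWS::Region}")).join(delimiter);
}

// Scan every AWS::IAM::Role in the template. `Service` may be a single value or a list,
// so the override path gets a trailing index only in the list case.
function findRegionalServicePrincipals(template: CfnObject): Finding[] {
  const findings: Finding[] = [];
  const resources: CfnObject = template["Resources"] || {};
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (resource["Type"] !== "AWS::IAM::Role") continue;
    const doc = (resource["Properties"] || {})["AssumeRolePolicyDocument"] || {};
    const statements: any[] = doc["Statement"] || [];
    statements.forEach((stmt, i) => {
      const service = (stmt["Principal"] || {})["Service"];
      const candidates: any[] = Array.isArray(service) ? service : [service];
      candidates.forEach((svc, j) => {
        if (!isRegionalJoin(svc)) return;
        const base = `Properties.AssumeRolePolicyDocument.Statement.${i}.Principal.Service`;
        findings.push({
          logicalId,
          statementIndex: i,
          overridePath: Array.isArray(service) ? `${base}.${j}` : base,
          renderedPrincipal: renderJoin(svc),
        });
      });
    });
  }
  return findings;
}

// Constructed sample template: the role from this issue (regionalized principal) plus a
// second role with a plain string principal that the check must leave alone.
const sampleTemplate: CfnObject = JSON.parse(`{
  "Resources": {
    "MyRoleA6F33B68": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": { "Service": { "Fn::Join": ["", ["ssm.", { "Ref": "AWS::Region" }, ".amazonaws.com"]] } }
          }],
          "Version": "2012-10-17"
        }
      }
    },
    "OtherRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } }],
          "Version": "2012-10-17"
        }
      }
    }
  }
}`);

// Entry point over the constructed sample; in practice pass the parsed cdk.out template.
function scanSample(): Finding[] {
  return findRegionalServicePrincipals(sampleTemplate);
}

for (const f of scanSample()) {
  console.log(`${f.logicalId}: regional service principal ${f.renderedPrincipal} (override path: ${f.overridePath})`);
}
```

Run it against each `*.template.json` under `cdk.out` after `cdk synth`; a non-empty result is the signal to either apply the `addOverride` workaround at the reported path or confirm the service really does accept a regional principal before deploying.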