monocdk/aws-iam: Issue when creating role with assumedBy Elastic MapReduce ServicePrincipal in CN regions

[aoguo64]

Describe the bug

Hello team,

We encountered an issue when create role that trust ElasticSearch ServicePrincipal in CN regions:

 this.serviceRole = new Role(this, 'EMRServiceRole', {
      roleName: '...',
      assumedBy: (region === 'cn-north-1' || region === 'cn-northwest-1') ?
          new ServicePrincipal('elasticmapreduce.amazonaws.com.cn') :
          new ServicePrincipal('elasticmapreduce.amazonaws.com'),
      managedPolicies: [
        ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonElasticMapReduceRole'),
        ManagedPolicy.fromAwsManagedPolicyName('AmazonS3FullAccess')
      ]
    })


    this.jobFlowRole = new Role(this, 'EMRJobFlowRole', {
      roleName: '...',
      assumedBy: (region === 'cn-north-1' || region === 'cn-northwest-1') ?
          new ServicePrincipal('ec2.amazonaws.com.cn') :
          new ServicePrincipal('ec2.amazonaws.com'),
      managedPolicies: [
        ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonElasticMapReduceforEC2Role'),
        ManagedPolicy.fromAwsManagedPolicyName('AmazonS3FullAccess')
      ]
    })

However, CDK building generates templates for CN regions (cn-north-1 and cn-northwest-1) like below:

For the first role:

...

"Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "elasticmapreduce.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
...

For the second role:

...
"Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com.cn"
              }
            }
          ],
          "Version": "2012-10-17"
        },
...

Note in above generated template, the second role has the EC2's service principal with suffix .cn, while in the first role EMR's doesn't.

I guess this is because CDK dynamically resolve the service principal through ServicePrincipal during build time. However, this behavior differs for ECS and EMR and we do need elasticmapreduce.amazonaws.com.cn as the trusted entity of role in the first role.

Could you please help clarify if this is a bug in CDK or we are not using as expected?

Also another observation is that, if we append something random at the end of EMR's service principal in our code (like new ServicePrincipal('elasticmapreduce.amazonaws.com.cnabc123')), the template generated will have exact what we put instead of overriding it to elasticmapreduce.amazonaws.com:

...
"Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "elasticmapreduce.amazonaws.com.cnabc123" <<<<<< 
              }
            }
...

Expected Behavior

Service principal elasticmapreduce.amazonaws.com.cn should be attached to the role in the generated template for CN regions.

Current Behavior

Service principal elasticmapreduce.amazonaws.com.cn should be attached to the role in the generated template for CN regions but it has been overridden to elasticmapreduce.amazonaws.com

Reproduction Steps

Same as in description above.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

CDKBuild-2.x

Framework Version

No response

Node.js Version

NodeJS = 12.x

OS

Linux/macOS

Language

Typescript

Language Version

No response

Other information

No response

[RomainMuller]

This is likely because elasticmapreduce isn't properly configured in:

aws-cdk/packages/@aws-cdk/region-info/lib/default.ts

Lines 37 to 118 in 4f3a340

	function determineConfiguration(service: string): (service: string, region: string, urlSuffix: string) => string {
	function universal(s: string) { return `${s}.amazonaws.com`; }
	function partitional(s: string, _: string, u: string) { return `${s}.${u}`; }
	function regional(s: string, r: string) { return `${s}.${r}.amazonaws.com`; }
	function regionalPartitional(s: string, r: string, u: string) { return `${s}.${r}.${u}`; }
	// Exceptions for Service Principals in us-iso-*
	const US_ISO_EXCEPTIONS = new Set([
	'cloudhsm',
	'config',
	'states',
	'workspaces',
	]);
	// Account for idiosyncratic Service Principals in `us-iso-*` regions
	if (region.startsWith('us-iso-') && US_ISO_EXCEPTIONS.has(service)) {
	switch (service) {
	// Services with universal principal
	case ('states'):
	return universal;
	// Services with a partitional principal
	default:
	return partitional;
	}
	}
	// Exceptions for Service Principals in us-isob-*
	const US_ISOB_EXCEPTIONS = new Set([
	'dms',
	'states',
	]);
	// Account for idiosyncratic Service Principals in `us-isob-*` regions
	if (region.startsWith('us-isob-') && US_ISOB_EXCEPTIONS.has(service)) {
	switch (service) {
	// Services with universal principal
	case ('states'):
	return universal;
	// Services with a partitional principal
	default:
	return partitional;
	}
	}
	switch (service) {
	// SSM turned from global to regional at some point
	case 'ssm':
	return before(region, RULE_SSM_PRINCIPALS_ARE_REGIONAL)
	? universal
	: regional;
	// CodeDeploy is regional+partitional in CN, only regional everywhere else
	case 'codedeploy':
	return region.startsWith('cn-')
	? regionalPartitional
	// ...except in the isolated regions, where it's universal
	: (region.startsWith('us-iso') ? universal : regional);
	// Services with a regional AND partitional principal
	case 'logs':
	return regionalPartitional;
	// Services with a regional principal
	case 'states':
	return regional;
	// Services with a partitional principal
	case 'ec2':
	return partitional;
	// Services with a universal principal across all regions/partitions (the default case)
	default:
	return universal;
	}
	};
	const configuration = determineConfiguration(serviceName);
	return configuration(serviceName, region, urlSuffix);
	}

[aoguo64]

As CDK team suggested we shouldn't tune service principal based on region manually, while ServicePrincipal class should handle this automatically based on the region it deploys. However, we have our code like below:

    this.serviceRole = new Role(this, 'EMRServiceRole', {
      roleName: '......',
      assumedBy: new ServicePrincipal('elasticmapreduce.amazonaws.com'),
      managedPolicies: [
        ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonElasticMapReduceRole'),
        ManagedPolicy.fromAwsManagedPolicyName('AmazonS3FullAccess')
      ]
    })

    this.jobFlowRole = new Role(this, 'EMRJobFlowRole', {
      roleName: '......',
      assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
      managedPolicies: [
        ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonElasticMapReduceforEC2Role'),
        ManagedPolicy.fromAwsManagedPolicyName('AmazonS3FullAccess')
      ]
    })

The behavior stays the same, the generated template is still using elasticmapreduce.amazonaws.com for EMR Service Principal and using ec2.amazonaws.com.cn for EC2 in CN regions.

[RomainMuller]

According to the information I see in internal systems, elasticmapreduce.amazonaws.com is a valid service principal name for EMR in the aws-cn partition (I also see elasticmapreduce.amazonaws.com.cn in the list though)... Does that principal not work (deployment fails / permissions are not applied), or are you just surprised by the value?

[aoguo64]

elasticmapreduce.amazonaws.com does not work in our case, we are using a role trusting EMR's service principal to dial up a cluster but failed with the cluster simply marked as "Terminated with errors - internal error" and there is no log in CN regions (usually there are some logs dumped into S3 in other successful regions). We tried updating the role in IAM on our non-prod stage manually to bypass the CDK build and deploy for verification purpose and the cluster dialed up successfully.

See this [internal post]LINK REDACTED regarding the same situation we have (using service principal with .cn suffix works)

[aoguo64]

Following up with this issue, do we have any updates on it?

[peterwoodworth]

We're working on a fix 🙂 #20014