Describe the bug
When using `new iam.ServicePrincipal()`, the CloudFormation that is output injects the region into the Principal, and there doesn't seem to be an option to disable this behavior.
To Reproduce
```typescript
// Create a service principal, point it to "codedeploy.amazonaws.com"
new iam.Role(this, 'IamRoleWithServicePrincipal', {
  assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
  managedPolicyArns: [
    'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole',
    'arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS',
  ],
  roleName: 'myrole'
});
```

```yaml
# This is what gets output from cdk synth - Note that `Ref: AWS::Region`
# gets included as part of the Service Principal
Resources:
  myroleD153DA9E:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                Fn::Join:
                  - ""
                  - - codedeploy.
                    - Ref: AWS::Region
                    - "."
                    - Ref: AWS::URLSuffix
        Version: "2012-10-17"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
        - arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS
      RoleName: myrole
```
Expected behavior
The default should be to not inject the region into the principal in the properties passed into `new iam.ServicePrincipal()`. An option to add that in might be useful for some cases, but I don't think it should be the default.
Version:
- OS: OSX
- Programming Language: TypeScript
- CDK Version: 0.31.0
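Added example (not part of the original issue or the CDK project's code): a TypeScript check that walks a synthesized template, loaded as JSON, and lists IAM role trust statements whose `Service` principal is built from `Ref: AWS::Region`, the pattern shown in the synth output above. The function names, the `PlainRole` resource and the inline sample template are constructed for illustration.

```typescript
// Added example: function names and the sample template are constructed.
type Json = any;

// True if the node is, or contains, {"Ref": "AWS::Region"}.
function refersToRegion(node: Json): boolean {
  if (Array.isArray(node)) return node.some(refersToRegion);
  if (node === null || typeof node !== "object") return false;
  if (node["Ref"] === "AWS::Region") return true;
  return Object.keys(node).some((k) => refersToRegion(node[k]));
}

// Lists "<logicalId>: <principal>" for every IAM role trust statement whose
// Service principal is assembled from the region pseudo parameter.
function findRegionalServicePrincipals(template: Json): string[] {
  const findings: string[] = [];
  const resources = (template && template.Resources) || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== "AWS::IAM::Role") continue;
    const doc = (res.Properties || {}).AssumeRolePolicyDocument || {};
    const raw = doc.Statement || [];
    const statements: Json[] = Array.isArray(raw) ? raw : [raw];
    for (const stmt of statements) {
      const svc = (stmt.Principal || {}).Service;
      const services: Json[] = Array.isArray(svc) ? svc : [svc];
      for (const s of services) {
        if (refersToRegion(s)) findings.push(`${logicalId}: ${JSON.stringify(s)}`);
      }
    }
  }
  return findings;
}

// Constructed sample: builds a minimal role resource around one Service principal.
const trust = (service: Json): Json => ({
  Type: "AWS::IAM::Role",
  Properties: { AssumeRolePolicyDocument: { Version: "2012-10-17",
    Statement: [{ Action: "sts:AssumeRole", Effect: "Allow", Principal: { Service: service } }] } },
});
const sampleTemplate: Json = { Resources: {
  // Trust policy principal as shown in the synth output above.
  myroleD153DA9E: trust({ "Fn::Join": ["", ["codedeploy.", { Ref: "AWS::Region" }, ".", { Ref: "AWS::URLSuffix" }]] }),
  // Constructed: the plain principal string passed to iam.ServicePrincipal().
  PlainRole: trust("codedeploy.amazonaws.com"),
} };

console.log(findRegionalServicePrincipals(sampleTemplate));
```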