
aws-iam: service principal name mismatch in CN partition #31767

@jy19

Description

Describe the bug

Hey folks, we have a CDK stack that currently creates an IAM role that does this:

assumedBy: new ServicePrincipal("elasticmapreduce.amazonaws.com"),
(this uses iam.ServicePrincipal)

When we upgrade our CDK version, infrastructure that uses this role starts failing to create EMR clusters in the CN partition, because we noticed that the role changes from elasticmapreduce.amazonaws.com.cn to elasticmapreduce.amazonaws.com. This seems related to this CDK change that removes "deprecated SP mappings". I am trying to work around this by creating a temporary mapping for EMR, so I explicitly specify the endpoint like so:
assumedBy: new ServicePrincipal("elasticmapreduce.amazonaws.com.cn"),

But when I run cdk diff against my CN stack I see this:

 [-]       "Service": {
 [-]         "Fn::Join": [
 [-]           "",
 [-]           [
 [-]             "elasticmapreduce.",
 [-]             {
 [-]               "Ref": "AWS::URLSuffix"
 [-]             }
 [-]           ]
 [-]         ]
 [-]       }
 [+]       "Service": "elasticmapreduce.amazonaws.com"
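Review bot: the removed Fn::Join form resolved the suffix per partition through Ref AWS::URLSuffix (amazonaws.com.cn in the aws-cn partition), whereas the added line hard-codes the literal elasticmapreduce.amazonaws.com, so the same synthesized template now carries a commercial-partition suffix in a CN stack even though the ServicePrincipal was constructed with elasticmapreduce.amazonaws.com.cn; the input string's suffix is being dropped, not preserved.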

Why does it ignore the name? I see in the cdk file it says the format should still be supported.

Last Known Working CDK Version

The CDK version in our CN regions is ~2.130.0; we are trying to upgrade to ~2.150.0.

Expected Behavior

I expected that specifying elasticmapreduce.amazonaws.com.cn on ServicePrincipal to put that same string into the created iam role.

Current Behavior

Specifying elasticmapreduce.amazonaws.com.cn on ServicePrincipal gets translated to elasticmapreduce.amazonaws.com in the iam role.

Reproduction Steps

Repro steps:
Create an IAM role with a trust relationship to the service principal elasticmapreduce.amazonaws.com.cn in a CN region.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.158.0

Framework Version

No response

Node.js Version

^20.11.22

OS

amazon linux

Language

TypeScript

Language Version

^5.3.3

Other information

No response
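The mismatch the report describes is easy to catch before deployment, because it is visible in the synthesized template: the trust policy's Service principal either ends in the partition's URL suffix or it does not. The following is an added check of my own, not code from the reporter's stack and not part of the aws-cdk project. It resolves the two principal shapes seen in the cdk diff above (a plain string, and Fn::Join over Ref AWS::URLSuffix) for a chosen partition and flags any AWS::IAM::Role whose trust policy names a service principal with the wrong suffix. Assumptions: the partition-to-suffix table is mine (AWS::URLSuffix resolves to amazonaws.com.cn in aws-cn and amazonaws.com elsewhere), the sample template is constructed to mirror the diff, and the rule "every service principal in a partition uses that partition's suffix" is the reporter's premise for EMR; treat the output as a review list rather than a verdict, since not every service follows it.

```typescript
// Added example: post-synth check for partition/suffix mismatches in IAM role trust
// policies. Not from the issue reporter or the aws-cdk project. Intended to run over
// the JSON templates that `cdk synth` writes (cdk.out/*.template.json).

type Json = any; // loose typing for CloudFormation template fragments (assumption)

// Assumed mapping of partition -> value of Ref AWS::URLSuffix in that partition.
const URL_SUFFIX: Record<string, string> = {
  "aws": "amazonaws.com",
  "aws-cn": "amazonaws.com.cn",
  "aws-us-gov": "amazonaws.com",
};

function suffixFor(partition: string): string {
  const suffix = URL_SUFFIX[partition];
  if (!suffix) throw new Error(`unknown partition: ${partition}`);
  return suffix;
}

// Resolve the subset of intrinsics CDK emits for service principals:
// a plain string, { "Fn::Join": [sep, [parts...]] } and { "Ref": "AWS::URLSuffix" }.
function resolvePrincipal(node: Json, partition: string): string {
  if (typeof node === "string") return node;
  if (node && typeof node === "object") {
    if (node.Ref === "AWS::URLSuffix") return suffixFor(partition);
    if (Array.isArray(node["Fn::Join"])) {
      const [sep, parts] = node["Fn::Join"];
      return (parts as Json[]).map((p) => resolvePrincipal(p, partition)).join(sep);
    }
  }
  throw new Error(`unsupported principal expression: ${JSON.stringify(node)}`);
}

interface Finding {
  role: string;            // logical ID of the AWS::IAM::Role
  principal: string;       // resolved service principal as it would be deployed
  expectedSuffix: string;  // suffix the target partition uses
}

// Walk every AWS::IAM::Role and flag Service principals that do not end with the
// partition's URL suffix. A wrong suffix means the service cannot assume the role there.
function checkTrustPolicies(template: Json, partition: string): Finding[] {
  const expectedSuffix = suffixFor(partition);
  const findings: Finding[] = [];
  const resources = template.Resources ?? {};
  for (const [logicalId, res] of Object.entries<Json>(resources)) {
    if (res.Type !== "AWS::IAM::Role") continue;
    const statements = res.Properties?.AssumeRolePolicyDocument?.Statement ?? [];
    for (const stmt of statements) {
      const svc = stmt.Principal?.Service;
      if (svc === undefined) continue; // AWS/Federated principals are out of scope here
      const list = Array.isArray(svc) ? svc : [svc];
      for (const entry of list) {
        const principal = resolvePrincipal(entry, partition);
        if (!principal.endsWith("." + expectedSuffix)) {
          findings.push({ role: logicalId, principal, expectedSuffix });
        }
      }
    }
  }
  return findings;
}

// Constructed sample template: one role in the pre-upgrade Fn::Join shape and one in
// the post-upgrade literal shape, both taken from the cdk diff in the report.
const SAMPLE_TEMPLATE = {
  Resources: {
    EmrRoleOld: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{
            Effect: "Allow", Action: "sts:AssumeRole",
            Principal: { Service: { "Fn::Join": ["", ["elasticmapreduce.", { Ref: "AWS::URLSuffix" }]] } },
          }],
        },
      },
    },
    EmrRoleNew: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{
            Effect: "Allow", Action: "sts:AssumeRole",
            Principal: { Service: "elasticmapreduce.amazonaws.com" },
          }],
        },
      },
    },
  },
};

// Stand-alone run: report mismatches as they would appear for a CN stack.
for (const f of checkTrustPolicies(SAMPLE_TEMPLATE, "aws-cn")) {
  console.log(`${f.role}: ${f.principal} does not end with .${f.expectedSuffix}`);
}
```

Run against the aws-cn partition, only EmrRoleNew is reported: the Fn::Join form still resolves to elasticmapreduce.amazonaws.com.cn, while the literal is stuck at the commercial suffix. Against the aws partition nothing is reported, which is exactly why a regression like this is invisible in non-CN pipelines and is worth wiring into the CN deployment's pre-deploy step.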

Labels

  • @aws-cdk/aws-iam (Related to AWS Identity and Access Management)
  • bug (This issue is a bug.)
  • effort/small (Small work item – less than a day of effort)
  • needs-reproduction (This issue needs reproduction.)
  • potential-regression (Marking this issue as a potential regression to be checked by team member)