(aws-ec2): VpcEndpointService allowedPrincipals has type of ArnPrincipal[], but should also support the ServicePrincipal type #29478
Comments
The principals passed in will generate AllowedPrincipals in VPCEndpointServicePermissions, which literally accept any format of principals (see `packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts`, lines 127 to 130 at 87139ab).

We can't make it either ArnPrincipal type or ServicePrincipal type in CDK. I guess we need to document what we should do when we are assigning a service principal to it. And it could be the workaround you provided. I'll request the team for more input on this. And let me know if you have any further thoughts.
Hi @7e11, after investigation, I think you're right that although the documentation specifically mentions arn principal, the console doesn't stop you from using service principals. I agree with Pahud's suggestion on adding the workaround to README documentation. Since this is an issue with potential workaround, I think marking this issue as

Gotcha -- so because using SPs is a bit of an undocumented feature, we can't alter the construct to accept other principal types. I'll update the readme soon.
…service principal in VPCEService `allowedPrincipals` (#29512)

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, `ServicePrincipal` is also valid and works in the AWS console. This documentation update includes a workaround for including service principals in the `allowedPrincipals`.

### Issue #29478

Closes #29478

### Reason for this change

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type `ServicePrincipal` in `allowedPrincipals` in CDK. This is a feature gap. I brought this up in #29478, and was told that the type couldn't be changed, but the workaround I was using could be added to the documentation.

### Description of changes

Documentation update for the `aws-ec2` module which includes a workaround for including service principals in the `allowedPrincipals`.

### Description of how you validated changes

N/A - minor documentation changes only

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug

`VpcEndpointService` has the member `allowedPrincipals` which is of type `ArnPrincipal[]`. However, if you use the AWS console, allowlisting a service principal is supported as well. Users are not able to use the type `ServicePrincipal` in `allowedPrincipals` in CDK. This is a feature gap.

packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts

Expected Behavior

`VpcEndpointService` `allowedPrincipals` should support `ArnPrincipal` as well as `ServicePrincipal`.

Current Behavior

`VpcEndpointService` `allowedPrincipals` only supports `ArnPrincipal`.

Reproduction Steps

Possible Solution

Modify the `VpcEndpointService` construct to support `ServicePrincipal` as well as `ArnPrincipal` for the member `allowedPrincipals`.

Additional Information/Context

For context, this is an AWS internal service which is onboarding to privatelink, and only wants to allowlist specific service principals. This is possible in the console, but not in CDK.

There is a workaround I've been using, but it's a little janky. It's possible to pass in a service principal to the `allowedPrincipals` by wrapping it in the `ArnPrincipal` type. For example:

`new ArnPrincipal('someservice.aws.internal');`

You could also use L1 constructs, but that gets painful if you're using `VpcEndpointServiceDomainName`, because there is no corresponding L1 construct and it's nontrivial.

CDK CLI Version
2.130.0 (build bd6e5ee)

Framework Version
2.130.0

Node.js Version
v16.7.0

OS
macOS Ventura 13.6.4

Language
TypeScript

Language Version
No response

Other information
No response
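The workaround above (wrapping a service principal string in `ArnPrincipal`) means CDK's type system no longer distinguishes an account or role ARN from a service principal, and a typo or a stray `*` would reach the endpoint service's `AllowedPrincipals` allowlist unchecked. The following is an added example, not code from the issue or from the aws-cdk project: a small pre-synth guard that classifies each raw principal string and rejects wildcards, so the list handed to `allowedPrincipals` is known to contain only the kinds of principals you intend. The IAM ARN and service-principal patterns, the function names and the sample inputs are assumptions for illustration.

```typescript
// Added example (not aws-cdk code): validate the raw strings that will be
// wrapped in `ArnPrincipal` for `VpcEndpointService.allowedPrincipals`.
// Because the workaround bypasses the construct's type check, this guard
// does the classification the type system can no longer do.

type PrincipalKind = "arn" | "service";

// Assumed shape of an IAM ARN (account root, user, role, ...):
//   arn:<partition>:iam::<12-digit account id>:<resource>
const IAM_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:[A-Za-z0-9+=,.@_\-/]+$/;

// Assumed shape of a service principal: a dotted hostname such as
// `someservice.aws.internal` (the issue's example) or `lambda.amazonaws.com`.
const SERVICE_PRINCIPAL = /^[a-z0-9][a-z0-9-]*(\.[a-z0-9][a-z0-9-]*)+$/;

// Classify one principal string or throw if it is unsafe or malformed.
function classifyPrincipal(p: string): PrincipalKind {
  const value = p.trim();
  if (value.includes("*")) {
    // A wildcard in the allowlist would let any AWS account connect.
    throw new Error(`wildcard principal "${value}" is not allowed in allowedPrincipals`);
  }
  if (IAM_ARN.test(value)) return "arn";
  if (SERVICE_PRINCIPAL.test(value)) return "service";
  throw new Error(`"${value}" is neither an IAM ARN nor a service principal`);
}

// Validate the whole list; returns the de-duplicated strings grouped by kind,
// which is what would be passed on as `new ArnPrincipal(s)` for each entry.
function validateAllowedPrincipals(principals: string[]): { arns: string[]; services: string[] } {
  const arns = new Set<string>();
  const services = new Set<string>();
  for (const p of principals) {
    const kind = classifyPrincipal(p);
    (kind === "arn" ? arns : services).add(p.trim());
  }
  return { arns: [...arns], services: [...services] };
}

// Constructed sample input: one account ARN, one service principal listed twice.
const SAMPLE_PRINCIPALS = [
  "arn:aws:iam::123456789012:root",
  "someservice.aws.internal",
  "someservice.aws.internal",
];

// Stand-alone run: prints the grouped allowlist for the constructed sample.
console.log(JSON.stringify(validateAllowedPrincipals(SAMPLE_PRINCIPALS)));
```

In a CDK app the validated `arns` and `services` arrays would each be mapped through `new ArnPrincipal(s)` before being passed to `allowedPrincipals`; the guard runs at synth time, so a malformed or wildcard entry fails the build rather than landing in the deployed endpoint service permissions.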