iam.ServicePrincipal injects region into Principal string #2622
Comments
What region or what workflow is this breaking for you?
This was breaking setting up CodeDeploy in the console - I couldn't set the role created in CDK as the instance profile role in the console since it didn't expect it to be regionalized.
But are you able to use the role properly, say when you're deploying everything via CloudFormation? I'm wondering if this is a console issue instead of a CDK issue :)
Yeah but not having the flexibility to determine if the region gets injected is at minimum a gap in features
On Thu, Jun 20, 2019, 8:18 AM Romain Marcadier-Muller wrote:
> But are you able to use the role properly, say when you're deploying everything via CloudFormation?
> I'm wondering if this is a console issue instead of a CDK issue :)
@KingOfPoptart - I'm not sure I agree here. One of our tenets is to issue least-privilege permissions only, and tightening the role down to the region where it's supposed to operate seems to be the right thing to do here. If you have a concrete use-case where you need to grant the "region-global" principal permissions here... Then that'd be a feature request, not a bug.
Sure - I'm happy to switch this to a feature request instead. By default, I agree, it should be locked down. But having the option to open it up is also valid.
Opened #2999. Going to close this issue.
Describe the bug
When using new iam.ServicePrincipal() - the CloudFormation that is output injects the region into the Principal and there doesn't seem to be an option to disable this behavior.
To Reproduce
Expected behavior
The default should be to not inject the region into the principal in the properties passed into new iam.ServicePrincipal(). An option to add that in might be useful for some cases, but I don't think it should be the default.
Version:
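To see which form of service principal a synthesized template actually carries, the trust policies can be audited directly. This is an added example, not code from the thread or from the CDK project; the function names are hypothetical, and because the issue does not show the generated output, the sample template (a literal region, an Fn::Join over Ref AWS::Region, and a region-less principal) is constructed.

```typescript
// Added example: audit a CloudFormation template for region-scoped service
// principals in IAM role trust policies. SAMPLE_TEMPLATE is constructed.
type Finding = { role: string; principal: string; regional: boolean };

// Flatten a principal into a string; handles literals, Ref and Fn::Join.
function render(value: unknown): string {
  if (typeof value === "string") return value;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const ref = obj["Ref"];
    if (typeof ref === "string") return "${" + ref + "}";
    const join = obj["Fn::Join"];
    if (Array.isArray(join) && Array.isArray(join[1])) {
      return (join[1] as unknown[]).map((part) => render(part)).join(String(join[0]));
    }
  }
  return "<unresolved>";
}

// service.<region>.<suffix>, where region is a literal or Ref AWS::Region.
const REGIONAL = /^[a-z0-9-]+\.([a-z]{2}(-[a-z]+)+-\d|\$\{AWS::Region\})\./;

function auditServicePrincipals(template: { Resources?: Record<string, any> }): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources || {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (!res || res.Type !== "AWS::IAM::Role") continue;
    const doc = (res.Properties || {}).AssumeRolePolicyDocument || {};
    const stmts: any[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    for (const stmt of stmts) {
      const svc = stmt && stmt.Principal ? stmt.Principal.Service : undefined;
      if (svc === undefined) continue;
      const list: unknown[] = Array.isArray(svc) ? svc : [svc]; // one value or a list
      for (const p of list) {
        const principal = render(p);
        findings.push({ role: id, principal, regional: REGIONAL.test(principal) });
      }
    }
  }
  return findings;
}

const trust = (service: unknown) => ({ Type: "AWS::IAM::Role", Properties: {
  AssumeRolePolicyDocument: { Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: service } }] } } });
const SAMPLE_TEMPLATE = { Resources: {
  LiteralRegion: trust("codedeploy.us-east-1.amazonaws.com"),
  TokenRegion: trust({ "Fn::Join": ["", ["codedeploy.", { Ref: "AWS::Region" }, ".", { Ref: "AWS::URLSuffix" }]] }),
  Global: trust("codedeploy.amazonaws.com"),
} };
for (const f of auditServicePrincipals(SAMPLE_TEMPLATE)) console.log(f.role, f.principal, f.regional);
```

Roles flagged as regional can only be assumed through the service endpoint of that region, which is the least-privilege default discussed in the thread.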