docs(ec2): update aws-ec2 README to include workaround for using a service principal in VPCEService allowedPrincipals #29512

Merged
merged 3 commits into from
Mar 21, 2024
Changes from 1 commit
10 changes: 10 additions & 0 deletions packages/aws-cdk-lib/aws-ec2/README.md
Expand Up @@ -1052,6 +1052,16 @@ new ec2.VpcEndpointService(this, 'EndpointService', {
});
```

To include a service principal in the `allowedPrincipals`, there is a workaround where you can use a service principal string as input to the `ArnPrincipal` type. The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
```ts
Contributor (review comment):

Suggested change

Original lines:
To include a service principal in the `allowedPrincipals`, there is a workaround where you can use a service principal string as input to the `ArnPrincipal` type. The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
```ts

Suggested lines:
You can also include a service principal in the `allowedPrincipals` property by specifying it as a parameter to the `ArnPrincipal` constructor.
The resulting VPC endpoint will have an allowlisted principal of type `Service`, instead of `Arn` for that item in the list.
```ts

Contributor Author (reply):
I'll make this change in the revision that includes the tests.

declare const networkLoadBalancer: elbv2.NetworkLoadBalancer;

new ec2.VpcEndpointService(this, 'EndpointService', {
vpcEndpointServiceLoadBalancers: [networkLoadBalancer],
allowedPrincipals: [new iam.ArnPrincipal('someservice.amazonaws.com')],
});
```

Endpoint services support private DNS, which makes it easier for clients to connect to your service by automatically setting up DNS in their VPC.
You can enable private DNS on an endpoint service like so:
