-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ec2: Creating an InterfaceVpcEndpoint fails with VPC Endpoint Service in another account #28851
Comments
Turns out that CloudFormation performs VPC service name lookups using random role names, created and assigned during stack deployment. My Service was allowing only specific roles and users to access itself, and hiding from any other roles in the sub-account. I had to widen the pool of permitted principals in order for the construct to work for me. So in the main account, the principals I added to the service had to be constructed like so:
to allow all roles and users defined within that specific sub-account. So now I don't know whether the construct's behaviour is correct or not. From practical point of view I don't think that a service should have to broaden its permissions this much to become visible, but I don't see any way to provide a specific IAM role or user to the construct. Am I missing something here? |
Hi
How did you figure out that? Can you share more details? |
Hi, in all honesty I'm not 100% sure, because I didn't find any specific logs from CF regarding the roles. I do have IDs of some failing requests, but I don't know where to look them up for any additional info. If you could please tell me where I can find some traces, or logs, or whatever else to help debug this, then I'd be happy to look it up. My conclusion does, however, seem consistent with my findings in some other approaches I experimented with when trying to find my way around this issue. I don't remember which exactly yielded the randomized role name in the logs, but one of them did. I spent pretty much the whole day on this, so it's a bit of a haze... Things I tried:
All roles for all approaches were created automatically by CF during the deployment phase, so that pointed me to a role name issue. Once I determined it may have been the problem, I widened the permissions to allow all users and roles from the specific sub-account, and voila! It finally worked. Sorry if I'm rambling; as I said earlier, I tried so many random approaches that it's all a blur now... |
Describe the bug
I have the main account and a sub-account (organization).
In the main account I have:
In the sub-account, I have a network stack setting up a VPC. In the same stack, I'm trying to create an interface endpoint for the service exposed in the main account. My sub-account role is added to the service as allowed principal. I am able to create the endpoint both from the console, and from the CLI.
Expected Behavior
The deployment should not fail, instead it should create a new
VpcInterfaceEndpoint
pointing at the providedVpcInterfaceService
.Current Behavior
When trying to create the endpoint using CDK, the deployment fails with (real service name changed):
However this CLI command succeeds (service IDs changed):
Reproduction Steps
Failing CDK script:
However this CLI call succeeded (I changed the VPC ID and subnet IDs here for safety):
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.121.1
Framework Version
No response
Node.js Version
v20.9.0
OS
Linux Manjaro 6.1.69-1-MANJARO x86_64 GNU/Linux
Language
TypeScript
Language Version
TypeScript 5.3.3
Other information
No response
The text was updated successfully, but these errors were encountered: