Specific addServicePrincipal methods for services #55

Open
akefirad opened this issue Feb 11, 2021 · 7 comments
Labels: question (Further information is requested)

Comments

@akefirad (Author)
Is there any plan to support this? For example:

```ts
import * as statement from 'cdk-iam-floyd'; // import path assumed, not in the original snippet

const policy = new statement.Sns()
  .allow()
  .toPublish()
  .onTopic(myTopic);

// policy.addServicePrincipal('ses.amazonaws.com');
policy.addSesServicePrincipal(); // proposed method, does not exist yet
```

Any help you need with this?
BTW: what's the reason addServicePrincipal returns void and not this?

@akefirad akefirad added the question Further information is requested label Feb 11, 2021
@udondan (Owner) commented Feb 12, 2021

Hi @akefirad,

the method addServicePrincipal is actually not part of the Floyd package. All the IAM statement classes in the Floyd package extend iam.PolicyStatement from the CDK itself. That's where this method comes from. Nothing wrong with directly using it, but yeah, it returns void.

Floyd though provides other methods for adding principals. For a service principal there is .forService('...'):

```ts
import * as statement from 'cdk-iam-floyd'; // import path assumed

const policy = new statement.Sns()
  .allow()
  .toPublish()
  .onTopic(myTopic)
  .forService('ses.amazonaws.com'); // adds the service principal and returns the statement, so the chain continues
```

Alternatively you can also directly use CDK principals:

```ts
import * as iam from 'aws-cdk-lib/aws-iam'; // CDK v2 path assumed; CDK v1 used '@aws-cdk/aws-iam'
import * as statement from 'cdk-iam-floyd'; // import path assumed

const policy = new statement.Sns()
  .allow()
  .toPublish()
  .onTopic(myTopic)
  .forCdkPrincipal(
    new iam.ServicePrincipal('ses.amazonaws.com')
  );
```

Implementing something like what you envision (e.g. .forServiceSes()) would be possible, but I would like to not get into the business of manually managing the services that are valid for referencing as a principal. So this would probably involve scraping this document. But how to get from the table content to the actual service names... that seems to be the tricky part. Also, there seems to be no indicator in the IAM service description itself of whether a service can be used in a service role, e.g. SES. Nor is the domain (ses.amazonaws.com) listed there... I'm not 100% sure it is always the service prefix (ses) with .amazonaws.com appended.

But yeah, I agree, it would be cool to have this functionality. In fact, looking up the service domains for principals is one of the rare cases where I still have to go to the AWS IAM docs.

Cheers,
Daniel

@akefirad (Author)

Good point. Thanks for the code snippet.

@udondan (Owner) commented Feb 22, 2024

Reading through that first link... things seem quite complicated. Some service principals vary based on region and partition while most do not. Examples:

  • ec2.amazonaws.com.cn - Different TLD in China
  • kinesis.us-gov-east-1.amazonaws.com - Region based in us-gov, injecting a 2nd level in the middle
  • cognito-identity-us-gov.amazonaws.com - Partition based, completely changing the 2nd level

This all seems to be very random.

If we ignored all the variations... we might be able to generate a list that covers most principals. We already have all AWS managed policies in our codebase and can generate a list of 203 domains that look like they can be used as principals:

```text
$ grep -rhoE '[^[:space:],;"'\''/*]+\.amazonaws\.com' docs/source/_static/managed-policies/ | sort | uniq -c | sort -nr
  58 ec2.amazonaws.com
  23 cloudformation.amazonaws.com
  21 autoscaling.amazonaws.com
  20 ssm.amazonaws.com
  20 securitylake.amazonaws.com
  16 launchwizard.amazonaws.com
  16 events.amazonaws.com
  15 lambda.amazonaws.com
  15 elasticloadbalancing.amazonaws.com
  15 backup.amazonaws.com
  14 sagemaker.amazonaws.com
  13 glue.amazonaws.com
  12 spot.amazonaws.com
  12 rds.amazonaws.com
  11 ecs.amazonaws.com
  11 drs.amazonaws.com
  11 codeguru-reviewer.amazonaws.com
  11 cleanrooms.amazonaws.com
  10 elasticbeanstalk.amazonaws.com
   9 sso.amazonaws.com
   9 lexv2.amazonaws.com
   9 devops-guru.amazonaws.com
   9 application-autoscaling.amazonaws.com
   8 robomaker.amazonaws.com
   8 mgn.amazonaws.com
   8 elasticmapreduce.amazonaws.com
   8 application-insights.amazonaws.com
   7 spotfleet.amazonaws.com
   7 lex.amazonaws.com
   7 lakeformation.amazonaws.com
   7 dataexchange.amazonaws.com
   6 servicecatalog-appregistry.amazonaws.com
   6 imagebuilder.amazonaws.com
   6 ecs-tasks.amazonaws.com
   6 docdb-elastic.amazonaws.com
   6 continuousexport.discovery.amazonaws.com
   6 config-conforms.amazonaws.com
   6 cloud9.amazonaws.com
   6 channels.lexv2.amazonaws.com
   5 servicequotas.amazonaws.com
   5 securityhub.amazonaws.com
   5 schemas.amazonaws.com
   5 reporting.trustedadvisor.amazonaws.com
   5 ram.amazonaws.com
   5 iot.amazonaws.com
   5 fsx.amazonaws.com
   5 fms.amazonaws.com
   5 codepipeline.amazonaws.com
   4 vpc-lattice.amazonaws.com
   4 sqlworkbench.amazonaws.com
   4 sagemaker.application-autoscaling.amazonaws.com
   4 resource-explorer-2.amazonaws.com
   4 replication.lexv2.amazonaws.com
   4 macie.amazonaws.com
   4 iotsitewise.amazonaws.com
   4 dynamodb.application-autoscaling.amazonaws.com
   4 delivery.logs.amazonaws.com
   4 cloudtrail.amazonaws.com
   4 channels.lex.amazonaws.com
   4 cassandra.application-autoscaling.amazonaws.com
   4 braket.amazonaws.com
   4 auditmanager.amazonaws.com
   4 appflow.amazonaws.com
   4 apidestinations.events.amazonaws.com
   3 scraper.aps.amazonaws.com
   3 scheduler.amazonaws.com
   3 s3.data-source.lustre.fsx.amazonaws.com
   3 remediation.config.amazonaws.com
   3 redshift.amazonaws.com
   3 proton.amazonaws.com
   3 profile.amazonaws.com
   3 pipes.amazonaws.com
   3 nimble.amazonaws.com
   3 neptune-graph.amazonaws.com
   3 kafka.amazonaws.com
   3 inspector.amazonaws.com
   3 greengrass.amazonaws.com
   3 events.workmail.amazonaws.com
   3 detective.amazonaws.com
   3 databrew.amazonaws.com
   3 cost-optimization-hub.bcm.amazonaws.com
   3 connect.amazonaws.com
   3 cognito-identity.amazonaws.com
   3 appsync.amazonaws.com
   3 apprunner.amazonaws.com
   3 acm.amazonaws.com
   2 wafv2.amazonaws.com
   2 transitgateway.amazonaws.com
   2 transfer.amazonaws.com
   2 sync.proton.amazonaws.com
   2 ssm-sap.amazonaws.com
   2 smsintegration.migrationhub.amazonaws.com
   2 s3.amazonaws.com
   2 restore-testing.backup.amazonaws.com
   2 replication.cassandra.amazonaws.com
   2 refactor-spaces.amazonaws.com
   2 redshift-data.amazonaws.com
   2 qldb.amazonaws.com
   2 panorama.amazonaws.com
   2 osis.amazonaws.com
   2 orgsdatasync.servicecatalog.amazonaws.com
   2 organizations.amazonaws.com
   2 omics.amazonaws.com
   2 mq.amazonaws.com
   2 migrationhub.amazonaws.com
   2 migrationhub-strategy.amazonaws.com
   2 migrationhub-orchestrator.amazonaws.com
   2 memorydb.amazonaws.com
   2 managedupdates.elasticbeanstalk.amazonaws.com
   2 malware-protection.guardduty.amazonaws.com
   2 maintenance.elasticbeanstalk.amazonaws.com
   2 license-manager.member-account.amazonaws.com
   2 license-management.marketplace.amazonaws.com
   2 iotroborunner.amazonaws.com
   2 health.amazonaws.com
   2 guardduty.amazonaws.com
   2 globalaccelerator.amazonaws.com
   2 forecast.amazonaws.com
   2 firehose.amazonaws.com
   2 email.cognito-idp.amazonaws.com
   2 elasticache.amazonaws.com
   2 eks-connector.amazonaws.com
   2 ec2fleet.amazonaws.com
   2 ec2.application-autoscaling.amazonaws.com
   2 dmsintegration.migrationhub.amazonaws.com
   2 dax.amazonaws.com
   2 custom.rds.amazonaws.com
   2 custom.rds-preview.amazonaws.com
   2 controltower.amazonaws.com
   2 config-multiaccountsetup.amazonaws.com
   2 cognito-idp.amazonaws.com
   2 cognito-identity-us-gov.amazonaws.com
   2 codebuild.amazonaws.com
   2 codeartifact.amazonaws.com
   2 cleanrooms-ml.amazonaws.com
   2 chime.amazonaws.com
   2 bugbust.amazonaws.com
   2 bedrock.amazonaws.com
   2 assets.marketplace.amazonaws.com
   2 appstream.application-autoscaling.amazonaws.com
   2 appmesh.amazonaws.com
   2 application-signals.cloudwatch.amazonaws.com
   2 appfabric.amazonaws.com
   2 a4b.amazonaws.com
   1 vmie.amazonaws.com
   1 synthetics.amazonaws.com
   1 support.amazonaws.com
   1 states.amazonaws.com
   1 sms.amazonaws.com
   1 shield.amazonaws.com
   1 servicecatalog.amazonaws.com
   1 sagemaker-geospatial.amazonaws.com
   1 rum.amazonaws.com
   1 resource-groups.amazonaws.com
   1 replication.ecr.amazonaws.com
   1 replication.dynamodb.amazonaws.com
   1 rds.application-autoscaling.amazonaws.com
   1 personalize.amazonaws.com
   1 permission.iq.amazonaws.com
   1 partnercentral-account-management.amazonaws.com
   1 opsworks.amazonaws.com
   1 networkmanager.amazonaws.com
   1 network-firewall.amazonaws.com
   1 monitron.amazonaws.com
   1 medical-imaging.amazonaws.com
   1 mediaconvert.amazonaws.com
   1 lookoutmetrics.amazonaws.com
   1 lookoutequipment.amazonaws.com
   1 lightsail.amazonaws.com
   1 kinesisreplication.dynamodb.amazonaws.com
   1 kendra.amazonaws.com
   1 inspector2.amazonaws.com
   1 healthlake.amazonaws.com
   1 grafana.amazonaws.com
   1 frauddetector.amazonaws.com
   1 fis.amazonaws.com
   1 events.managedservices.amazonaws.com
   1 event-processor.health.amazonaws.com
   1 entityresolution.amazonaws.com
   1 elastictranscoder.amazonaws.com
   1 elasticfilesystem.amazonaws.com
   1 eks.amazonaws.com
   1 ecs.application-autoscaling.amazonaws.com
   1 ec2scheduled.amazonaws.com
   1 ec2fastlaunch.amazonaws.com
   1 ds.amazonaws.com
   1 datazonecontrol.amazonaws.com
   1 datazone.amazonaws.com
   1 datasync.amazonaws.com
   1 credentials.iot.amazonaws.com
   1 contributorinsights.dynamodb.amazonaws.com
   1 contract.iq.amazonaws.com
   1 config.amazonaws.com
   1 codeguru-security.amazonaws.com
   1 codeguru-profiler.amazonaws.com
   1 codecatalyst.amazonaws.com
   1 codecatalyst-runner.amazonaws.com
   1 budgets.amazonaws.com
   1 batch.amazonaws.com
   1 athena.amazonaws.com
   1 aps.amazonaws.com
   1 apigateway.amazonaws.com
   1 access-analyzer.amazonaws.com
```

I am not too deep into that principal business, so I don't know if it makes sense for all of these to be available as service principals.

Unfortunately... the service you seem to care about (SES) is not covered in any AWS managed policy, so it's not in that list... ;)

@akefirad (Author)

Hm, thanks. Missing a few cases should be fine, as long as we have a consistent way of regenerating the list. Not sure how this piece is being generated; I just wanted to make sure it's not gonna break between releases. I kinda like this feature, but it can also wait. We can come back later when there's a better solution. Up to you 🙂
Cheers,

@udondan (Owner) commented Feb 22, 2024

The list comes from grepping through the body of all AWS managed policies. I have a GitHub workflow that fetches all managed policies from the IAM service every night.

As AWS managed policies are updated almost daily, there's a chance the known principals might disappear, especially those which are only found once across all policies.

We could set this up to only add new and never remove from our cached list. But then we might collect a number of typos over time. 🤔

We can also use the gist as an (additional) source. The gist has been periodically updated for years now and appears to be a well-known resource. But I really cannot judge the quality. It's community driven, and as there's no way for the maintainer to verify the suggestions from the comments... it just doesn't feel right to generate code from random user comments.

I would really like this feature too, but there seems to be just no good way to do it, since AWS fails to document this properly and it's all just guesswork.

But yeah, we're not yet GA, so it's still room for experiments. 😅
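
The grep in udondan's Feb 22 comment and the nightly-cache question in the comment above, as an added example that is not part of this thread or of the iam-floyd project: a TypeScript extractor that walks policy documents for `*.amazonaws.com` tokens, folds the region and partition variants listed earlier (`ec2.amazonaws.com.cn`, `kinesis.us-gov-east-1.amazonaws.com`, `cognito-identity-us-gov.amazonaws.com`) onto one canonical host, counts occurrences the way `sort | uniq -c | sort -nr` does, and merges one run into a cached list with a grace window instead of the add-only scheme. The sample policies, the region regex, the `-us-gov` suffix rule and the grace-window policy are assumptions of this example, not AWS documentation.

```typescript
// Added example; not code from iam-floyd, the AWS CDK or AWS. Sample policies,
// the region/partition heuristics and the cache policy are assumptions.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

/** One candidate service principal, merged across its spelling variants. */
export interface PrincipalRecord {
  canonical: string;    // region/partition-independent host, e.g. "kinesis.amazonaws.com"
  service: string;      // service label guessed from the host, e.g. "kinesis"
  variants: string[];   // raw spellings seen, e.g. "kinesis.us-gov-east-1.amazonaws.com"
  partitions: string[]; // "aws", "aws-cn", "aws-us-gov", as inferred from the variants
  count: number;        // occurrences across all inputs; 1 means low confidence
}

// Same token shape the grep in the comment matches, plus the ".cn" TLD.
const PRINCIPAL_RE = /\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9][a-z0-9-]*)*\.amazonaws\.com(?:\.cn)?\b/g;
// A label that is a region name, e.g. us-east-1, us-gov-east-1, cn-north-1 (assumed shape).
const REGION_RE = /^[a-z]{2}(?:-gov|-iso[a-z]?)?-[a-z]+-\d$/;
// Partition markers glued onto the service label itself (heuristic, assumed).
const PARTITION_SUFFIXES: Array<[string, string]> = [['-us-gov', 'aws-us-gov']];

/** Strip region/partition decorations so all variants collapse onto one host. */
export function normalisePrincipal(raw: string): { canonical: string; service: string; partition: string } {
  let host = raw;
  let partition = 'aws';
  if (host.endsWith('.amazonaws.com.cn')) {           // ec2.amazonaws.com.cn
    partition = 'aws-cn';
    host = host.slice(0, -'.cn'.length);
  }
  const labels = host.slice(0, -'.amazonaws.com'.length).split('.');
  const regionIdx = labels.findIndex((l) => REGION_RE.test(l)); // kinesis.us-gov-east-1.amazonaws.com
  if (regionIdx >= 0) {
    const region = labels[regionIdx];
    labels.splice(regionIdx, 1);
    if (region.startsWith('cn-')) partition = 'aws-cn';
    else if (region.startsWith('us-gov-')) partition = 'aws-us-gov';
  }
  const last = labels.length - 1;                      // cognito-identity-us-gov.amazonaws.com
  for (const [suffix, name] of PARTITION_SUFFIXES) {
    if (labels[last].endsWith(suffix)) {
      labels[last] = labels[last].slice(0, -suffix.length);
      partition = name;
    }
  }
  return { canonical: `${labels.join('.')}.amazonaws.com`, service: labels[last], partition };
}

/** Every string value in a policy document, condition values included. */
export function collectStrings(node: Json, out: string[] = []): string[] {
  if (typeof node === 'string') {
    out.push(node);
  } else if (Array.isArray(node)) {
    for (const item of node) collectStrings(item, out);
  } else if (node !== null && typeof node === 'object') {
    for (const value of Object.values(node)) collectStrings(value, out);
  }
  return out;
}

/** Candidate principals across all documents, most frequent first (like `sort | uniq -c | sort -nr`). */
export function extractPrincipals(docs: Json[]): PrincipalRecord[] {
  const byCanonical = new Map<string, PrincipalRecord>();
  for (const doc of docs) {
    for (const text of collectStrings(doc)) {
      for (const raw of text.match(PRINCIPAL_RE) ?? []) {
        const { canonical, service, partition } = normalisePrincipal(raw);
        const rec = byCanonical.get(canonical) ?? { canonical, service, variants: [], partitions: [], count: 0 };
        rec.count += 1;
        if (!rec.variants.includes(raw)) rec.variants.push(raw);
        if (!rec.partitions.includes(partition)) rec.partitions.push(partition);
        byCanonical.set(canonical, rec);
      }
    }
  }
  return Array.from(byCanonical.values()).sort((a, b) => b.count - a.count || a.canonical.localeCompare(b.canonical));
}

/** Cached list: canonical host -> number of the nightly run that last saw it. */
export type PrincipalCache = Record<string, number>;

/** Merge one nightly run into the cache: refresh what was seen, keep entries that
 *  went missing for at most `graceRuns` runs, drop the rest (assumed policy). */
export function mergeCache(cache: PrincipalCache, seen: PrincipalRecord[], run: number, graceRuns: number): PrincipalCache {
  const next: PrincipalCache = {};
  for (const [host, lastSeen] of Object.entries(cache)) {
    if (run - lastSeen <= graceRuns) next[host] = lastSeen;
  }
  for (const rec of seen) next[rec.canonical] = run;
  return next;
}

// Constructed sample input (not real AWS managed policies).
export const SAMPLE_POLICIES: Json[] = [
  { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: 'iam:CreateServiceLinkedRole', Resource: '*',
      Condition: { StringEquals: { 'iam:AWSServiceName': 'ec2.amazonaws.com' } } },
    { Effect: 'Allow', Action: 'iam:PassRole', Resource: '*',
      Condition: { StringEquals: { 'iam:PassedToService': ['ec2.amazonaws.com', 'ec2.amazonaws.com.cn'] } } },
  ] },
  { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: 'iam:CreateServiceLinkedRole', Resource: '*',
      Condition: { StringEquals: { 'iam:AWSServiceName': ['kinesis.amazonaws.com', 'kinesis.us-gov-east-1.amazonaws.com'] } } },
    { Effect: 'Allow', Action: 'iam:PassRole', Resource: '*',
      Condition: { StringEquals: { 'iam:PassedToService': 'cognito-identity-us-gov.amazonaws.com' } } },
  ] },
];

for (const rec of extractPrincipals(SAMPLE_POLICIES)) {
  console.log(`${String(rec.count).padStart(4)} ${rec.canonical}  variants=${rec.variants.join(',')}  partitions=${rec.partitions.join(',')}`);
}
```

Run it with ts-node. Records with `count` 1 are the ones the comment flags as likely to vanish between nightly runs; `mergeCache` keeps such an entry for `graceRuns` further runs before dropping it, so a one-off typo in a managed policy ages out while a real principal that merely moved between policies does not.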

@akefirad (Author)

Makes sense. Feel free to close this or put it on hold. Thanks.
