FunctionBeat: incorrect IAM Service Principal for Lambda in AWS China regions

Hello,

I have tested FunctionBeat in an AWS China region and got these errors:

2020-03-31T12:13:10.748+0800	INFO	[aws]	aws/op_cloudformation.go:97	Stack event received, ResourceType: AWS::IAM::Role, LogicalResourceId: fnbcloudwatchIAMRoleLambdaExecution, ResourceStatus: CREATE_IN_PROGRESS
2020-03-31T12:13:10.748+0800	INFO	[aws]	aws/op_cloudformation.go:97	Stack event received, ResourceType: AWS::Logs::LogGroup, LogicalResourceId: fnbcloudwatchLogGroup, ResourceStatus: CREATE_IN_PROGRESS
2020-03-31T12:13:10.748+0800	INFO	[aws]	aws/op_cloudformation.go:97	Stack event received, ResourceType: AWS::IAM::Role, LogicalResourceId: fnbcloudwatchIAMRoleLambdaExecution, ResourceStatus: CREATE_FAILED, ResourceStatusReason: Invalid principal in policy: "SERVICE":"lambda.amazonaws.com.cn" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 33c06f52-b16e-4a33-9b95-36ecb81361ab)
2020-03-31T12:13:10.748+0800	INFO	[aws]	aws/op_cloudformation.go:97	Stack event received, ResourceType: AWS::Logs::LogGroup, LogicalResourceId: fnbcloudwatchLogGroup, ResourceStatus: CREATE_IN_PROGRESS, ResourceStatusReason: Resource creation Initiated
2020-03-31T12:13:10.748+0800	INFO	[aws]	aws/op_cloudformation.go:97	Stack event received, ResourceType: AWS::Logs::LogGroup, LogicalResourceId: fnbcloudwatchLogGroup, ResourceStatus: CREATE_FAILED, ResourceStatusReason: Resource creation cancelled

I also verified the exported CloudFormation template and found the root cause: an incorrect IAM service principal for Lambda in AWS China regions.

According to the code at lines 257 to 261 in https://github.com/elastic/beats/blob/master/x-pack/functionbeat/manager/aws/template_builder.go, it uses the CloudFormation predefined parameter "AWS::URLSuffix", which is amazonaws.com for AWS global regions and amazonaws.com.cn for AWS China regions.

However, "lambda.amazonaws.com.cn" is not the correct IAM service principal for Lambda in AWS China regions; the correct one is "lambda.amazonaws.com". You can also refer to my latest validation in https://github.com/henrysher/aws-china-iam-service-principal-list.

Thanks!
Henry
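The following Go program is an added example that is not part of Henry's post or of the Beats code base. It shows the distinction the post is about: the partition's URL suffix (amazonaws.com vs amazonaws.com.cn) changes, but the Lambda service principal in a trust policy stays lambda.amazonaws.com in both the aws and aws-cn partitions. It builds a correct AssumeRolePolicyDocument for a given partition and lints a CloudFormation template for service principals that would resolve to the invalid ".amazonaws.com.cn" form. The function names (lambdaServicePrincipal, assumeRolePolicy, suspiciousServicePrincipals) and the sample template are this example's own; the template's use of Fn::Sub with ${AWS::URLSuffix} is an assumption about how such a principal would be expressed, not a copy of FunctionBeat's template.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lambdaServicePrincipal returns the IAM service principal that Lambda uses in a
// partition. It is lambda.amazonaws.com in both the global (aws) and China
// (aws-cn) partitions: the partition's URL suffix changes, the principal does not.
func lambdaServicePrincipal(partition string) (string, error) {
	switch partition {
	case "aws", "aws-cn":
		return "lambda.amazonaws.com", nil
	}
	return "", fmt.Errorf("unsupported partition %q", partition)
}

// assumeRolePolicy builds the trust policy for a Lambda execution role in the
// given partition from the fixed principal, so it never contains a principal
// derived from the URL suffix.
func assumeRolePolicy(partition string) (map[string]interface{}, error) {
	principal, err := lambdaServicePrincipal(partition)
	if err != nil {
		return nil, err
	}
	return map[string]interface{}{
		"Version": "2012-10-17",
		"Statement": []map[string]interface{}{{
			"Effect":    "Allow",
			"Principal": map[string]interface{}{"Service": principal},
			"Action":    "sts:AssumeRole",
		}},
	}, nil
}

// suspiciousServicePrincipals walks a CloudFormation template (JSON) and returns
// every Principal.Service entry that is either a literal ending in
// ".amazonaws.com.cn" or an Fn::Sub string built from ${AWS::URLSuffix}.
// Both resolve to an invalid service principal in the aws-cn partition.
func suspiciousServicePrincipals(templateJSON []byte) ([]string, error) {
	var tpl map[string]interface{}
	if err := json.Unmarshal(templateJSON, &tpl); err != nil {
		return nil, err
	}
	var found []string
	var walk func(node interface{})
	walk = func(node interface{}) {
		switch v := node.(type) {
		case map[string]interface{}:
			if p, ok := v["Principal"].(map[string]interface{}); ok {
				found = append(found, badServices(p["Service"])...)
			}
			for _, child := range v {
				walk(child)
			}
		case []interface{}:
			for _, child := range v {
				walk(child)
			}
		}
	}
	walk(tpl)
	return found, nil
}

// badServices inspects a Principal.Service value, which may be a string, a list,
// or an intrinsic-function map, and returns the entries that would be invalid.
func badServices(svc interface{}) []string {
	var out []string
	switch s := svc.(type) {
	case string:
		if strings.HasSuffix(s, ".amazonaws.com.cn") {
			out = append(out, s)
		}
	case []interface{}:
		for _, e := range s {
			out = append(out, badServices(e)...)
		}
	case map[string]interface{}:
		if sub, ok := s["Fn::Sub"].(string); ok && strings.Contains(sub, "${AWS::URLSuffix}") {
			out = append(out, sub)
		}
	}
	return out
}

// sampleTemplate is a constructed template fragment (not FunctionBeat's output)
// that derives the service principal from AWS::URLSuffix, the pattern in the report.
const sampleTemplate = `{
  "Resources": {
    "IAMRoleLambdaExecution": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": {"Fn::Sub": "lambda.${AWS::URLSuffix}"}},
            "Action": "sts:AssumeRole"
          }]
        }
      }
    }
  }
}`

func main() {
	bad, err := suspiciousServicePrincipals([]byte(sampleTemplate))
	if err != nil {
		panic(err)
	}
	fmt.Println("suspicious service principals:", bad)
	policy, _ := assumeRolePolicy("aws-cn")
	out, _ := json.MarshalIndent(policy, "", "  ")
	fmt.Println(string(out))
}
```

Run it against an exported template with `cfn` output saved as JSON to flag any trust policy that would fail with MalformedPolicyDocument in cn-north-1 or cn-northwest-1 before deploying the stack.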
