Skip to content

Match IAM service linked role naming with AWS #12387

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 13, 2025
Merged

Match IAM service linked role naming with AWS #12387

merged 4 commits into from
Mar 13, 2025

Conversation

dfangl
Copy link
Member

@dfangl dfangl commented Mar 13, 2025
edited
Loading

Motivation

Currently, our service linked roles will be named r-<short-id>.
This does not match the AWS naming, as it is usually named AWSServiceRoleFor<service>.

Also, the service linked roles will not have proper policies attached, rendering them unusable with IAM enforcement.

This PR will increase parity by defining both predefined names for service linked roles (for services LS supports), and a heuristic to get the name for those services which do not.

Also, we will properly reject requests for service linked roles with a suffix for services which do not support it, and attach the correct policies to the service linked roles.

This supersedes #11731

Changes

  • Service linked roles are now named correctly, and have the correct policies attached
  • Creating service linked roles with a suffix for services not supporting it will fail with the right error message

@dfangl dfangl requested a review from pinzon as a code owner March 13, 2025 15:10
@dfangl dfangl added the semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases label Mar 13, 2025
@dfangl dfangl self-assigned this Mar 13, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 13, 2025
edited
Loading

LocalStack Community integration with Pro

  2 files  ±    0    2 suites  ±0   30s ⏱️ - 1h 50m 48s
192 tests  - 3 952  188 ✅  - 3 636  4 💤  - 316  0 ❌ ±0 
194 runs   - 3 952  188 ✅  - 3 636  6 💤  - 316  0 ❌ ±0 

Results for commit a6bae2b. ± Comparison against base commit e8907e5.

This pull request removes 4096 and adds 144 tests. Note that renamed tests count towards both. 
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…

tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_already_exists
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_deletion
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[accountdiscovery.ssm.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[acm.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[appmesh.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[autoscaling-plans.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[autoscaling.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[backup.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[batch.amazonaws.com]
tests.aws.services.iam.test_iam.TestIAMServiceRoles ‑ test_service_role_lifecycle[cassandra.application-autoscaling.amazonaws.com]
…

♻️ This comment has been updated with latest results.

pinzon
pinzon approved these changes Mar 13, 2025
View reviewed changes
Copy link
Member

@pinzon pinzon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great. More Parity!! 🥳

@dfangl dfangl merged commit c3bf23a into master Mar 13, 2025
31 checks passed
@dfangl dfangl deleted the iam/service-linked-roles branch March 13, 2025 16:50
@nik-localstack nik-localstack mentioned this pull request Apr 16, 2025
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pinzon pinzon pinzon approved these changes

Assignees

@dfangl dfangl

Labels
semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dfangl @pinzon