|
| 1 | +# Troubleshoot AWS CDK deployments<a name="deploy-troubleshoot"></a> |
| 2 | + |
| 3 | +Troubleshoot common issues when deploying AWS Cloud Development Kit \(AWS CDK\) applications\. |
| 4 | + |
| 5 | +## Incorrect service principals are being created at deployment<a name="deploy-troubleshoot-sp"></a> |
| 6 | + |
| 7 | +When deploying CDK applications that contain AWS Identity and Access Management \(IAM\) roles with service principals, you find that incorrect domains for the service principals are being created\. |
| 8 | + |
| 9 | +The following is a basic example of creating an IAM role that can be assumed by Amazon CloudWatch Logs using its service principal: |
| 10 | + |
| 11 | +``` |
| 12 | +import * as cdk from 'aws-cdk-lib'; |
| 13 | +import * as iam from 'aws-cdk-lib/aws-iam'; |
| 14 | +import { Construct } from 'constructs'; |
| 15 | +
|
| 16 | +export class MyCdkProjectStack extends cdk.Stack { |
| 17 | + constructor(scope: Construct, id: string, props?: cdk.StackProps) { |
| 18 | + super(scope, id, props); |
| 19 | +
|
| 20 | + // Create an IAM role for CloudWatch Logs to assume |
| 21 | + const cloudWatchLogsRole = new iam.Role(this, 'CloudWatchLogsRole', { |
| 22 | + assumedBy: new iam.ServicePrincipal('logs.amazonaws.com'), // This is for CloudWatch Logs |
| 23 | + managedPolicies: [ |
| 24 | + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCloudWatchLogsFullAccess') |
| 25 | + ] |
| 26 | + }); |
| 27 | +
|
| 28 | + // You can then use this role in other constructs or configurations where CloudWatch Logs needs to assume a role |
| 29 | + } |
| 30 | +} |
| 31 | +``` |
| 32 | + |
| 33 | +When you deploy this stack, a service principal named `logs.amazonaws.com` should be created\. In most cases, AWS services use the following naming for service principals: `service.amazonaws.com`\. |
| 34 | + |
| 35 | +### Common causes<a name="deploy-troubleshoot-sp-causes"></a> |
| 36 | + |
| 37 | +If you are using a version of the AWS CDK older than v2\.150\.0, you may encounter this bug\. In older AWS CDK versions, the naming of service principals were not standardized, which could lead to the creation of service principals with incorrect domains\. |
| 38 | + |
| 39 | +In AWS CDK v2\.51\.0, a fix was implemented by standardizing all automatically created service principals to use `service.amazonaws.com` when possible\. This fix was available by allowing the `@aws-cdk/aws-iam:standardizedServicePrincipals` feature flag\. |
| 40 | + |
| 41 | +Starting in AWS CDK v2\.150\.0, this became default behavior\. |
| 42 | + |
| 43 | +### Resolution<a name="deploy-troubleshoot-sp-resolution"></a> |
| 44 | + |
| 45 | +Upgrade to AWS CDK v2\.150\.0 or newer\. |
| 46 | + |
| 47 | +If you are unable to upgrade to AWS CDK v2\.150\.0 or newer, you must upgrade to at least v2\.51\.0 or newer\. Then, allow the following feature flag in your `cdk.json` file: `@aws-cdk/aws-iam:standardizedServicePrincipals`\. |
0 commit comments