Use mapping to conditionally select services for iam:PassRole

aws · Aug 30, 2024 · 441e058 · 441e058
1 parent 910a4a4
commit 441e058
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/...ite/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/...ite/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -4,6 +4,12 @@ Parameters:
   ClusterName:
     Type: String
     Description: "EKS cluster name"
+Mappings:
+  Partition:
+    aws:
+      PassRoleToServices: ["ec2.amazonaws.com"]
+    aws-cn:
+      PassRoleToServices: ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"]
 Resources:
   KarpenterNodeRole:
     Type: "AWS::IAM::Role"
@@ -212,7 +218,15 @@ Resources:
               "Action": "iam:PassRole",
               "Condition": {
                 "StringEquals": {
-                  "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+                  "iam:PassedToService": {
+                    "Fn::FindInMap": [
+                      "Partition",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      "PassRoleToServices"
+                    ]
+                  }
                 }
               }
             },

diff --git a/website/content/en/preview/reference/cloudformation.md b/website/content/en/preview/reference/cloudformation.md
@@ -375,7 +375,15 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
   "Action": "iam:PassRole",
   "Condition": {
     "StringEquals": {
-      "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+      "iam:PassedToService": {
+        "Fn::FindInMap": [
+          "Partition",
+          {
+            "Ref": "AWS::Partition"
+          },
+          "PassRoleToServices"
+        ]
+      }
     }
   }
 }