Missing amazonaws.com.cn condition in PassRole as required for AWS CN

[ctav4]

Description

Our Karpenter instance runs on EKS in cn-northwest-1 (China). The logs indicate the following error: no identity-based policy allows the iam:PassRole action. I believe this issue was addressed in PR 3422. However, I noticed that the latest PR 3539 appears to have reverted the fix. @bryantbiggs @antonbabenko, could you please review this?

Versions

• Module version:
  v21.15.1

• Terraform version:
  v1.13.5

Reproduction Code

Code:

module "karpenter" {
  source = "terraform-aws-modules/eks/aws//modules/karpenter"

  iam_role_name      = "karpenter-controller-pod-identity"
  iam_policy_name    = "karpenter-controller-pod-identity-custom"
  node_iam_role_name = "karpenter-node-iam-role"

  iam_role_use_name_prefix      = false
  node_iam_role_use_name_prefix = false
  iam_policy_use_name_prefix    = false

  cluster_name = var.cluster_name

  node_iam_role_additional_policies = {
    AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
  }

  enable_spot_termination = false
}

Then login to China cn-northwest-1.

terraform init
terraform apply

With this config I see this output on terraform state file for data.aws_service_principal.ec2:

terraform state show 'module.example.module.karpenter.module.karpenter.data.aws_service_principal.ec2[0]'
# module.example.module.karpenter.module.karpenter.data.aws_service_principal.ec2[0]:
data "aws_service_principal" "ec2" {
    id           = "ec2.cn-northwest-1.amazonaws.com"
    name         = "ec2.amazonaws.com"
    region       = "cn-northwest-1"
    service_name = "ec2"
    suffix       = "amazonaws.com"
}

On AWS Console I see this:

Finally, the Karpenter logs shows this error:

karpenter-5fb47b9fc6-9zwxb controller {"level":"ERROR","time":"2026-01-28T17:11:36.570Z","logger":"controller","message":"unauthorized to call ec2:RunInstances","commit":"f29079c","controller":"nodeclass","controllerGroup":"karpenter.k8s.aws","controllerKind":"EC2NodeClass","EC2NodeClass":{"name":"default"},"namespace":"","name":"default","reconcileID":"8dd0479a-0776-4bb9-b09e-0684df6fd449","aws-error-code":"UnauthorizedOperation","aws-operation-name":"RunInstances","aws-request-id":"4a96ba94-118d-4988-a34c-8b8e0992a811","aws-service-name":"EC2","aws-status-code":403,"error":"operation error EC2: RunInstances, https response error StatusCode: 403, RequestID: 4a96ba94-118d-4988-a34c-8b8e0992a811, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws-cn:sts::123456123456:assumed-role/karpenter-controller-pod-identity/eks-example-karpenter--86b1bb05-916c-4bd3-bfb0-0e7dff5cc38a is not authorized to perform: iam:PassRole on resource: arn:aws-cn:iam::123456123456:role/karpenter-node-iam-role because no identity-based policy allows the iam:PassRole action. Encoded authorization failure message: ... (aws-error-code=UnauthorizedOperation, aws-operation-name=RunInstances, aws-request-id=4a96ba94-118d-4988-a34c-8b8e0992a811, aws-service-name=EC2, aws-status-code=403)"}

Expected behavior

I was expecting to see name = "ec2.amazonaws.com.cn" on terraform state file after the terraform apply:

data "aws_service_principal" "ec2" {
    id           = "ec2.cn-northwest-1.amazonaws.com"
    name         = "ec2.amazonaws.com.cn"
    region       = "cn-northwest-1"
    service_name = "ec2"
    suffix       = "amazonaws.com"
}

Actual behavior

Currently I see this output on terraform state file:

data "aws_service_principal" "ec2" {
    id           = "ec2.cn-northwest-1.amazonaws.com"
    name         = "ec2.amazonaws.com"
    region       = "cn-northwest-1"
    service_name = "ec2"
    suffix       = "amazonaws.com"
}

[bryantbiggs]

you're describing an xy-problem - lets start with a reproduction and any error logs/messages

[ctav4]

Additional information was added to the issue

[bryantbiggs]

if there is an issue with the aws_service_principal data source, you will need to report that upstream at the AWS provider

[mazay]

it's actually hardcoded here - https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/modules/eks-managed-node-group/main.tf#L590

and in a few other places - https://github.com/search?q=repo%3Aterraform-aws-modules%2Fterraform-aws-eks%20ec2.amazonaws.com&type=code

It used to be like that and worked fine - https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v18.30.3/modules/eks-managed-node-group/main.tf#L426

[bryantbiggs]

Karpenter is the only instance I know where it requires both for CN regions - the rest, I have no clue because its not clear from AWS what is required. if you can find that in the docs, we can note and update. but I believe I asked this before and the answer was "no - it should all be ec2.amazonaws.com except for Karpenter"

[mazay]

According to the docs:

the service principal name can include the following formats, with "service" replaced by the name of the service:

service.amazonaws.com

service.amazonaws.com.cn 

I can't vouch for it, but I'm pretty sure we had issues with non-CN principals in CN regions before.

We have only one prod cluster in CN, so testing is not an option right now.

[bryantbiggs]

that doesn't help - we need clear guidance not just "it could be this or that"

[mazay]

Can you at least make it configurable then? I can't give you a better source than the official doc that is vague

[mazay]

AWS console generates the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com.cn"
                ]
            }
        }
    ]
}

So, I'm sure the correct principal is ec2.amazonaws.com.cn.

[lukasz-mitka]

Here's the commit that changed it
57378ee