pulumi / pulumi-aws-native

AWS Native Provider for Pulumi
Apache License 2.0

AWS::IAM::Role is not yet supported via Cloud Control API #1047

Closed shubhambirvatkar700 closed 7 months ago

shubhambirvatkar700 commented 1 year ago
I'm getting a similar issue importing an existing IAM role into Pulumi.

command used --> pulumi import aws-native:iam:Role lambda-role --yes Error --->

aws-native:iam:Role (lambda-role): error: Preview failed: operation error CloudControl: GetResource, https response error StatusCode: 400, RequestID: 4a926ad4-d361-48ae-9804-473b2df50879, UnsupportedActionException: The resource AWS::IAM::Role is not yet supported via Cloud Control API

Dependency --> aws-native-0.61.0 aws-5.42.0 pulumi (3.66.0 )

Please note --> It was working a couple of days back and now it's failing

Originally posted by @shubhambirvatkar700 in https://github.com/pulumi/pulumi-aws-native/issues/844#issuecomment-1689298220

shubhambirvatkar700 commented 1 year ago

Note --> This is specific to only the eu-central-1 region. I'm able to import it in another region.

danielrbradley commented 1 year ago

Hi @shubhambirvatkar700 this is almost certainly an issue with AWS (given that was the resolution in the referenced issue). I'd suggest contacting AWS for support unless there's something specific you think we can improve in the provider to help.

matwerber1 commented 1 year ago

Hi,

I encountered this error with the latest AWS SDK v3 in NodeJS and was able to resolve it by setting the SDK client's region to us-east-1 instead of my default us-west-2.

I happened to find this thread while searching for an answer and was at first confused given that Cloud Control docs list IAM CRUD operations as fully supported for IAM roles. Then I remembered...

Yes, IAM resources are "global", but the IAM control plane is actually entirely within us-east-1. When you create an IAM resource like a role, that process takes place in us-east-1. The us-east-1 region is the source of truth, and the role info is subsequently propagated to the other AWS regions around the globe so that region-specific services don't have to send requests all the way back to us-east-1 (the replication helps with high availability, as well). See docs.

At least in NodeJS, this seems isolated to the Cloud Control library, as the regular IAM library doesn't complain when I use a region other than us-east-1.

import { fromSSO } from "@aws-sdk/credential-provider-sso"; // for profiles using AWS SSO
import CC from "@aws-sdk/client-cloudcontrol";
import IAM from "@aws-sdk/client-iam";

const awsProfile = process.env.AWS_DEFAULT_PROFILE;

// Cloud Control
const ccClient = new CC.CloudControlClient({
  credentials: fromSSO({
    profile: awsProfile,
  }),
  region: "us-west-2",    // us-west-2 = FAIL, us-east-1 = SUCCEED
});

// IAM-specific library
const iamClient = new IAM.IAMClient({
  credentials: fromSSO({
    profile: awsProfile,
  }),
  region: "us-west-2",  // us-west-2 = SUCCEED, us-east-1 = SUCCEED
});

Similar results with the AWS CLI:

# FAIL
aws cloudcontrol list-resources --type-name "AWS::IAM::Role" --region us-west-2 

# SUCCEED
aws cloudcontrol list-resources --type-name "AWS::IAM::Role" --region us-east-1
aws iam list-roles --region us-east-1
aws iam list-roles --region us-west-2

I haven't verified, but my guess is that the AWS CLI and native IAM client libraries have code somewhere that overrides whatever region you've configured and forces us-east-1 before making IAM-related API calls, and that the Cloud Control implementation has not put this logic in place.
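One way a Cloud Control caller can tolerate this behaviour, as an added example that is not code from this thread or from the pulumi-aws-native provider: route IAM resource types to us-east-1 and, when a call in the configured region comes back with UnsupportedActionException, retry once there. The clientFactory shape, the global-type prefix list and the single-retry policy are assumptions; the stub client is constructed to mimic the failure reported above.

```javascript
// Added example, not from the thread or the provider. Assumes the AWS SDK v3
// shape: one client per region with an async send() that rejects with an
// Error whose .name is the exception class. Type list and policy are assumed.
const IAM_CONTROL_PLANE_REGION = "us-east-1";
const GLOBAL_TYPE_PREFIXES = ["AWS::IAM::"];

// Region a Cloud Control call for this type should go to, mirroring the
// "force us-east-1 for IAM" behaviour the comment above guesses the CLI has.
function resolveCloudControlRegion(typeName, configuredRegion) {
  const isGlobal = GLOBAL_TYPE_PREFIXES.some((p) => typeName.startsWith(p));
  return isGlobal ? IAM_CONTROL_PLANE_REGION : configuredRegion;
}

// GetResource with fallback: try the configured region first (so the failure
// stays visible), then retry once in us-east-1 only for global types and only
// on UnsupportedActionException. Any other error propagates unchanged.
async function getResourceWithGlobalFallback(clientFactory, typeName, identifier, configuredRegion) {
  const regions = [configuredRegion];
  const preferred = resolveCloudControlRegion(typeName, configuredRegion);
  if (preferred !== configuredRegion) regions.push(preferred);
  const attempted = [];
  let lastErr;
  for (const region of regions) {
    attempted.push(region);
    try {
      const result = await clientFactory(region).send({ TypeName: typeName, Identifier: identifier });
      return { region, attempted, result };
    } catch (err) {
      if (err.name !== "UnsupportedActionException") throw err;
      lastErr = err;
    }
  }
  throw lastErr;
}

// Constructed stand-in for CloudControlClient reproducing the behaviour
// reported in this thread: IAM types fail outside us-east-1.
function fakeClientFactory(region) {
  return {
    async send(params) {
      if (params.TypeName.startsWith("AWS::IAM::") && region !== IAM_CONTROL_PLANE_REGION) {
        const e = new Error(`The resource ${params.TypeName} is not yet supported via Cloud Control API`);
        e.name = "UnsupportedActionException";
        throw e;
      }
      return { TypeName: params.TypeName, Identifier: params.Identifier, Region: region };
    },
  };
}
```

With a real client, `clientFactory` would be `(region) => new CloudControlClient({ region, credentials })` and `send` would wrap a `GetResourceCommand`; the `attempted` list is worth logging so region fallbacks show up in audit output.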

mikhailshilkov commented 1 year ago

@shubhambirvatkar700 @matwerber1 We checked in with folks from AWS and they let us know that this was a problem on the Cloud Control API side but it's been fixed since. Are you still experiencing this issue, or can we close it out?

mikhailshilkov commented 7 months ago

Since we haven't seen this in a while, I'll close the issue as fixed on the AWS side