
Cannot Specify Custom Policy for AWS AppStream Streaming VPC Endpoint

0

I am trying to create a VPC Interface Endpoint for com.amazonaws.us-east-1.appstream.streaming using Terraform. When I specify a policy (even full access), I receive the error: Service com.amazonaws.us-east-1.appstream.streaming only supports the full-access endpoint policy.

However, the AWS documentation does not clearly state that custom policies are not supported for this endpoint. Can you clarify this behavior and update the documentation to make this restriction explicit?

Terraform Code Snippet

# Streaming endpoint: this is the resource that fails with the error shown below
resource "aws_vpc_endpoint" "appstream_streaming" {
  vpc_id             = aws_vpc.main.id
  service_name       = "com.amazonaws.us-east-1.appstream.streaming"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.main.id]
  security_group_ids = [aws_security_group.endpoint.id]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "*"
        Effect    = "Allow"
        Principal = "*"
        Resource  = "*"
      }
    ]
  })
}

# API endpoint: created with a custom endpoint policy
resource "aws_vpc_endpoint" "appstream_api" {
  vpc_id             = aws_vpc.main.id
  service_name       = "com.amazonaws.us-east-1.appstream.api"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.main.id]
  security_group_ids = [aws_security_group.endpoint.id]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = ["appstream:*"]
        Effect    = "Allow"
        Principal = "*"
        Resource  = "*"
      }
    ]
  })
}

Error:

aws_vpc_endpoint.appstream_streaming: Creating...
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.us-east-1.appstream.streaming): operation error EC2: CreateVpcEndpoint, https response error StatusCode: 400, RequestID: 4462a416-5838-4829-a913-c8e1dcfe4c5e, api error InvalidParameter: Service com.amazonaws.us-east-1.appstream.streaming only supports the full-access endpoint policy.
│ 
│   with aws_vpc_endpoint.appstream_streaming,
│   on vpce.tf line 35, in resource "aws_vpc_endpoint" "appstream_streaming":
│   35: resource "aws_vpc_endpoint" "appstream_streaming" {
│

It would be great if the AWS PrivateLink docs could be updated with a table that clearly defines which services support endpoint policies and which do not. I have referred to the pages below, but none of them states these facts clearly.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policy-considerations
https://docs.aws.amazon.com/appstream2/latest/developerguide/interface-vpc-endpoints.html
https://docs.aws.amazon.com/appstream2/latest/developerguide/creating-streaming-from-interface-vpc-endpoints.html
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html

1 Answer
1

Thank you for bringing this to our attention. You are correct that the behavior you're experiencing is due to a service-specific restriction on the AppStream streaming endpoint.

Not all AWS services support custom endpoint policies. When an AWS service doesn't support endpoint policies, full access to the endpoint is allowed by default. In your case, the com.amazonaws.us-east-1.appstream.streaming service specifically requires the full-access endpoint policy and does not support custom policies, even if you're attempting to grant full access with a custom policy document.

To resolve your Terraform error, you should remove the policy parameter from your aws_vpc_endpoint.appstream_streaming resource. When you don't attach an endpoint policy, the default endpoint policy (which provides full access) will be automatically applied. This is the expected configuration for services that don't support custom endpoint policies.

Your aws_vpc_endpoint.appstream_api resource may support custom policies depending on the service's capabilities, but the streaming endpoint specifically does not.

I appreciate your feedback about the documentation. You're right that it would be helpful to have a clear table or reference that explicitly lists which AWS services support custom endpoint policies and which require the default full-access policy. The general guidance states that not all AWS services support endpoint policies, but service-specific restrictions like the one you encountered with AppStream streaming should be more clearly documented in the service-specific pages.

For your immediate needs, simply omit the policy parameter for the AppStream streaming endpoint, and it will work with the default full-access policy that the service requires.
Sources
Control access to VPC endpoints using endpoint policies - Amazon Virtual Private Cloud

answered 4 months ago
EXPERT
reviewed 4 months ago
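The fix the answer describes, written out as an added Terraform example (this is not code from the question, the answer, or AWS). It drives both endpoints from one map so the policy argument is only rendered for the service that accepts one; setting policy to null omits the argument entirely, which is what the streaming service requires. The resource names aws_vpc.main, aws_subnet.main and aws_security_group.endpoint come from the question; the local map, the supports_endpoint_policy flag, the data source and the account-scoped policy on the API endpoint are assumptions of this example.

```hcl
# Added example: one aws_vpc_endpoint resource for both AppStream endpoints,
# with the policy argument rendered only where the service accepts one.

data "aws_caller_identity" "current" {}

locals {
  appstream_endpoints = {
    # The streaming endpoint rejects any policy document (see the error in the
    # question), so it is created without one and gets the default full-access policy.
    streaming = {
      service_name             = "com.amazonaws.us-east-1.appstream.streaming"
      supports_endpoint_policy = false
    }
    # The API endpoint is where a custom endpoint policy can be attached
    # (assumption, following the answer above).
    api = {
      service_name             = "com.amazonaws.us-east-1.appstream.api"
      supports_endpoint_policy = true
    }
  }
}

resource "aws_vpc_endpoint" "appstream" {
  for_each = local.appstream_endpoints

  vpc_id             = aws_vpc.main.id
  service_name       = each.value.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.main.id]
  security_group_ids = [aws_security_group.endpoint.id]

  # null omits the argument, which is the only configuration the streaming
  # service accepts. The API endpoint instead gets a policy that limits use of
  # the endpoint to principals from this account (assumed scoping, not from the page).
  policy = each.value.supports_endpoint_policy ? jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowAppStreamFromThisAccountOnly"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["appstream:*"]
        Resource  = "*"
        Condition = {
          StringEquals = {
            "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  }) : null
}
```

With this layout, `terraform plan` shows a policy only on `aws_vpc_endpoint.appstream["api"]`; the `["streaming"]` instance carries no policy argument at all, so the CreateVpcEndpoint call no longer hits the InvalidParameter error from the question. Adding a third endpoint later is a matter of adding a map entry and stating whether that service supports an endpoint policy.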
