Fix service slug mismatches for awsservicemap v1.1.0#123
Merged
jbarciabf merged 3 commits intoApr 12, 2026
Conversation
awsservicemap v1.1.0 changed to a URL-based service identification format.
The secrets module was passing old-style slugs ("secretsmanager", "ssm") to
IsServiceInRegion, which never matched the new URL-derived slugs
("secrets-manager", "systems-manager"). This caused 0 tasks to be queued
and no secrets to be returned despite secrets existing in the account.
awsservicemap v1.1.0 switched to URL-based service slugs, breaking all commands that used the old identifiers. Affected slugs and their fixes: secretsmanager -> secrets-manager (resource-trusts, inventory) ssm -> systems-manager (inventory) elb -> elasticloadbalancing (endpoints, inventory, network-ports) es -> opensearch-service (endpoints, inventory, resource-trusts) mq -> amazon-mq (endpoints, inventory) stepfunctions -> step-functions (inventory) sagemaker -> sagemaker-ai (env-vars) clouddirectory -> directoryservice (directory-services) kinesis -> streams (inventory) lightsail -> amazonlightsail.com (endpoints, env-vars, network-ports) Each mismatch caused IsServiceInRegion to return false for all regions, silently skipping enumeration of that service entirely.
jbarciabf
previously approved these changes
Apr 12, 2026
Collaborator
jbarciabf
left a comment
jbarciabf
left a comment
There was a problem hiding this comment.
Code Review — Approved
Summary: Fixes 10 stale service slugs that broke IsServiceInRegion lookups after the awsservicemap v1.1.0 update moved to URL-based service identification. Without this fix, affected services (Secrets Manager, SSM, ELB, OpenSearch, MQ, Step Functions, SageMaker, Cloud Directory, Kinesis, Lightsail) silently returned zero results across all regions.
Review Checklist
- No AI attribution found
- Code correctness verified
- Security review passed
- Dependency vulnerability scan completed
- Production readiness verified
- Functional testing — all 10 slug corrections validated against live AWS service map data
- Unit tests pass (pre-existing resource-trusts panic unrelated to this PR)
- Code quality acceptable
Slug Verification
All 10 new slugs were validated against awsservicemap v1.1.0 (live download from AWS) using IsServiceInRegion in us-east-1:
| Old Slug | New Slug | Status |
|---|---|---|
| secretsmanager | secrets-manager | Verified |
| ssm | systems-manager | Verified |
| elb | elasticloadbalancing | Verified |
| es | opensearch-service | Verified |
| mq | amazon-mq | Verified |
| stepfunctions | step-functions | Verified |
| sagemaker | sagemaker-ai | Verified |
| clouddirectory | directoryservice | Verified |
| kinesis | streams | Verified |
| lightsail | amazonlightsail.com | Verified |
Auto-fixes Applied
- Updated
google.golang.org/grpcfrom v1.77.0 to v1.79.3 to fix GO-2026-4762 (authorization bypass via missing leading slash in :path header). Build and tests verified after update.
Notes
- 24 Go standard library vulnerabilities were found (crypto/tls, crypto/x509, net/url, etc.), all requiring a Go compiler upgrade from 1.24.2. These are pre-existing and not introduced by this PR.
- Pre-existing test panic in
resource-trusts(index out of range) exists on main as well — not related to this PR. - After merge, version should be bumped to 2.0.2 in
globals/utils.goand tagged for release.
Fixes authorization bypass via missing leading slash in :path header.
jbarciabf
force-pushed
the
fix/awsservicemap-v1.1.0-service-slugs
branch
from
5f79372 to
83f9af2
Compare
jbarciabf
reviewed
Apr 12, 2026
Collaborator
jbarciabf
left a comment
jbarciabf
left a comment
There was a problem hiding this comment.
Code Review — Approved
Summary: Fixes 10 stale service slugs that broke IsServiceInRegion lookups after the awsservicemap v1.1.0 update moved to URL-based service identification. Without this fix, affected services (Secrets Manager, SSM, ELB, OpenSearch, MQ, Step Functions, SageMaker, Cloud Directory, Kinesis, Lightsail) silently returned zero results across all regions.
Review Checklist
- Code correctness verified
- Security review passed
- Dependency vulnerability scan completed
- Production readiness verified
- Functional testing — all 10 slug corrections validated against live AWS service map data
- Unit tests pass (pre-existing resource-trusts panic unrelated to this PR)
- Code quality acceptable
Slug Verification
All 10 new slugs were validated against awsservicemap v1.1.0 (live download from AWS) using IsServiceInRegion in us-east-1:
| Old Slug | New Slug | Status |
|---|---|---|
| secretsmanager | secrets-manager | Verified |
| ssm | systems-manager | Verified |
| elb | elasticloadbalancing | Verified |
| es | opensearch-service | Verified |
| mq | amazon-mq | Verified |
| stepfunctions | step-functions | Verified |
| sagemaker | sagemaker-ai | Verified |
| clouddirectory | directoryservice | Verified |
| kinesis | streams | Verified |
| lightsail | amazonlightsail.com | Verified |
Dependency Fix Applied
- Updated
google.golang.org/grpcfrom v1.77.0 to v1.79.3 to fix GO-2026-4762 (authorization bypass via missing leading slash in :path header). Build and tests verified after update.
Notes
- 24 Go standard library vulnerabilities found (crypto/tls, crypto/x509, net/url, etc.), all requiring a Go compiler upgrade from 1.24.2. Pre-existing, not introduced by this PR.
- Pre-existing test panic in
resource-trusts(index out of range) exists on main — not related to this PR. - After merge, version should be bumped to 2.0.2 in
globals/utils.goand tagged for release.
jbarciabf
approved these changes
Apr 12, 2026
Collaborator
jbarciabf
left a comment
jbarciabf
left a comment
There was a problem hiding this comment.
Code Review — Approved
Summary: Fixes 10 stale service slugs that broke IsServiceInRegion lookups after the awsservicemap v1.1.0 update moved to URL-based service identification. Without this fix, affected services (Secrets Manager, SSM, ELB, OpenSearch, MQ, Step Functions, SageMaker, Cloud Directory, Kinesis, Lightsail) silently returned zero results across all regions.
Review Checklist
- Code correctness verified
- Security review passed
- Dependency vulnerability scan completed
- Production readiness verified
- Functional testing — all 10 slug corrections validated against live AWS service map data
- Unit tests pass (pre-existing resource-trusts panic unrelated to this PR)
- Code quality acceptable
Slug Verification
All 10 new slugs validated against awsservicemap v1.1.0 (live download from AWS) using IsServiceInRegion in us-east-1:
| Old Slug | New Slug | Status |
|---|---|---|
| secretsmanager | secrets-manager | Verified |
| ssm | systems-manager | Verified |
| elb | elasticloadbalancing | Verified |
| es | opensearch-service | Verified |
| mq | amazon-mq | Verified |
| stepfunctions | step-functions | Verified |
| sagemaker | sagemaker-ai | Verified |
| clouddirectory | directoryservice | Verified |
| kinesis | streams | Verified |
| lightsail | amazonlightsail.com | Verified |
Dependency Fix Applied
- Updated
google.golang.org/grpcfrom v1.77.0 to v1.79.3 to fix GO-2026-4762 (authorization bypass via missing leading slash in :path header). Build and tests verified after update.
Notes
- 24 Go standard library vulnerabilities found (crypto/tls, crypto/x509, net/url, etc.), all requiring a Go compiler upgrade from 1.24.2. Pre-existing, not introduced by this PR.
- Pre-existing test panic in
resource-trusts(index out of range) exists on main — not related to this PR. - After merge, version should be bumped to 2.0.2 in
globals/utils.goand tagged for release.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
awsservicemap v1.1.0 changed from a hash-based service ID format to a
URL slug-based format. Several AWS commands were still using old-style
slugs that no longer match, causing IsServiceInRegion to silently return
false for every region — meaning those services were never enumerated at all.
For example, the
secretscommand returned zero results despite SecretsManager entries existing in the account, because "secretsmanager" no longer
matched (the correct slug is now "secrets-manager", derived from
https://aws.amazon.com/secrets-manager/).
Slug corrections applied across 7 files:
Note: cloud9 and datapipeline are absent from the AWS service map entirely
(both deprecated by AWS), so those returning false is correct behavior.