aws-source: fix kms-grant issue with service principal (#3831)

Fix for aws source errors seen in pod logs:
```
{"error":"arn: invalid prefix","input":"rds.amazonaws.com","level":"error","msg":"Error parsing principal ARN","scope":"944651592624.eu-west-2","severity":"error","time":"2026-02-09T15:09:42Z"}
{"error":"arn: invalid prefix","input":"ec2.eu-west-2.amazonaws.com","level":"error","msg":"Error parsing principal ARN","scope":"944651592624.eu-west-2","severity":"error","time":"2026-02-09T15:09:42Z"}
```

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: change is isolated to KMS grant link generation and a shared
partition-suffix helper, with added unit tests covering the new behavior
and no auth/data-path modifications.
>
> **Overview**
> Fixes `kms-grant` discovery failures caused by AWS service principals
(e.g. `rds.amazonaws.com`) being treated like ARNs.
>
> This introduces a shared `awsPartitionDNSSuffixes` map plus
`GetAllAWSPartitionDNSSuffixes()` to detect DNS-style service principals
across partitions, and updates `grantOutputMapper` to *silently skip*
those principals (and downgrade ARN-parse logs from error to warn) so
only linkable IAM/KMS items are emitted. Adds unit coverage for
service-principal detection and for ensuring service principals don’t
generate linked-item queries.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
14d07808f0a26a089203aee10f581104e2141ffb. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: bd8474862b2fb7344b2bc3a787c0c9fa693144a3

Author: carabasdaniel

aws-source/adapters/adapterhelpers_util.go

@@ -176,23 +176,43 @@ func ParseARN(arnString string) (*ARN, error) {
 	}, nil
 }
 
+// awsPartitionDNSSuffixes maps AWS partition names to their DNS suffixes.
+// This is the single source of truth for all AWS partition DNS suffixes.
+// See: https://docs.aws.amazon.com/general/latest/gr/rande.html
+var awsPartitionDNSSuffixes = map[string]string{
+	"aws":        "amazonaws.com",
+	"aws-us-gov": "amazonaws.com",
+	"aws-cn":     "amazonaws.com.cn",
+	"aws-iso":    "c2s.ic.gov",
+	"aws-iso-b":  "sc2s.sgov.gov",
+	"aws-eu":     "amazonaws.eu",
+}
+
 // GetPartitionDNSSuffix returns the DNS suffix for a given AWS partition.
 // This is used to construct service URLs that work across all AWS partitions.
 func GetPartitionDNSSuffix(partition string) string {
-	switch partition {
-	case "aws-cn":
-		return "amazonaws.com.cn"
-	case "aws-iso":
-		return "c2s.ic.gov"
-	case "aws-iso-b":
-		return "sc2s.sgov.gov"
-	case "aws-eu":
-		return "amazonaws.eu"
-	case "aws", "aws-us-gov":
-		return "amazonaws.com"
-	default:
-		return "amazonaws.com" // Default to commercial partition
+	if suffix, ok := awsPartitionDNSSuffixes[partition]; ok {
+		return suffix
+	}
+	return "amazonaws.com" // Default to commercial partition
+}
+
+// GetAllAWSPartitionDNSSuffixes returns all known AWS partition DNS suffixes.
+// This is useful for checking if a string (like a service principal) belongs
+// to any AWS partition.
+func GetAllAWSPartitionDNSSuffixes() []string {
+	// Use a map to deduplicate (aws and aws-us-gov share the same suffix)
+	seen := make(map[string]bool)
+	suffixes := make([]string, 0, len(awsPartitionDNSSuffixes))
+
+	for _, suffix := range awsPartitionDNSSuffixes {
+		if !seen[suffix] {
+			seen[suffix] = true
+			suffixes = append(suffixes, suffix)
+		}
 	}
+
+	return suffixes
 }
 
 // WrapAWSError Wraps an AWS error in the appropriate SDP error

aws-source/adapters/kms-grant.go

@@ -97,15 +97,27 @@ func grantOutputMapper(ctx context.Context, _ *kms.Client, scope string, _ *kms.
 
 			dynamodb.us-west-2.amazonaws.com
 
-			The following are not supported
+			The following are not supported (we skip them silently):
 				- arn:aws:iam::account:root
 				- arn:aws:sts::account:federated-user/user-name
 				- arn:aws:sts::account:assumed-role/role-name/role-session-name
 				- arn:aws:sts::account:self
-				- dynamodb.us-west-2.amazonaws.com => this will cause an error in ARN parsing
+				- Service principals like dynamodb.us-west-2.amazonaws.com (not ARNs, not linkable)
 		*/
 
 		for _, principal := range principals {
+			// Skip AWS service principals (e.g. "rds.eu-west-2.amazonaws.com",
+			// "dynamodb.us-west-2.amazonaws.com"). These are DNS-style identifiers
+			// for AWS services, not ARNs, and are not linkable to other items.
+			if isAWSServicePrincipal(principal) {
+				log.WithFields(log.Fields{
+					"input": principal,
+					"scope": scope,
+				}).Debug("Skipping AWS service principal (not linkable)")
+
+				continue
+			}
+
 			lIQ := &sdp.LinkedItemQuery{
 				Query: &sdp.Query{
 					Method: sdp.QueryMethod_GET,
@@ -126,7 +138,7 @@ func grantOutputMapper(ctx context.Context, _ *kms.Client, scope string, _ *kms.
 					"error": errA,
 					"input": principal,
 					"scope": scope,
-				}).Error("Error parsing principal ARN")
+				}).Warn("Error parsing principal ARN")
 
 				continue
 			}
@@ -237,3 +249,24 @@ func iamSourceAndQuery(resource string) (string, string) {
 
 	return adapter, query // user, user-name-with-path
 }
+
+// isAWSServicePrincipal returns true if the principal is an AWS service
+// principal (e.g. "rds.eu-west-2.amazonaws.com", "dynamodb.us-west-2.amazonaws.com").
+// These are DNS-style identifiers used by AWS services to assume roles or access
+// resources, and are not ARNs.
+func isAWSServicePrincipal(principal string) bool {
+	// Service principals don't start with "arn:" and end with a partition-specific
+	// DNS suffix.
+	if strings.HasPrefix(principal, "arn:") {
+		return false
+	}
+
+	// Check all AWS partition DNS suffixes using the shared list
+	for _, suffix := range GetAllAWSPartitionDNSSuffixes() {
+		if strings.HasSuffix(principal, "."+suffix) {
+			return true
+		}
+	}
+
+	return false
+}

aws-source/adapters/kms-grant_test.go

@@ -44,6 +44,82 @@ An example list grants response:
 }
 */
 
+func TestIsAWSServicePrincipal(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name      string
+		principal string
+		expected  bool
+	}{
+		{
+			name:      "RDS service principal",
+			principal: "rds.eu-west-2.amazonaws.com",
+			expected:  true,
+		},
+		{
+			name:      "DynamoDB service principal",
+			principal: "dynamodb.us-west-2.amazonaws.com",
+			expected:  true,
+		},
+		{
+			name:      "EC2 service principal",
+			principal: "ec2.amazonaws.com",
+			expected:  true,
+		},
+		{
+			name:      "China region service principal (aws-cn)",
+			principal: "rds.cn-north-1.amazonaws.com.cn",
+			expected:  true,
+		},
+		{
+			name:      "EU partition service principal (aws-eu)",
+			principal: "rds.eu-central-1.amazonaws.eu",
+			expected:  true,
+		},
+		{
+			name:      "ISO partition service principal (aws-iso)",
+			principal: "rds.us-iso-east-1.c2s.ic.gov",
+			expected:  true,
+		},
+		{
+			name:      "ISO-B partition service principal (aws-iso-b)",
+			principal: "rds.us-isob-east-1.sc2s.sgov.gov",
+			expected:  true,
+		},
+		{
+			name:      "IAM role ARN",
+			principal: "arn:aws:iam::123456789012:role/MyRole",
+			expected:  false,
+		},
+		{
+			name:      "IAM user ARN",
+			principal: "arn:aws:iam::123456789012:user/MyUser",
+			expected:  false,
+		},
+		{
+			name:      "Account root ARN",
+			principal: "arn:aws:iam::123456789012:root",
+			expected:  false,
+		},
+		{
+			name:      "Random string",
+			principal: "not-a-principal",
+			expected:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			result := isAWSServicePrincipal(tt.principal)
+			if result != tt.expected {
+				t.Errorf("isAWSServicePrincipal(%q) = %v, expected %v", tt.principal, result, tt.expected)
+			}
+		})
+	}
+}
+
 func TestGrantOutputMapper(t *testing.T) {
 	output := &kms.ListGrantsOutput{
 		Grants: []types.GrantListEntry{
@@ -109,6 +185,55 @@ func TestGrantOutputMapper(t *testing.T) {
 	tests.Execute(t, item)
 }
 
+func TestGrantOutputMapperWithServicePrincipal(t *testing.T) {
+	// Test that service principals (like dynamodb.us-west-2.amazonaws.com) are
+	// properly skipped and don't cause errors or generate linked item queries
+	output := &kms.ListGrantsOutput{
+		Grants: []types.GrantListEntry{
+			{
+				Constraints: &types.GrantConstraints{
+					EncryptionContextSubset: map[string]string{
+						"aws:dynamodb:subscriberId": "123456789012",
+						"aws:dynamodb:tableName":    "Services",
+					},
+				},
+				IssuingAccount: PtrString("arn:aws:iam::123456789012:root"),
+				Name:           PtrString("8276b9a6-6cf0-46f1-b2f0-7993a7f8c89a"),
+				Operations:     []types.GrantOperation{"Decrypt", "Encrypt"},
+				GrantId:        PtrString("1667b97d27cf748cf05b487217dd4179526c949d14fb3903858e25193253fe59"),
+				KeyId:          PtrString("arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
+				// These are service principals, not ARNs - they should be skipped
+				RetiringPrincipal: PtrString("dynamodb.us-west-2.amazonaws.com"),
+				GranteePrincipal:  PtrString("rds.eu-west-2.amazonaws.com"),
+				CreationDate:      PtrTime(time.Now()),
+			},
+		},
+	}
+
+	items, err := grantOutputMapper(context.Background(), nil, "foo", nil, output)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(items) != 1 {
+		t.Fatalf("expected 1 item, got %v", len(items))
+	}
+
+	item := items[0]
+
+	// Should only have the kms-key link, not the service principals
+	if len(item.GetLinkedItemQueries()) != 1 {
+		t.Errorf("expected 1 linked item query (kms-key only), got %v", len(item.GetLinkedItemQueries()))
+		for i, liq := range item.GetLinkedItemQueries() {
+			t.Logf("  [%d] type=%s query=%s", i, liq.GetQuery().GetType(), liq.GetQuery().GetQuery())
+		}
+	}
+
+	if item.GetLinkedItemQueries()[0].GetQuery().GetType() != "kms-key" {
+		t.Errorf("expected linked item query to be kms-key, got %s", item.GetLinkedItemQueries()[0].GetQuery().GetType())
+	}
+}
+
 func TestNewKMSGrantAdapter(t *testing.T) {
 	config, account, region := GetAutoConfig(t)
 	client := kms.NewFromConfig(config)