تشغيل أي مهارة في Manus بنقرة واحدة

$pwd:

cn-partition-arn-routing

Name: Cn Partition Arn Routing
Author: aws-samples

// Diagnose and explain AWS partition ARN mismatches in China region accounts. Use this skill whenever an investigation in `cn-north-1` or `cn-northwest-1` involves ARNs starting with `arn:aws:` instead of `arn:aws-cn:`, or whenever symptoms include AccessDenied, AuthFailure, MalformedPolicyDocument, NoSuchEntity, or "principal cannot be assumed" errors against IAM roles, SNS topics, KMS keys, S3 buckets, or any other ARN-bearing resource. Triggers also include the user mentioning "partition", "aws-cn vs aws", "cross-partition", "中国区 ARN 不对", "global partition ARN in China account", "trust policy 写错了", or pasting any ARN that looks like `arn:aws:iam::*` while the account context is China. Importantly, use this skill BEFORE concluding that an IAM trust policy or resource policy is "missing permissions" — the more common root cause in China region accounts is a partition string mismatch that the agent and generic LLM debuggers consistently get wrong.

تشغيل في Manus

$ git log --oneline --stat

stars:١

forks:٠

updated:٢٨ مايو ٢٠٢٦ في ٠٣:٥٦

SKILL.md

readonly

name

cn-partition-arn-routing

description

Diagnose and explain AWS partition ARN mismatches in China region accounts. Use this skill whenever an investigation in `cn-north-1` or `cn-northwest-1` involves ARNs starting with `arn:aws:` instead of `arn:aws-cn:`, or whenever symptoms include AccessDenied, AuthFailure, MalformedPolicyDocument, NoSuchEntity, or "principal cannot be assumed" errors against IAM roles, SNS topics, KMS keys, S3 buckets, or any other ARN-bearing resource. Triggers also include the user mentioning "partition", "aws-cn vs aws", "cross-partition", "中国区 ARN 不对", "global partition ARN in China account", "trust policy 写错了", or pasting any ARN that looks like `arn:aws:iam::*` while the account context is China. Importantly, use this skill BEFORE concluding that an IAM trust policy or resource policy is "missing permissions" — the more common root cause in China region accounts is a partition string mismatch that the agent and generic LLM debuggers consistently get wrong.

Cross-Partition ARN Diagnosis for AWS China Regions

TL;DR for the agent

When you see an AccessDenied / AuthFailure / cannot assume role error in a China region account, the most common root cause is not "missing permissions" — it is a partition mismatch in the ARN. Check this before suggesting any policy edits.

The error symptom looks like a permissions problem. The cause is a name that doesn't resolve. They are not the same fix. Recommending the wrong one wastes the user's time and may make the configuration worse.

What partitions are

AWS is split into isolated partitions. ARNs encode the partition in their second segment:

Partition	Where	ARN prefix
Global	All commercial regions outside China	`arn:aws:`
China	`cn-north-1` (Beijing), `cn-northwest-1` (Ningxia)	`arn:aws-cn:`
GovCloud	`us-gov-east-1`, `us-gov-west-1`	`arn:aws-us-gov:`

China region resources only accept arn:aws-cn: ARNs. A trust policy, resource policy, IAM policy, or SNS topic policy in a China account that references arn:aws: is referencing a resource in the global partition, which the China partition cannot see — so the principal/resource appears to "not exist" even when an identically-named one exists in the same China account.

Detection rules

Apply these checks before concluding anything else.

Rule 1 — account context is China, ARN is global

If the investigation involves resources in cn-north-1 or cn-northwest-1 (or accounts whose own ARNs start with arn:aws-cn:), and you see any embedded ARN that starts with arn:aws: (not arn:aws-cn:): this is the bug, regardless of any other plausible-looking issue.

Examples that look like this:

"Principal": { "AWS": "arn:aws:iam::123456789012:role/some-role" }
                       ^^^^^^^^^^ — wrong partition, account is China

"Resource": "arn:aws:s3:::my-bucket-cn"
             ^^^^^^^^^^ — wrong partition for a China-region bucket

Rule 2 — symptom-to-cause mapping

Symptom	Plausible-but-wrong cause	Likely correct cause
`AccessDenied: User X is not authorized`	"Add `s:Action` to policy"	Wrong-partition principal in trust policy
`MalformedPolicyDocument: Invalid principal`	"Principal field formatting"	Wrong-partition ARN
`Cannot assume role`	"Add `sts:AssumeRole` to caller"	Wrong-partition role ARN
`NoSuchEntity` on a role you can see in the console	"Eventual consistency"	Caller is using `aws:` ARN but role lives in `aws-cn`
KMS `AccessDenied` in cn region	"Key policy missing grant"	Key policy references global partition principal

Rule 3 — never trust string match alone, check both ends

If the investigation pulls an IAM role's trust policy, also pull the role's own ARN and confirm both are aws-cn. A role whose ARN is arn:aws-cn:iam::*:role/foo cannot be assumed by a principal expressed as arn:aws:iam::*:user/bar — even if user/bar exists in the same account under arn:aws-cn:iam::*:user/bar, it is a different identity from the partition's perspective.

What to output when you find this

Structure the RCA exactly as follows. The user has been bitten by agents suggesting the wrong fix, so be explicit.

Root cause: cross-partition ARN mismatch.

Account context: <region>, partition aws-cn
Offending ARN:   <the bad ARN>
Where it appears: <trust policy of role X / resource policy of bucket Y / etc.>
Why this fails:  ARNs in China region accounts must use the aws-cn
                 partition prefix. The reference to aws: is treated as
                 a global-partition resource that does not exist from
                 this account's perspective. Adding permissions does
                 not fix this — the principal is unreachable, not
                 unauthorized.

Fix: change the ARN partition segment from `aws` to `aws-cn`.

  Before:  arn:aws:iam::*:role/some-role
  After:   arn:aws-cn:iam::*:role/some-role

Then offer the corrected policy as a diff or full document, and ask the user to confirm before applying.

Anti-patterns to avoid

The wrong responses an agent often produces here:

"Add sts:AssumeRole to the trust policy" — the trust policy may already be correct in shape; the principal ARN is what's wrong.
"Try detaching and reattaching the policy" — flapping the attachment doesn't change the ARN string.
"This is an IAM eventual-consistency issue, retry" — if the ARN partition is wrong, retrying never resolves it.
"Use a wildcard principal like * to test" — masks the bug and creates a security hole.
"Reference the role by name only (role/foo)" — IAM trust policies require fully-qualified ARNs in most fields.

When this skill does not apply

If the account is in a global region (e.g. us-east-1) and the ARN is arn:aws:, that's correct. Look elsewhere.
If both ARNs are already arn:aws-cn: and the error persists, the problem is genuinely a permissions or attachment issue — fall through to your normal IAM RCA approach.
If the error is ExpiredToken / InvalidClientTokenId, that's a credentials issue (see china-region-multi-account-routing skill), not a partition issue.

Tested cases

Lambda assumes role with arn:aws: trust policy in cn-north-1 → fails with AccessDenied. Changing to arn:aws-cn: resolves.
Cross-account S3 bucket policy in cn-northwest-1 references arn:aws: principal → bucket reads fail with AccessDenied. Changing to arn:aws-cn: resolves.
KMS key policy in cn account uses arn:aws: for principal → encrypt calls fail. Changing partition resolves.

related-skills.json

نفس المستودع

china-account-prevention-checks.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Proactive prevention and pre-alarm health checks across the two China region accounts (aws-cn and aws-cn-2). Use this skill when the user asks about prevention, 防护, 预防, proactive, 体检, health check, risk assessment, 潜在风险, 隐患, or "what might break soon", and when the Evaluation agent runs scheduled recommendation workflows. Looks for conditions that predict future incidents — single points of failure, service quotas nearing limits, stale AMIs, aging credentials, certificates expiring within 30 days, deprecated Lambda runtimes. This skill is distinct from cross-account-security-posture-check, which reports current-state security risk. Prevention predicts future failure; security posture describes current exposure.

2026-05-281

china-incident-mitigation.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Draft step-by-step mitigation CLI commands for a root-caused incident in either China account (aws-cn or aws-cn-2). Use this skill after RCA has identified the root cause, when the user asks for mitigation, remediation, 缓解, 修复, 回滚, rollback, restore service, 怎么修, fix it, 怎么办. Covers common mitigation patterns such as credential rotation, Kubernetes pod rollout-restart, ALB target group reattach, security group rule revoke, IAM policy rollback, and safe CloudFormation stack rollback. Output always includes the exact CLI command, a one-line explanation of what it changes, a rollback/undo command, and an explicit human approval prompt. CRITICAL — this skill NEVER executes commands autonomously; every mitigation step requires explicit user approval before running.

2026-05-281

china-incident-rca.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Root cause analysis for a triaged incident in either China account (aws-cn or aws-cn-2). Use this skill after triage has produced a Triage Card, or when the user directly asks RCA, 根本原因, 根因, 为什么挂, why did X fail, deep dive, deep investigation, 深入分析, dig into, 调查. Correlates the CloudTrail API log window around the incident, recent deploy events (CloudFormation stack events, CodeDeploy, ECR pushes, Lambda updates), metric anomalies against prior-week baseline, and cross-account blast radius — specifically, whether the same failure pattern also hit the other China account around the same time, which would suggest a shared upstream cause (IAM partition-wide, AWS region event, or common dependency). Produces a single root-cause hypothesis plus the evidence chain. Does NOT execute remediation.

2026-05-281

china-incident-triage.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

First-response triage for an incoming alarm, ticket, or failure report originating from either China account (aws-cn or aws-cn-2). Use this skill when the trigger is an alarm name, CloudWatch alarm payload, SIM ticket body, error log snippet, or a user phrase such as 告警, 出事了, 服务挂了, incident, triage, 分类, 初步判断, 看一下这个告警, what happened. Determines which of the two accounts is affected, classifies the incident into one of six classes (compute / network / identity-credentials / data / cost / unknown), estimates severity from the signal, and checks whether a similar incident fired recently so duplicates are marked. Output is a short triage card that hands off to RCA or mitigation depending on severity. This skill is the entry point of the incident response pipeline.

2026-05-281

china-region-multi-account-routing.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Routing and disambiguation guidance for the two AWS China region MCP servers exposed by this Agent Space. Use this skill whenever the user's request mentions "中国区", "China", "cn-north-1", "cn-northwest-1", "Beijing", "Ningxia", or any AWS resource that must resolve to a specific China partition account. The skill explains which MCP endpoint maps to which account, how to pick when the user does not specify, and how to label cross-account results so the user can tell them apart.

2026-05-281

cross-account-cost-attribution.md

from "aws-samples/sample-skills-for-AWS-Devops-agent"

Retrieve, compare, and attribute AWS spend across the two China region accounts (aws-cn in cn-northwest-1 and aws-cn-2 in cn-north-1). Use this skill when the user asks about cost, spend, billing, 花费, 成本, 账单, 多少钱, expensive, 贵, top services, cost breakdown, month-over-month, budget, or wants to know which China account spends more and on what. Covers month-to-date, last month, last 90 days, and custom time ranges. Also use when the user wants to correlate cost with specific resources or services (e.g. "哪个账号的 EC2 花费高"). Report totals per account, top services per account, and deltas vs previous period when available.

2026-05-281

package.json

"author": "aws-samples"

"repository": "aws-samples/sample-skills-for-AWS-Devops-agent"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

name

cn-partition-arn-routing

description

Cross-Partition ARN Diagnosis for AWS China Regions

TL;DR for the agent

What partitions are

AWS is split into isolated partitions. ARNs encode the partition in their second segment:

Partition	Where	ARN prefix
Global	All commercial regions outside China	`arn:aws:`
China	`cn-north-1` (Beijing), `cn-northwest-1` (Ningxia)	`arn:aws-cn:`
GovCloud	`us-gov-east-1`, `us-gov-west-1`	`arn:aws-us-gov:`

Detection rules

Apply these checks before concluding anything else.

Rule 1 — account context is China, ARN is global

Examples that look like this:

"Principal": { "AWS": "arn:aws:iam::123456789012:role/some-role" }
                       ^^^^^^^^^^ — wrong partition, account is China

"Resource": "arn:aws:s3:::my-bucket-cn"
             ^^^^^^^^^^ — wrong partition for a China-region bucket

Rule 2 — symptom-to-cause mapping

Symptom	Plausible-but-wrong cause	Likely correct cause
`AccessDenied: User X is not authorized`	"Add `s:Action` to policy"	Wrong-partition principal in trust policy
`MalformedPolicyDocument: Invalid principal`	"Principal field formatting"	Wrong-partition ARN
`Cannot assume role`	"Add `sts:AssumeRole` to caller"	Wrong-partition role ARN
`NoSuchEntity` on a role you can see in the console	"Eventual consistency"	Caller is using `aws:` ARN but role lives in `aws-cn`
KMS `AccessDenied` in cn region	"Key policy missing grant"	Key policy references global partition principal

Rule 3 — never trust string match alone, check both ends

What to output when you find this

Structure the RCA exactly as follows. The user has been bitten by agents suggesting the wrong fix, so be explicit.

Root cause: cross-partition ARN mismatch.

Account context: <region>, partition aws-cn
Offending ARN:   <the bad ARN>
Where it appears: <trust policy of role X / resource policy of bucket Y / etc.>
Why this fails:  ARNs in China region accounts must use the aws-cn
                 partition prefix. The reference to aws: is treated as
                 a global-partition resource that does not exist from
                 this account's perspective. Adding permissions does
                 not fix this — the principal is unreachable, not
                 unauthorized.

Fix: change the ARN partition segment from `aws` to `aws-cn`.

  Before:  arn:aws:iam::*:role/some-role
  After:   arn:aws-cn:iam::*:role/some-role

Then offer the corrected policy as a diff or full document, and ask the user to confirm before applying.

Anti-patterns to avoid

The wrong responses an agent often produces here:

"Add sts:AssumeRole to the trust policy" — the trust policy may already be correct in shape; the principal ARN is what's wrong.
"Try detaching and reattaching the policy" — flapping the attachment doesn't change the ARN string.
"This is an IAM eventual-consistency issue, retry" — if the ARN partition is wrong, retrying never resolves it.
"Use a wildcard principal like * to test" — masks the bug and creates a security hole.
"Reference the role by name only (role/foo)" — IAM trust policies require fully-qualified ARNs in most fields.

When this skill does not apply

If the account is in a global region (e.g. us-east-1) and the ARN is arn:aws:, that's correct. Look elsewhere.
If both ARNs are already arn:aws-cn: and the error persists, the problem is genuinely a permissions or attachment issue — fall through to your normal IAM RCA approach.
If the error is ExpiredToken / InvalidClientTokenId, that's a credentials issue (see china-region-multi-account-routing skill), not a partition issue.

Tested cases

Lambda assumes role with arn:aws: trust policy in cn-north-1 → fails with AccessDenied. Changing to arn:aws-cn: resolves.
Cross-account S3 bucket policy in cn-northwest-1 references arn:aws: principal → bucket reads fail with AccessDenied. Changing to arn:aws-cn: resolves.
KMS key policy in cn account uses arn:aws: for principal → encrypt calls fail. Changing partition resolves.

cn-partition-arn-routing

Cross-Partition ARN Diagnosis for AWS China Regions

TL;DR for the agent

What partitions are

Detection rules

Rule 1 — account context is China, ARN is global

Rule 2 — symptom-to-cause mapping

Rule 3 — never trust string match alone, check both ends

What to output when you find this

Anti-patterns to avoid

When this skill does not apply

Tested cases

المزيد من هذا المستودع

Cross-Partition ARN Diagnosis for AWS China Regions

TL;DR for the agent

What partitions are

Detection rules

Rule 1 — account context is China, ARN is global

Rule 2 — symptom-to-cause mapping

Rule 3 — never trust string match alone, check both ends

What to output when you find this

Anti-patterns to avoid

When this skill does not apply

Tested cases

المزيد من هذا المستودع