fix(iam): SamlConsolePrincipal returns incorrect url in GovCloud and ADC regions #25804

Closed
wants to merge 3 commits into from
Closed
2 changes: 1 addition & 1 deletion packages/aws-cdk-lib/aws-iam/lib/principals.ts
Expand Up @@ -746,7 +746,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
super(samlProvider, {
...conditions,
StringEquals: {
'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml',
},
});
}
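Review bot: The replacement lookup `RegionInfo.get(samlProvider.stack.region).samlSignOnUrl` runs at synth time, so for an environment-agnostic stack (region is an unresolved token) it presumably finds no fact and the `?? 'https://signin.aws.amazon.com/saml'` fallback silently pins `SAML:aud` to the commercial endpoint, which is the same GovCloud/China outcome this PR sets out to fix. If this version of the library has `Stack.regionalFact`, resolving through a region mapping keeps the audience correct at deploy time, e.g. `'SAML:aud': samlProvider.stack.regionalFact(FactName.SAML_SIGN_ON_URL, 'https://signin.aws.amazon.com/saml'),`; otherwise the class doc should state that env-agnostic stacks only get the commercial URL. A wrong audience fails closed (sts:AssumeRoleWithSAML rejects an assertion whose audience does not match the StringEquals condition), so this is an availability regression rather than a privilege one, but it is a hard one to diagnose from a deployed trust policy. The SamlConsolePrincipal constructor begins before the hunk.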
78 changes: 78 additions & 0 deletions packages/aws-cdk-lib/aws-iam/test/principals.test.ts
Expand Up @@ -182,6 +182,84 @@ test('SAML principal', () => {
});
});

test('SAML principal CN', () => {
// GIVEN
const app = new App();
const stack = new Stack(app, 'Cn', { env: { region: 'cn-northwest-1' } });
const provider = new iam.SamlProvider(stack, 'MyProvider', {
metadataDocument: iam.SamlMetadataDocument.fromXml('document'),
});

// WHEN
const principal = new iam.SamlConsolePrincipal(provider);
new iam.Role(stack, 'Role', {
assumedBy: principal,
});

// THEN
expect(stack.resolve(principal.federated)).toStrictEqual({ Ref: 'MyProvider730BA1C8' });
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
AssumeRolePolicyDocument: {
Statement: [
{
Action: 'sts:AssumeRoleWithSAML',
Condition: {
StringEquals: {
'SAML:aud': 'https://signin.amazonaws.cn/saml',
},
},
Effect: 'Allow',
Principal: {
Federated: {
Ref: 'MyProvider730BA1C8',
},
},
},
],
Version: '2012-10-17',
},
});
});

test('SAML principal UsGov', () => {
// GIVEN
const app = new App();
const stack = new Stack(app, 'UsGov', { env: { region: 'us-gov-east-1' } });
const provider = new iam.SamlProvider(stack, 'MyProvider', {
metadataDocument: iam.SamlMetadataDocument.fromXml('document'),
});

// WHEN
const principal = new iam.SamlConsolePrincipal(provider);
new iam.Role(stack, 'Role', {
assumedBy: principal,
});

// THEN
expect(stack.resolve(principal.federated)).toStrictEqual({ Ref: 'MyProvider730BA1C8' });
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
AssumeRolePolicyDocument: {
Statement: [
{
Action: 'sts:AssumeRoleWithSAML',
Condition: {
StringEquals: {
'SAML:aud': 'https://signin.amazonaws-us-gov.com/saml',
},
},
Effect: 'Allow',
Principal: {
Federated: {
Ref: 'MyProvider730BA1C8',
},
},
},
],
Version: '2012-10-17',
},
});
});

test('StarPrincipal', () => {
// GIVEN
const stack = new Stack();
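Review bot: The two added tests pin the China and GovCloud audiences but leave the fallback branch of the iam change unexercised: a stack with no region (`new Stack(app, 'Agnostic')`) should be asserted to emit `'https://signin.aws.amazon.com/saml'`, so the `??` default is covered and a later change to it is caught. The two tests are also identical except for the region and URL, and the fact table in this PR adds ISO endpoints that no test checks; a `test.each` over `[region, expectedAud]` pairs (adding `us-iso-east-1` and `us-isob-east-1` if those regions are in AWS_REGIONS) would cover every partition in one place. The preceding test (`SAML principal`) starts before the hunk.
```typescript
test.each([
  ['cn-northwest-1', 'https://signin.amazonaws.cn/saml'],
  ['us-gov-east-1', 'https://signin.amazonaws-us-gov.com/saml'],
  [undefined, 'https://signin.aws.amazon.com/saml'], // env-agnostic stack exercises the ?? fallback
])('SAML console principal audience for region %s', (region, expectedAud) => {
  const stack = new Stack(new App(), 'Stack', region ? { env: { region } } : undefined);
  // … unchanged: SamlProvider, SamlConsolePrincipal and Role creation from the existing tests …
  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
    // … unchanged: full AssumeRolePolicyDocument from the existing tests, with 'SAML:aud': expectedAud …
  });
});
```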
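--- a/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
+++ b/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
@@ -1444,3 +1444,11 @@ export const ADOT_LAMBDA_LAYER_ARNS: { [key: string]: any } = {
 PYTHON_SDK: ADOT_LAMBDA_LAYER_PYTHON_SDK_ARNS,
 GENERIC: ADOT_LAMBDA_LAYER_GENERIC_ARNS,
 };
+
+export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = {
+[Partition.Default]: 'https://signin.aws.amazon.com/saml',
+[Partition.Cn]: 'https://signin.amazonaws.cn/saml',
+[Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml',
+[Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml',
+[Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml',
+};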
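Review bot: The new table has no comment saying what the values are used for or where they come from, although a wrong entry here changes an IAM trust-policy condition (`SAML:aud`) for every role built with SamlConsolePrincipal in that partition. I would add above the export a doc comment along the lines of `/** Console SAML sign-in endpoint per partition. Used by SamlConsolePrincipal as the SAML:aud audience in role trust policies; a mismatch makes sts:AssumeRoleWithSAML reject the assertion (fails closed). */`, plus a one-line reference for the commercial, China and GovCloud URLs (the IAM documentation on console access for SAML 2.0 federated users lists them). The two ISO endpoints are not in public documentation, so a short note on how they were confirmed would help the next person who has to audit this table. Typing it as `Record<Partition, string>` is the right choice: a new Partition member fails compilation instead of silently falling back.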
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import {
EBS_ENV_ENDPOINT_HOSTED_ZONE_IDS,
ADOT_LAMBDA_LAYER_ARNS,
CR_DEFAULT_RUNTIME_MAP,
PARTITION_SAML_SIGN_ON_URL,
} from './fact-tables';
import {
AWS_REGIONS,
Expand Down Expand Up @@ -84,6 +85,8 @@ export async function main(): Promise<void> {

registerFact(region, 'DEFAULT_CR_NODE_VERSION', CR_DEFAULT_RUNTIME_MAP[partition]);

registerFact(region, 'SAML_SIGN_ON_URL', PARTITION_SAML_SIGN_ON_URL[partition]);

const firehoseCidrBlock = FIREHOSE_CIDR_BLOCKS[region];
if (firehoseCidrBlock) {
registerFact(region, 'FIREHOSE_CIDR_BLOCK', `${FIREHOSE_CIDR_BLOCKS[region]}/27`);
5 changes: 5 additions & 0 deletions packages/aws-cdk-lib/region-info/lib/fact.ts
Expand Up @@ -176,6 +176,11 @@ export class FactName {
*/
public static readonly DEFAULT_CR_NODE_VERSION = 'defaultCrNodeVersion';

/**
* The SAML Sign On URL for partition used by IAM SAML Principal
*/
public static readonly SAML_SIGN_ON_URL = 'samlSignOnUrl';

/**
* The ARN of CloudWatch Lambda Insights for a version (e.g. 1.0.98.0)
*/
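Review bot: The doc comment on `SAML_SIGN_ON_URL` is ungrammatical and does not say that this is a partition-level value looked up per region; I would write it as `The console SAML sign-in URL for the region's partition, used by SamlConsolePrincipal as the SAML:aud condition in role trust policies.`. The FactName class body continues outside the hunk.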
7 changes: 7 additions & 0 deletions packages/aws-cdk-lib/region-info/lib/region-info.ts
Expand Up @@ -168,6 +168,13 @@ export class RegionInfo {
return Fact.find(this.name, FactName.FIREHOSE_CIDR_BLOCK);
}

/**
* SAML Sign On URL used by IAM SAML Principals.
*/
public get samlSignOnUrl(): string | undefined {
return Fact.find(this.name, FactName.SAML_SIGN_ON_URL);
}

/**
* The ARN of the ADOT Lambda layer, for the given layer type, version and architecture.
*
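Review bot: `samlSignOnUrl` is typed `string | undefined` but its comment does not say when it is undefined, and the iam change in this PR defaults on exactly that case, so the contract should be spelled out. I would extend the doc to `SAML sign-on URL used by IAM SAML principals, or undefined when no fact is registered for this region (for example a region not yet in the fact table).`. Whether an unresolved region token also yields undefined depends on Fact.find, which is outside this hunk, and is worth stating once confirmed. The RegionInfo class body continues beyond the hunk.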