

fix(iam): SamlConsolePrincipal does not work in China #22091 (#24034)
Support SamlConsolePrincipal for China and GOV partitions.

Closes #22091.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
zorrofox committed Feb 10, 2023
1 parent 1e8926f commit 2902043
Showing 9 changed files with 81 additions and 30 deletions.
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-iam/lib/principals.ts
Expand Up @@ -736,7 +736,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
super(samlProvider, {
...conditions,
StringEquals: {
'SAML:aud': 'https://signin.aws.amazon.com/saml',
'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
},
});
}
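Review bot: The `aws-cn` branch on the new line 28 can never be taken: `cdk.Aws.PARTITION` is a deploy-time token (it renders as `${AWS::Partition}`), so the synth-time `===` comparison against the literal `'aws-cn'` is always false and the emitted audience is unconditionally the `URL_SUFFIX` form, which is exactly what the regenerated template (an `Fn::Join` on `AWS::URLSuffix` with no condition) and the updated assertion in principals.test.ts show. In the China partition `AWS::URLSuffix` resolves to `amazonaws.com.cn`, so if `https://signin.amazonaws.cn/saml` really is the required audience there, the branch needs a CloudFormation-level condition rather than a TypeScript comparison; if the `URL_SUFFIX` form is correct in every partition, the dead branch should be dropped and the reason recorded, e.g. `// cdk.Aws.PARTITION is a token at synth time; an '===' against a literal is always false` above ``'SAML:aud': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,``. Either way a unit test on a stack bound to a `cn-*` region would pin the audience actually emitted, since `SAML:aud` is the condition that gates `sts:AssumeRoleWithSAML` on this role. The constructor continues outside the hunk.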
@@ -1,15 +1,15 @@
{
"version": "20.0.0",
"version": "29.0.0",
"files": {
"3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {
"adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {
"source": {
"path": "cdk-saml-provider.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
"objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -15,7 +15,18 @@
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
"SAML:aud": {
"Fn::Join": [
"",
[
"https://signin.",
{
"Ref": "AWS::URLSuffix"
},
"/saml"
]
]
}
}
},
"Effect": "Allow",
Expand All @@ -27,7 +38,8 @@
}
],
"Version": "2012-10-17"
}
},
"Description": "fix the partition issue"
}
}
},
@@ -1 +1 @@
{"version":"20.0.0"}
{"version":"29.0.0"}
@@ -1,5 +1,5 @@
{
"version": "20.0.0",
"version": "29.0.0",
"testCases": {
"integ.saml-provider": {
"stacks": [
@@ -1,12 +1,6 @@
{
"version": "20.0.0",
"version": "29.0.0",
"artifacts": {
"Tree": {
"type": "cdk:tree",
"properties": {
"file": "tree.json"
}
},
"cdk-saml-provider.assets": {
"type": "cdk:asset-manifest",
"properties": {
Expand All @@ -23,7 +17,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Down Expand Up @@ -65,6 +59,12 @@
]
},
"displayName": "cdk-saml-provider"
},
"Tree": {
"type": "cdk:tree",
"properties": {
"file": "tree.json"
}
}
}
}
Expand Up @@ -4,14 +4,6 @@
"id": "App",
"path": "",
"children": {
"Tree": {
"id": "Tree",
"path": "Tree",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.1.85"
}
},
"cdk-saml-provider": {
"id": "cdk-saml-provider",
"path": "cdk-saml-provider",
Expand Down Expand Up @@ -44,6 +36,14 @@
"id": "Role",
"path": "cdk-saml-provider/Role",
"children": {
"ImportRole": {
"id": "ImportRole",
"path": "cdk-saml-provider/Role/ImportRole",
"constructInfo": {
"fqn": "@aws-cdk/core.Resource",
"version": "0.0.0"
}
},
"Resource": {
"id": "Resource",
"path": "cdk-saml-provider/Role/Resource",
Expand All @@ -56,7 +56,18 @@
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
"SAML:aud": {
"Fn::Join": [
"",
[
"https://signin.",
{
"Ref": "AWS::URLSuffix"
},
"/saml"
]
]
}
}
},
"Effect": "Allow",
Expand All @@ -68,7 +79,8 @@
}
],
"Version": "2012-10-17"
}
},
"description": "fix the partition issue"
}
},
"constructInfo": {
Expand All @@ -81,17 +93,41 @@
"fqn": "@aws-cdk/aws-iam.Role",
"version": "0.0.0"
}
},
"BootstrapVersion": {
"id": "BootstrapVersion",
"path": "cdk-saml-provider/BootstrapVersion",
"constructInfo": {
"fqn": "@aws-cdk/core.CfnParameter",
"version": "0.0.0"
}
},
"CheckBootstrapVersion": {
"id": "CheckBootstrapVersion",
"path": "cdk-saml-provider/CheckBootstrapVersion",
"constructInfo": {
"fqn": "@aws-cdk/core.CfnRule",
"version": "0.0.0"
}
}
},
"constructInfo": {
"fqn": "@aws-cdk/core.Stack",
"version": "0.0.0"
}
},
"Tree": {
"id": "Tree",
"path": "Tree",
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.1.85"
"version": "10.1.237"
}
}
},
"constructInfo": {
"fqn": "constructs.Construct",
"version": "10.1.85"
"fqn": "@aws-cdk/core.App",
"version": "0.0.0"
}
}
}
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
Expand Up @@ -13,6 +13,7 @@ class TestStack extends Stack {

new iam.Role(this, 'Role', {
assumedBy: new iam.SamlConsolePrincipal(provider),
description: 'fix the partition issue',
});
}
}
4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-iam/test/principals.test.ts
Expand Up @@ -166,7 +166,9 @@ test('SAML principal', () => {
Action: 'sts:AssumeRoleWithSAML',
Condition: {
StringEquals: {
'SAML:aud': 'https://signin.aws.amazon.com/saml',
'SAML:aud': {
'Fn::Join': ['', ['https://signin.', { Ref: 'AWS::URLSuffix' }, '/saml']],
},
},
},
Effect: 'Allow',
