fix(iam): SamlConsolePrincipal returns incorrect url in GovCloud and ISO regions #28704

merged 6 commits into from
Jan 24, 2024
2 changes: 1 addition & 1 deletion packages/aws-cdk-lib/aws-iam/lib/principals.ts
Expand Up @@ -760,7 +760,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
super(samlProvider, {
...conditions,
StringEquals: {
'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml',
},
});
}
Expand Down
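Review bot: The `??` fallback on the new `'SAML:aud'` line silently selects the commercial sign-in URL whenever `RegionInfo.get(samlProvider.stack.region).samlSignOnUrl` is undefined, which presumably covers environment-agnostic stacks (where the region is still an unresolved token at synth time) as well as any region missing from the fact table. The audience condition is the only thing binding this trust policy to one partition's sign-in endpoint, so a GovCloud or ISO deployment of such a stack gets a role that no IdP response in that partition can satisfy; that fails closed, but with no signal to the author, and it is the same silent behaviour the old `Aws.PARTITION` comparison had. I would at least document the default with `// Unknown or unresolved region (e.g. an environment-agnostic stack): default to the commercial-partition endpoint.` above the condition, and consider emitting a synth-time warning annotation when the fact lookup returns undefined so the mismatch is visible before deploy. The constructor this `super(...)` call belongs to starts and ends outside the hunk.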
13 changes: 10 additions & 3 deletions packages/aws-cdk-lib/aws-iam/test/principals.test.ts
Expand Up @@ -144,9 +144,16 @@ test('use OpenID Connect principal from provider', () => {
expect(stack.resolve(principal.federated)).toStrictEqual({ Ref: 'MyProvider730BA1C8' });
});

test('SAML principal', () => {
test.each([
{ name: 'SAML principal', region: 'us-east-1', expectedAud: 'https://signin.aws.amazon.com/saml' },
{ name: 'SAML principal CN', region: 'cn-northwest-1', expectedAud: 'https://signin.amazonaws.cn/saml' },
{ name: 'SAML principal UsGov', region: 'us-gov-east-1', expectedAud: 'https://signin.amazonaws-us-gov.com/saml' },
{ name: 'SAML principal UsIso', region: 'us-iso-east-1', expectedAud: 'https://signin.c2shome.ic.gov/saml' },
{ name: 'SAML principal UsIsoB', region: 'us-isob-east-1', expectedAud: 'https://signin.sc2shome.sgov.gov/saml' },
])('$name', ({ region, expectedAud }) => {
// GIVEN
const stack = new Stack();
const app = new App();
const stack = new Stack(app, 'TestStack', { env: { region } });
const provider = new iam.SamlProvider(stack, 'MyProvider', {
metadataDocument: iam.SamlMetadataDocument.fromXml('document'),
});
Expand All @@ -166,7 +173,7 @@ test('SAML principal', () => {
Action: 'sts:AssumeRoleWithSAML',
Condition: {
StringEquals: {
'SAML:aud': 'https://signin.aws.amazon.com/saml',
'SAML:aud': expectedAud,
},
},
Effect: 'Allow',
Expand Down
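Review bot: The new `test.each` table only covers stacks with a concrete `env.region`; there is no row for an environment-agnostic stack, which is exactly the case the `?? 'https://signin.aws.amazon.com/saml'` fallback in `SamlConsolePrincipal` exists for, so that fallback is untested. Adding a row such as `{ name: 'SAML principal region-agnostic', region: undefined, expectedAud: 'https://signin.aws.amazon.com/saml' }` would pin it, assuming `new Stack(app, 'TestStack', { env: { region: undefined } })` is treated as region-agnostic; if it is not, construct the stack without `env` for that row instead. It would also be worth a row for an unrecognised region string to show the default is taken rather than an exception thrown. The test body continues past the end of the hunk.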
8 changes: 8 additions & 0 deletions packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
Expand Up @@ -3361,3 +3361,11 @@ export const ADOT_LAMBDA_LAYER_ARNS: { [key: string]: any } = {
PYTHON_SDK: ADOT_LAMBDA_LAYER_PYTHON_SDK_ARNS,
GENERIC: ADOT_LAMBDA_LAYER_GENERIC_ARNS,
};

export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = {
[Partition.Default]: 'https://signin.aws.amazon.com/saml',
[Partition.Cn]: 'https://signin.amazonaws.cn/saml',
[Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml',
[Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml',
[Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml',
};
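Review bot: `PARTITION_SAML_SIGN_ON_URL` is exported with no doc comment, although its entries end up verbatim as the `SAML:aud` audience in every `SamlConsolePrincipal` trust policy, so an edit here changes which IdP responses those roles accept. I would add a TSDoc block above it saying that each value is the partition's SAML sign-in endpoint used as the `SAML:aud` audience condition, that it must match the endpoint the IdP is configured to post assertions to, and naming the AWS documentation page the URLs were taken from so the ISO entries can be re-verified. Typing it as `Record<Partition, string>` is good: adding a `Partition` member without an entry becomes a compile error rather than a runtime undefined.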
Expand Up @@ -12,6 +12,7 @@ import {
ADOT_LAMBDA_LAYER_ARNS,
PARAMS_AND_SECRETS_LAMBDA_LAYER_ARNS,
APPCONFIG_LAMBDA_LAYER_ARNS,
PARTITION_SAML_SIGN_ON_URL,
} from './fact-tables';
import { AWS_CDK_METADATA } from './metadata';
import {
Expand Down Expand Up @@ -84,6 +85,8 @@ export async function main(): Promise<void> {

registerFact(region, 'APPMESH_ECR_ACCOUNT', APPMESH_ECR_ACCOUNTS[region]);

registerFact(region, 'SAML_SIGN_ON_URL', PARTITION_SAML_SIGN_ON_URL[partition]);

const firehoseCidrBlock = FIREHOSE_CIDR_BLOCKS[region];
if (firehoseCidrBlock) {
registerFact(region, 'FIREHOSE_CIDR_BLOCK', `${FIREHOSE_CIDR_BLOCKS[region]}/27`);
Expand Down
5 changes: 5 additions & 0 deletions packages/aws-cdk-lib/region-info/lib/fact.ts
Expand Up @@ -190,6 +190,11 @@ export class FactName {
*/
public static readonly FIREHOSE_CIDR_BLOCK = 'firehoseCidrBlock';

/**
* The SAML Sign On URL for partition used by IAM SAML Principal
*/
public static readonly SAML_SIGN_ON_URL = 'samlSignOnUrl';

/**
* The ARN of CloudWatch Lambda Insights for a version (e.g. 1.0.98.0)
*/
Expand Down
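Review bot: The doc comment on `SAML_SIGN_ON_URL` is terse and ungrammatical, and does not say what the fact is consumed for. I would replace it with `/** The SAML sign-in endpoint of the region's partition, used by SamlConsolePrincipal as the SAML:aud audience condition. */` so readers of the fact catalogue see it is a trust-policy value rather than a UI link. The `FactName` class continues outside the hunk.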
8 changes: 8 additions & 0 deletions packages/aws-cdk-lib/region-info/lib/region-info.ts
Expand Up @@ -197,4 +197,12 @@ export class RegionInfo {
public paramsAndSecretsLambdaLayerArn(version: string, architecture: string): string | undefined {
return Fact.find(this.name, FactName.paramsAndSecretsLambdaLayer(version, architecture));
}

/**
* SAML Sign On URL used by IAM SAML Principals.
*/
public get samlSignOnUrl(): string | undefined {
return Fact.find(this.name, FactName.SAML_SIGN_ON_URL);
}

}
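Review bot: The `samlSignOnUrl` getter returns `string | undefined` but the doc comment does not say when the undefined branch is taken, and callers are choosing a default on that basis. I would extend it to `/** The SAML sign-in endpoint of this region's partition, used as the SAML:aud audience by IAM SAML principals; undefined when no fact is registered for the region name (presumably an unrecognised region or an unresolved token). */`. It would also help to state that no fallback is applied here, so the caller is responsible for deciding whether an unknown region is an error or a default.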