From 29020435aeb1a9fb6401572520d0adca8155dc60 Mon Sep 17 00:00:00 2001
From: Greg Huang
Date: Fri, 10 Feb 2023 13:43:31 +0800
Subject: [PATCH] fix(iam): SamlConsolePrincipal does not work in China #22091 (#24034)
Support SamlConsolePrincipal for China and GOV partitions.
Closes #22091.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-iam/lib/principals.ts | 2 +-
 .../cdk-saml-provider.assets.json | 6 +-
 .../cdk-saml-provider.template.json | 16 ++++-
 .../integ.saml-provider.js.snapshot/cdk.out | 2 +-
 .../integ.json | 2 +-
 .../manifest.json | 16 ++---
 .../integ.saml-provider.js.snapshot/tree.json | 62 +++++++++++++++----
 .../aws-iam/test/integ.saml-provider.ts | 1 +
 .../@aws-cdk/aws-iam/test/principals.test.ts | 4 +-
 9 files changed, 81 insertions(+), 30 deletions(-)
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
index 895cfa8961798..c2a8004a941b4 100644
--- a/packages/@aws-cdk/aws-iam/lib/principals.ts
+++ b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -736,7 +736,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
 super(samlProvider, {
 ...conditions,
 StringEquals: {
- 'SAML:aud': 'https://signin.aws.amazon.com/saml',
+ 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
 },
 });
 }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
index fae103cfd4d0a..564def61ef2cb 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
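Review bot: The `aws-cn` branch on the added `'SAML:aud'` line is dead at synth time: `cdk.Aws.PARTITION` is the `AWS::Partition` pseudo-parameter, an unresolved token string, so `=== 'aws-cn'` can never be true and every stack gets the `Fn::Join` over `AWS::URLSuffix` — which is exactly what the updated unit test in principals.test.ts asserts. In the China partition that suffix resolves, as far as I recall, to `amazonaws.com.cn`, giving `https://signin.amazonaws.com.cn/saml` rather than the `https://signin.amazonaws.cn/saml` audience this branch intends, so `sts:AssumeRoleWithSAML` would still be denied there and the condition would silently be weaker than the author believes it is. A literal partition is reachable through the provider's stack: `const partition = cdk.Stack.of(samlProvider).partition;` followed by `'SAML:aud': partition === 'aws-cn' ? 'https://signin.amazonaws.cn/saml' : <the existing URL_SUFFIX template literal>,` — a literal only when the stack has a concrete region and the `enablePartitionLiterals` feature flag is on, so the class doc should say that environment-agnostic stacks fall back to the URL-suffix form (fine for `aws` and `aws-us-gov`, wrong for `aws-cn`). Separately, please space the operators per the file's lint style (`=== 'aws-cn' ? … : …`). The constructor this `super()` call belongs to starts above the hunk.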
@@ -1,7 +1,7 @@ { - "version": "20.0.0", + "version": "29.0.0", "files": { - "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": { + "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": { "source": { "path": "cdk-saml-provider.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json", + "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json index ed4f4af28415f..7ec8d4d2699c0 100644 --- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json +++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json @@ -15,7 +15,18 @@ "Action": "sts:AssumeRoleWithSAML", "Condition": { "StringEquals": { - "SAML:aud": "https://signin.aws.amazon.com/saml" + "SAML:aud": { + "Fn::Join": [ + "", + [ + "https://signin.", + { + "Ref": "AWS::URLSuffix" + }, + "/saml" + ] + ] + } } }, "Effect": "Allow", @@ -27,7 +38,8 @@ } ], "Version": "2012-10-17" - } + }, + "Description": "fix the partition issue" } } }, diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out index 588d7b269d34f..d8b441d447f8a 100644 --- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out 
@@ -1 +1 @@ -{"version":"20.0.0"} \ No newline at end of file +{"version":"29.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json index 10344874a2a62..336c4cab2d4cc 100644 --- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "29.0.0", "testCases": { "integ.saml-provider": { "stacks": [ diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json index bb172fae3d7a0..05a50dcfdf875 100644 --- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "29.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "cdk-saml-provider.assets": { "type": "cdk:asset-manifest", "properties": { @@ -23,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -65,6 +59,12 @@ ] }, "displayName": "cdk-saml-provider" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json index d6a30bceb4ee8..e1b7975da4ab9 100644 --- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "cdk-saml-provider": { "id": "cdk-saml-provider", "path": "cdk-saml-provider", @@ -44,6 +36,14 @@ "id": "Role", "path": "cdk-saml-provider/Role", "children": { + "ImportRole": { + "id": "ImportRole", + "path": "cdk-saml-provider/Role/ImportRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "cdk-saml-provider/Role/Resource", @@ -56,7 +56,18 @@ "Action": "sts:AssumeRoleWithSAML", "Condition": { "StringEquals": { - "SAML:aud": "https://signin.aws.amazon.com/saml" + "SAML:aud": { + "Fn::Join": [ + "", + [ + "https://signin.", + { + "Ref": "AWS::URLSuffix" + }, + "/saml" + ] + ] + } } }, "Effect": "Allow", @@ -68,7 +79,8 @@ } ], "Version": "2012-10-17" - } + }, + "description": "fix the partition issue" } }, "constructInfo": { 
@@ -81,17 +93,41 @@ "fqn": "@aws-cdk/aws-iam.Role", "version": "0.0.0" } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdk-saml-provider/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdk-saml-provider/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } } }, + "constructInfo": { + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + "version": "10.1.237" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.App", + "version": "0.0.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts index e421b8c4d2b01..4de1ece7e1446 100644 --- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts +++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts @@ -13,6 +13,7 @@ class TestStack extends Stack { new iam.Role(this, 'Role', { assumedBy: new iam.SamlConsolePrincipal(provider), + description: 'fix the partition issue', }); } } diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts index 60e45ca6c7b0f..d57d5f6c6f59d 100644 --- a/packages/@aws-cdk/aws-iam/test/principals.test.ts +++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts @@ -166,7 +166,9 @@ test('SAML principal', () => { Action: 'sts:AssumeRoleWithSAML', Condition: { StringEquals: { - 'SAML:aud': 'https://signin.aws.amazon.com/saml', + 'SAML:aud': { + 'Fn::Join': ['', ['https://signin.', { Ref: 'AWS::URLSuffix' }, '/saml']], + }, }, }, Effect: 'Allow',
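Review bot: `description: 'fix the partition issue'` on the added line is deployed as the IAM role's description in the integ snapshot, and it reads like a commit message rather than a statement of what the role is for. Something like `description: 'Role assumed via SamlConsolePrincipal (partition-aware SAML:aud)'` describes the resource; if the line exists only to force a snapshot refresh, a one-line comment saying so would spare the next reader the guess. The `TestStack` constructor this sits in starts above the hunk.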
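Review bot: The updated assertion pins only the `AWS::URLSuffix` form, so nothing in the test covers the `aws-cn` case that is the subject of this fix. A second test that synthesizes the role in a stack with `env: { region: 'cn-north-1' }` and expects `'SAML:aud': 'https://signin.amazonaws.cn/saml'` would show whether the partition comparison in `SamlConsolePrincipal` actually resolves; as the principal currently compares the `AWS::Partition` token to a string literal, I expect such a test to fail and to need a partition-literal path (e.g. `Stack.of(samlProvider).partition`) in the principal. The surrounding `test('SAML principal', …)` block starts above the hunk.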