fix(iam): SamlConsolePrincipal returns incorrect url in GovCloud and …
…ISO regions (#28704)

This PR addresses the issue where the SAML federation principal is hardcoded with URLs specific to standard AWS and China partitions, causing failures in GovCloud, Iso, and Iso-b partitions. The provided solution dynamically sets the SAML sign-on URL based on the partition.

```diff
-       'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
+       'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml',
```

```ts
export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = {
  [Partition.Default]: 'https://signin.aws.amazon.com/saml',
  [Partition.Cn]: 'https://signin.amazonaws.cn/saml',
  [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml',
  [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml',
  [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml',
};
```



Closes #25723.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
badmintoncryer authored Jan 24, 2024
1 parent bdf4285 commit c1f2abb
Showing 6 changed files with 35 additions and 4 deletions.
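--- a/packages/aws-cdk-lib/aws-iam/lib/principals.ts
+++ b/packages/aws-cdk-lib/aws-iam/lib/principals.ts
@@ -760,7 +760,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
     super(samlProvider, {
       ...conditions,
       StringEquals: {
-        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
+        'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml',
       },
     });
   }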
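Review bot: The `??` fallback on the new `'SAML:aud'` line silently substitutes the commercial-partition audience whenever `samlProvider.stack.region` is unresolved (an environment-agnostic stack) or absent from the fact table, because `RegionInfo.get` then yields no `samlSignOnUrl`; a role synthesized that way for a GovCloud or ISO deployment would carry the wrong audience condition with no warning. This is not a regression — the old expression compared the `Aws.PARTITION` token with `===` at synth time and so always took the commercial URL as well — but the trade-off should be stated next to the line, e.g. `// Region is resolved at synth time; an unresolved or unknown region falls back to the commercial sign-on URL.` If deploy-time resolution is preferred, `samlProvider.stack.regionalFact(FactName.SAML_SIGN_ON_URL, 'https://signin.aws.amazon.com/saml')` appears to be the existing mechanism for emitting a region mapping instead of a fixed default. The constructor starts outside the hunk.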
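--- a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
+++ b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
@@ -144,9 +144,16 @@ test('use OpenID Connect principal from provider', () => {
   expect(stack.resolve(principal.federated)).toStrictEqual({ Ref: 'MyProvider730BA1C8' });
 });
 
-test('SAML principal', () => {
+test.each([
+  { name: 'SAML principal', region: 'us-east-1', expectedAud: 'https://signin.aws.amazon.com/saml' },
+  { name: 'SAML principal CN', region: 'cn-northwest-1', expectedAud: 'https://signin.amazonaws.cn/saml' },
+  { name: 'SAML principal UsGov', region: 'us-gov-east-1', expectedAud: 'https://signin.amazonaws-us-gov.com/saml' },
+  { name: 'SAML principal UsIso', region: 'us-iso-east-1', expectedAud: 'https://signin.c2shome.ic.gov/saml' },
+  { name: 'SAML principal UsIsoB', region: 'us-isob-east-1', expectedAud: 'https://signin.sc2shome.sgov.gov/saml' },
+])('$name', ({ region, expectedAud }) => {
   // GIVEN
-  const stack = new Stack();
+  const app = new App();
+  const stack = new Stack(app, 'TestStack', { env: { region } });
   const provider = new iam.SamlProvider(stack, 'MyProvider', {
     metadataDocument: iam.SamlMetadataDocument.fromXml('document'),
   });
@@ -166,7 +173,7 @@ test('SAML principal', () => {
         Action: 'sts:AssumeRoleWithSAML',
         Condition: {
           StringEquals: {
-            'SAML:aud': 'https://signin.aws.amazon.com/saml',
+            'SAML:aud': expectedAud,
           },
         },
         Effect: 'Allow',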
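Review bot: The new `test.each` table pins the five known partitions but leaves the fallback path untested: a stack with no `env.region` (the case the old `new Stack()` covered) now resolves through `RegionInfo.get` with an unresolved region and takes the `??` default in SamlConsolePrincipal, and nothing asserts what audience that produces. Add a row such as `{ name: 'SAML principal (region-agnostic)', region: undefined, expectedAud: 'https://signin.aws.amazon.com/saml' }` so the default is an explicit, reviewed expectation rather than an accident of the table. The test body continues outside the hunk.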
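--- a/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
+++ b/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
@@ -3361,3 +3361,11 @@ export const ADOT_LAMBDA_LAYER_ARNS: { [key: string]: any } = {
   PYTHON_SDK: ADOT_LAMBDA_LAYER_PYTHON_SDK_ARNS,
   GENERIC: ADOT_LAMBDA_LAYER_GENERIC_ARNS,
 };
+
+export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = {
+  [Partition.Default]: 'https://signin.aws.amazon.com/saml',
+  [Partition.Cn]: 'https://signin.amazonaws.cn/saml',
+  [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml',
+  [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml',
+  [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml',
+};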
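Review bot: The exported `PARTITION_SAML_SIGN_ON_URL` has no TSDoc, unlike the surrounding fact tables, and its values end up in IAM trust policies as the `SAML:aud` condition, so a reader should be told why an entry must not be edited casually. A comment such as `/** Console SAML sign-on URL per partition. Used verbatim as the 'SAML:aud' value in SamlConsolePrincipal trust policies, so a wrong entry silently breaks (or over-widens) role assumption in that partition. */` above the declaration would do. Typing it `Record<Partition, string>` is a good choice: adding a partition without a URL fails to compile rather than falling through to a default.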
Expand Up @@ -12,6 +12,7 @@ import {
ADOT_LAMBDA_LAYER_ARNS,
PARAMS_AND_SECRETS_LAMBDA_LAYER_ARNS,
APPCONFIG_LAMBDA_LAYER_ARNS,
PARTITION_SAML_SIGN_ON_URL,
} from './fact-tables';
import { AWS_CDK_METADATA } from './metadata';
import {
Expand Down Expand Up @@ -84,6 +85,8 @@ export async function main(): Promise<void> {

registerFact(region, 'APPMESH_ECR_ACCOUNT', APPMESH_ECR_ACCOUNTS[region]);

registerFact(region, 'SAML_SIGN_ON_URL', PARTITION_SAML_SIGN_ON_URL[partition]);

const firehoseCidrBlock = FIREHOSE_CIDR_BLOCKS[region];
if (firehoseCidrBlock) {
registerFact(region, 'FIREHOSE_CIDR_BLOCK', `${FIREHOSE_CIDR_BLOCKS[region]}/27`);
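--- a/packages/aws-cdk-lib/region-info/lib/fact.ts
+++ b/packages/aws-cdk-lib/region-info/lib/fact.ts
@@ -190,6 +190,11 @@ export class FactName {
    */
   public static readonly FIREHOSE_CIDR_BLOCK = 'firehoseCidrBlock';
 
+  /**
+   * The SAML Sign On URL for partition used by IAM SAML Principal
+   */
+  public static readonly SAML_SIGN_ON_URL = 'samlSignOnUrl';
+
   /**
    * The ARN of CloudWatch Lambda Insights for a version (e.g. 1.0.98.0)
    */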
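Review bot: The doc comment on the new `SAML_SIGN_ON_URL` fact name is grammatically off and does not say what the value is used for in policy terms. Suggested wording: `/** The SAML sign-on URL of the region's partition, used as the 'SAML:aud' condition value by SamlConsolePrincipal. */`. The `FactName` class starts and ends outside the hunk.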
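--- a/packages/aws-cdk-lib/region-info/lib/region-info.ts
+++ b/packages/aws-cdk-lib/region-info/lib/region-info.ts
@@ -197,4 +197,12 @@ export class RegionInfo {
   public paramsAndSecretsLambdaLayerArn(version: string, architecture: string): string | undefined {
     return Fact.find(this.name, FactName.paramsAndSecretsLambdaLayer(version, architecture));
   }
+
+  /**
+   * SAML Sign On URL used by IAM SAML Principals.
+   */
+  public get samlSignOnUrl(): string | undefined {
+    return Fact.find(this.name, FactName.SAML_SIGN_ON_URL);
+  }
+
 }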
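Review bot: The `samlSignOnUrl` getter's return type admits `undefined`, but its TSDoc does not say when that happens, and the one caller in this commit turns that `undefined` into a hard-coded commercial-partition audience. State the contract so callers make that decision knowingly, e.g. `/** The console SAML sign-on URL of this region's partition, or `undefined` when the region is not a known one (for example an unresolved token). Used as the 'SAML:aud' condition value by SamlConsolePrincipal. */`. The `RegionInfo` class starts outside the hunk.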
