fix(iam): SamlConsolePrincipal returns incorrect url in GovCloud and …

…ISO regions (#28704) This PR addresses the issue where the SAML federation principal is hardcoded with URLs specific to standard AWS and China partitions, causing failures in GovCloud, Iso, and Iso-b partitions. The provided solution dynamically sets the SAML sign-on URL based on the partition. ```diff - 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml', + 'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml', ``` ```ts export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = { [Partition.Default]: 'https://signin.aws.amazon.com/saml', [Partition.Cn]: 'https://signin.amazonaws.cn/saml', [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml', [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml', [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml', }; ``` Closes #25723. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jan 24, 2024 · c1f2abb · c1f2abb
1 parent bdf4285
commit c1f2abb
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 4 deletions.
diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts
@@ -760,7 +760,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
     super(samlProvider, {
       ...conditions,
       StringEquals: {
-        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
+        'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml',
       },
     });
   }

diff --git a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts
@@ -144,9 +144,16 @@ test('use OpenID Connect principal from provider', () => {
   expect(stack.resolve(principal.federated)).toStrictEqual({ Ref: 'MyProvider730BA1C8' });
 });
 
-test('SAML principal', () => {
+test.each([
+  { name: 'SAML principal', region: 'us-east-1', expectedAud: 'https://signin.aws.amazon.com/saml' },
+  { name: 'SAML principal CN', region: 'cn-northwest-1', expectedAud: 'https://signin.amazonaws.cn/saml' },
+  { name: 'SAML principal UsGov', region: 'us-gov-east-1', expectedAud: 'https://signin.amazonaws-us-gov.com/saml' },
+  { name: 'SAML principal UsIso', region: 'us-iso-east-1', expectedAud: 'https://signin.c2shome.ic.gov/saml' },
+  { name: 'SAML principal UsIsoB', region: 'us-isob-east-1', expectedAud: 'https://signin.sc2shome.sgov.gov/saml' },
+])('$name', ({ region, expectedAud }) => {
   // GIVEN
-  const stack = new Stack();
+  const app = new App();
+  const stack = new Stack(app, 'TestStack', { env: { region } });
   const provider = new iam.SamlProvider(stack, 'MyProvider', {
     metadataDocument: iam.SamlMetadataDocument.fromXml('document'),
   });
@@ -166,7 +173,7 @@ test('SAML principal', () => {
           Action: 'sts:AssumeRoleWithSAML',
           Condition: {
             StringEquals: {
-              'SAML:aud': 'https://signin.aws.amazon.com/saml',
+              'SAML:aud': expectedAud,
             },
           },
           Effect: 'Allow',

diff --git a/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts b/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts
@@ -3361,3 +3361,11 @@ export const ADOT_LAMBDA_LAYER_ARNS: { [key: string]: any } = {
   PYTHON_SDK: ADOT_LAMBDA_LAYER_PYTHON_SDK_ARNS,
   GENERIC: ADOT_LAMBDA_LAYER_GENERIC_ARNS,
 };
+
+export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = {
+  [Partition.Default]: 'https://signin.aws.amazon.com/saml',
+  [Partition.Cn]: 'https://signin.amazonaws.cn/saml',
+  [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml',
+  [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml',
+  [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml',
+};
diff --git a/packages/aws-cdk-lib/region-info/build-tools/generate-static-data.ts b/packages/aws-cdk-lib/region-info/build-tools/generate-static-data.ts
@@ -12,6 +12,7 @@ import {
   ADOT_LAMBDA_LAYER_ARNS,
   PARAMS_AND_SECRETS_LAMBDA_LAYER_ARNS,
   APPCONFIG_LAMBDA_LAYER_ARNS,
+  PARTITION_SAML_SIGN_ON_URL,
 } from './fact-tables';
 import { AWS_CDK_METADATA } from './metadata';
 import {
@@ -84,6 +85,8 @@ export async function main(): Promise<void> {
 
     registerFact(region, 'APPMESH_ECR_ACCOUNT', APPMESH_ECR_ACCOUNTS[region]);
 
+    registerFact(region, 'SAML_SIGN_ON_URL', PARTITION_SAML_SIGN_ON_URL[partition]);
+
     const firehoseCidrBlock = FIREHOSE_CIDR_BLOCKS[region];
     if (firehoseCidrBlock) {
       registerFact(region, 'FIREHOSE_CIDR_BLOCK', `${FIREHOSE_CIDR_BLOCKS[region]}/27`);

diff --git a/packages/aws-cdk-lib/region-info/lib/fact.ts b/packages/aws-cdk-lib/region-info/lib/fact.ts
@@ -190,6 +190,11 @@ export class FactName {
    */
   public static readonly FIREHOSE_CIDR_BLOCK = 'firehoseCidrBlock';
 
+  /**
+   * The SAML Sign On URL for partition used by IAM SAML Principal
+   */
+  public static readonly SAML_SIGN_ON_URL = 'samlSignOnUrl';
+
   /**
    * The ARN of CloudWatch Lambda Insights for a version (e.g. 1.0.98.0)
    */

diff --git a/packages/aws-cdk-lib/region-info/lib/region-info.ts b/packages/aws-cdk-lib/region-info/lib/region-info.ts
@@ -197,4 +197,12 @@ export class RegionInfo {
   public paramsAndSecretsLambdaLayerArn(version: string, architecture: string): string | undefined {
     return Fact.find(this.name, FactName.paramsAndSecretsLambdaLayer(version, architecture));
   }
+
+  /**
+   * SAML Sign On URL used by IAM SAML Principals.
+   */
+  public get samlSignOnUrl(): string | undefined {
+    return Fact.find(this.name, FactName.SAML_SIGN_ON_URL);
+  }
+
 }