iam: OpenIdConnectProvider ignores the @aws-cdk/aws-iam:oidcRejectUnauthorizedConnections feature flag
#33251
Comments
tobigumo
added
bug
github-actions
bot
added
the
@aws-cdk/aws-iam
|
I am pertty sure it works in 2.177.0 export class GithubActionsProvider extends Stack {
public readonly provider: iam.OpenIdConnectProvider;
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// create a openid connect provider
const provider = new iam.OpenIdConnectProvider(
this,
"GithubActionsProvider",
{
url: "https://token.actions.githubusercontent.com",
clientIds: ["sts.amazonaws.com"],
},
);
this.provider = provider;
}
}#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { GithubActionsProvider } from '../lib/issue-triage-stack';
const devEnv = {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION
};
const app = new cdk.App();
new GithubActionsProvider(app, 'GithubActionsProvider', {
env: devEnv
});cdk.json % npx cdk synth | grep RejectUnauthorized or optionally define in the App context const app = new cdk.App({
context: {
'@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections': true
}
});% npx cdk synth | grep RejectUnauthorized % npx cdk version % grep aws-cdk-lib package.json If you are writing integ tets, you can try specify in App context. |
pahud
added
response-requested
|
Thank you for the suggestion. As you demonstrated, I confirmed that explicitly specifying the context in the test’s I had mistakenly assumed that the flag in Thank you again for your help. |
|
Comments on closed issues and PRs are hard for our team to see. |
Describe the bug
While running snapshot tests, I noticed that starting from CDK v2.177.0, the GithubActionsProvider resource now includes a
RejectUnauthorizedproperty.According to the feature flags documentation for v2.177.0, a new feature flag called
@aws-cdk/aws-iam:oidcRejectUnauthorizedConnectionsshould enable or disable this property.However, even after enabling the flag, the synthesized template still shows
"RejectUnauthorized": false."GithubActionsProvider6504FFAA": { "DeletionPolicy": "Delete", "Properties": { "ClientIDList": [ "sts.amazonaws.com", ], "CodeHash": "62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb", + "RejectUnauthorized": false, "ServiceToken": { "Fn::GetAtt": [ "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0", "Arn", ], }, "Url": "https://token.actions.githubusercontent.com", },My cdk.json includes the following context:
{ // ... "context": { // ... "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true } }Despite setting this flag to true, the resulting CloudFormation template shows "RejectUnauthorized": false.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
When
@aws-cdk/aws-iam:oidcRejectUnauthorizedConnectionsis set to true, I would expect the generated template to set"RejectUnauthorized": true.Current Behavior
The synthesized CloudFormation template retains
"RejectUnauthorized": falseregardless of the feature flag being enabled.Reproduction Steps
Below is my code that creates this resource:
Possible Solution
No response
Additional Information/Context
I ran at my macOS and Github Actions' ubuntu-latest
CDK CLI Version
2.177.0 (build b396961)
Framework Version
"aws-cdk-lib": "2.177.0"
Node.js Version
v22.11.0
OS
macOS 15.1.1
Language
TypeScript
Language Version
5.7.3
Other information
No response
The text was updated successfully, but these errors were encountered: