fix(iam): SamlConsolePrincipal does not work in China #22091 (#24034)

zorrofox · web-flow · commit 29020435aeb1 · 2023-02-10T05:43:31.000Z
Support SamlConsolePrincipal for China and GOV partitions. Closes #22091. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -736,7 +736,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
     super(samlProvider, {
       ...conditions,
       StringEquals: {
-        'SAML:aud': 'https://signin.aws.amazon.com/saml',
+        'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
       },
     });
   }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "29.0.0",
   "files": {
-    "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {
+    "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {
       "source": {
         "path": "cdk-saml-provider.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
+          "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json
@@ -15,7 +15,18 @@
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
         "StringEquals": {
-         "SAML:aud": "https://signin.aws.amazon.com/saml"
+         "SAML:aud": {
+          "Fn::Join": [
+           "",
+           [
+            "https://signin.",
+            {
+             "Ref": "AWS::URLSuffix"
+            },
+            "/saml"
+           ]
+          ]
+         }
         }
        },
        "Effect": "Allow",
@@ -27,7 +38,8 @@
       }
      ],
      "Version": "2012-10-17"
-    }
+    },
+    "Description": "fix the partition issue"
    }
   }
  },
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"29.0.0"}
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "29.0.0",
   "testCases": {
     "integ.saml-provider": {
       "stacks": [
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "29.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "cdk-saml-provider.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -65,6 +59,12 @@
         ]
       },
       "displayName": "cdk-saml-provider"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json
@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "cdk-saml-provider": {
         "id": "cdk-saml-provider",
         "path": "cdk-saml-provider",
@@ -44,6 +36,14 @@
             "id": "Role",
             "path": "cdk-saml-provider/Role",
             "children": {
+              "ImportRole": {
+                "id": "ImportRole",
+                "path": "cdk-saml-provider/Role/ImportRole",
+                "constructInfo": {
+                  "fqn": "@aws-cdk/core.Resource",
+                  "version": "0.0.0"
+                }
+              },
               "Resource": {
                 "id": "Resource",
                 "path": "cdk-saml-provider/Role/Resource",
@@ -56,7 +56,18 @@
                           "Action": "sts:AssumeRoleWithSAML",
                           "Condition": {
                             "StringEquals": {
-                              "SAML:aud": "https://signin.aws.amazon.com/saml"
+                              "SAML:aud": {
+                                "Fn::Join": [
+                                  "",
+                                  [
+                                    "https://signin.",
+                                    {
+                                      "Ref": "AWS::URLSuffix"
+                                    },
+                                    "/saml"
+                                  ]
+                                ]
+                              }
                             }
                           },
                           "Effect": "Allow",
@@ -68,7 +79,8 @@
                         }
                       ],
                       "Version": "2012-10-17"
-                    }
+                    },
+                    "description": "fix the partition issue"
                   }
                 },
                 "constructInfo": {
@@ -81,17 +93,41 @@
               "fqn": "@aws-cdk/aws-iam.Role",
               "version": "0.0.0"
             }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "cdk-saml-provider/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "cdk-saml-provider/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
+            }
           }
         },
+        "constructInfo": {
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
+        }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.237"
         }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
@@ -13,6 +13,7 @@ class TestStack extends Stack {
 
     new iam.Role(this, 'Role', {
       assumedBy: new iam.SamlConsolePrincipal(provider),
+      description: 'fix the partition issue',
     });
   }
 }
diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -166,7 +166,9 @@ test('SAML principal', () => {
           Action: 'sts:AssumeRoleWithSAML',
           Condition: {
             StringEquals: {
-              'SAML:aud': 'https://signin.aws.amazon.com/saml',
+              'SAML:aud': {
+                'Fn::Join': ['', ['https://signin.', { Ref: 'AWS::URLSuffix' }, '/saml']],
+              },
             },
           },
           Effect: 'Allow',

Original file line number	Diff line number	Diff line change
`@@ -736,7 +736,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {`
`736`	`736`	`super(samlProvider, {`
`737`	`737`	`...conditions,`
`738`	`738`	`StringEquals: {`
`739`		`- 'SAML:aud': 'https://signin.aws.amazon.com/saml',`
	`739`	+ 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
`740`	`740`	`},`
`741`	`741`	`});`
`742`	`742`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,15 @@`
`1`	`1`	`{`
`2`		`- "version": "20.0.0",`
	`2`	`+ "version": "29.0.0",`
`3`	`3`	`"files": {`
`4`		`- "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {`
	`4`	`+ "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {`
`5`	`5`	`"source": {`
`6`	`6`	`"path": "cdk-saml-provider.template.json",`
`7`	`7`	`"packaging": "file"`
`8`	`8`	`},`
`9`	`9`	`"destinations": {`
`10`	`10`	`"current_account-current_region": {`
`11`	`11`	`"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",`
`12`		`- "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",`
	`12`	`+ "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",`
`13`	`13`	`"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"`
`14`	`14`	`}`
`15`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"version":"20.0.0"}`
	`1`	`+{"version":"29.0.0"}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "version": "20.0.0",`
	`2`	`+ "version": "29.0.0",`
`3`	`3`	`"testCases": {`
`4`	`4`	`"integ.saml-provider": {`
`5`	`5`	`"stacks": [`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ class TestStack extends Stack {`
`13`	`13`
`14`	`14`	`new iam.Role(this, 'Role', {`
`15`	`15`	`assumedBy: new iam.SamlConsolePrincipal(provider),`
	`16`	`+ description: 'fix the partition issue',`
`16`	`17`	`});`
`17`	`18`	`}`
`18`	`19`	`}`