fix: Correct SamlConsolePrincipal for non-China (#24277)

Closes #24243. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 22, 2023 · e47646c · e47646c
1 parent 0b822b3
commit e47646c
Show file tree

Hide file tree

Showing 10 changed files with 14 additions and 41 deletions.
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -737,7 +737,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
  super(samlProvider, {
  ...conditions,
  StringEquals: {
- 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
+ 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
  },
  });
  }

diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
@@ -1,15 +1,15 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
  "files": {
- "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {
+ "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {
  "source": {
  "path": "cdk-saml-provider.template.json",
  "packaging": "file"
  },
  "destinations": {
  "current_account-current_region": {
  "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
+ "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
  }
  }

diff --git a/...ges/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json b/...ges/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json
@@ -15,18 +15,7 @@
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {
  "StringEquals": {
- "SAML:aud": {
- "Fn::Join": [
- "",
- [
- "https://signin.",
- {
- "Ref": "AWS::URLSuffix"
- },
- "/saml"
- ]
- ]
- }
+ "SAML:aud": "https://signin.aws.amazon.com/saml"
  }
  },
  "Effect": "Allow",
@@ -38,8 +27,7 @@
  }
  ],
  "Version": "2012-10-17"
- },
- "Description": "fix the partition issue"
+ }
  }
  }
  },

diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"30.0.0"}
+{"version":"30.1.0"}
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
  "testCases": {
  "saml-provider-test/DefaultTest": {
  "stacks": [

diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
  "artifacts": {
  "cdk-saml-provider.assets": {
  "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
  "validateOnSynth": false,
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
  "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
  "requiresBootstrapStackVersion": 6,
  "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
  "additionalDependencies": [

diff --git a/...teg.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json b/...teg.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json
@@ -1,5 +1,5 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
  "files": {
  "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
  "source": {

diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json
@@ -56,18 +56,7 @@
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {
  "StringEquals": {
- "SAML:aud": {
- "Fn::Join": [
- "",
- [
- "https://signin.",
- {
- "Ref": "AWS::URLSuffix"
- },
- "/saml"
- ]
- ]
- }
+ "SAML:aud": "https://signin.aws.amazon.com/saml"
  }
  },
  "Effect": "Allow",
@@ -79,8 +68,7 @@
  }
  ],
  "Version": "2012-10-17"
- },
- "description": "fix the partition issue"
+ }
  }
  },
  "constructInfo": {

diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
@@ -14,7 +14,6 @@ class TestStack extends Stack {
 
  new iam.Role(this, 'Role', {
  assumedBy: new iam.SamlConsolePrincipal(provider),
- description: 'fix the partition issue',
  });
  }
 }

diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -166,9 +166,7 @@ test('SAML principal', () => {
  Action: 'sts:AssumeRoleWithSAML',
  Condition: {
  StringEquals: {
- 'SAML:aud': {
- 'Fn::Join': ['', ['https://signin.', { Ref: 'AWS::URLSuffix' }, '/saml']],
- },
+ 'SAML:aud': 'https://signin.aws.amazon.com/saml',
  },
  },
  Effect: 'Allow',