From e47646c0ff317a421b2f042158fcc0c7ae1aa2cf Mon Sep 17 00:00:00 2001
From: Naumel <104374999+Naumel@users.noreply.github.com>
Date: Wed, 22 Feb 2023 20:43:45 +0100
Subject: [PATCH] fix: Correct SamlConsolePrincipal for non-China (#24277)
Closes #24243.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-iam/lib/principals.ts | 2 +-
 .../cdk-saml-provider.assets.json | 6 +++---
 .../cdk-saml-provider.template.json | 16 ++--------------
 .../test/integ.saml-provider.js.snapshot/cdk.out | 2 +-
 .../integ.saml-provider.js.snapshot/integ.json | 2 +-
 .../manifest.json | 4 ++--
 ...stDefaultTestDeployAssert29A1AF64.assets.json | 2 +-
 .../integ.saml-provider.js.snapshot/tree.json | 16 ++--------------
 .../@aws-cdk/aws-iam/test/integ.saml-provider.ts | 1 -
 .../@aws-cdk/aws-iam/test/principals.test.ts | 4 +---
 10 files changed, 14 insertions(+), 41 deletions(-)
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
index db6b404cfc6e1..72c7ec400714d 100644
--- a/packages/@aws-cdk/aws-iam/lib/principals.ts
+++ b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -737,7 +737,7 @@ export class SamlConsolePrincipal extends SamlPrincipal {
 super(samlProvider, {
 ...conditions,
 StringEquals: {
- 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': `https://signin.${cdk.Aws.URL_SUFFIX}/saml`,
+ 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml',
 },
 });
 }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
index 44e4011015dfe..80d435eda0cd6 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
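Review bot: The `+` line still selects the audience with `cdk.Aws.PARTITION==='aws-cn'`, but `cdk.Aws.PARTITION` is a deploy-time token (it renders as `{ "Ref": "AWS::Partition" }` in the template), so this synth-time string comparison is never true, the `https://signin.amazonaws.cn/saml` branch is unreachable, and a stack in a `cn-*` region now gets the `aws.amazon.com` audience, which makes `sts:AssumeRoleWithSAML` fail there. Comparing the partition of the provider's stack instead, `cdk.Stack.of(samlProvider).partition === 'aws-cn'`, yields a concrete value whenever the stack has an explicit env (the usual case for China deployments); for env-agnostic stacks it is still a token, so a `CfnCondition` on `AWS::Partition` choosing between the two strings would be the fully general fix. Separately, neither branch covers `aws-us-gov`, whose console sign-in host differs from both, so the hard-coded default should be confirmed for GovCloud. The constructor signature of `SamlConsolePrincipal` lies above the hunk.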
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.assets.json
@@ -1,7 +1,7 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
 "files": {
- "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c": {
+ "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8": {
 "source": {
 "path": "cdk-saml-provider.template.json",
 "packaging": "file"
@@ -9,7 +9,7 @@
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
+ "objectKey": "3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json
index 7ec8d4d2699c0..ed4f4af28415f 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk-saml-provider.template.json
@@ -15,18 +15,7 @@
 "Action": "sts:AssumeRoleWithSAML",
 "Condition": {
 "StringEquals": {
- "SAML:aud": {
- "Fn::Join": [
- "",
- [
- "https://signin.",
- {
- "Ref": "AWS::URLSuffix"
- },
- "/saml"
- ]
- ]
- }
+ "SAML:aud": "https://signin.aws.amazon.com/saml"
 }
 },
 "Effect": "Allow",
@@ -38,8 +27,7 @@
 }
 ],
 "Version": "2012-10-17"
- },
- "Description": "fix the partition issue"
+ }
 }
 }
 },
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out
index ae4b03c54e770..b72fef144f05c 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"30.0.0"}
\ No newline at end of file
+{"version":"30.1.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json
index dccacdf14329b..f32815f8dd836 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
 "testCases": {
 "saml-provider-test/DefaultTest": {
 "stacks": [
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json
index 4e8a9d11b6371..222a89e020c12 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
 "artifacts": {
 "cdk-saml-provider.assets": {
 "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/adc0eedec883653ef9cbd8c66ae68791bf952df8f678cf586e78e02997e2674c.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b60cda5eb73f658ff1ab1a242bd0e399cc5307d4d6493cea0171e543c6f1cc8.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json
index ce9c5f512bafd..4c340e118f1d5 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/samlprovidertestDefaultTestDeployAssert29A1AF64.assets.json
@@ -1,5 +1,5 @@
 {
- "version": "30.0.0",
+ "version": "30.1.0",
 "files": {
 "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
 "source": {
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json
index e6fcd91ade7c9..da6df90bfebae 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.js.snapshot/tree.json
@@ -56,18 +56,7 @@
 "Action": "sts:AssumeRoleWithSAML",
 "Condition": {
 "StringEquals": {
- "SAML:aud": {
- "Fn::Join": [
- "",
- [
- "https://signin.",
- {
- "Ref": "AWS::URLSuffix"
- },
- "/saml"
- ]
- ]
- }
+ "SAML:aud": "https://signin.aws.amazon.com/saml"
 }
 },
 "Effect": "Allow",
@@ -79,8 +68,7 @@
 }
 ],
 "Version": "2012-10-17"
- },
- "description": "fix the partition issue"
+ }
 }
 },
 "constructInfo": {
diff --git a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
index efaadeffe9e1f..2866e4d3e8e09 100644
--- a/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
+++ b/packages/@aws-cdk/aws-iam/test/integ.saml-provider.ts
@@ -14,7 +14,6 @@ class TestStack extends Stack {
 
 new iam.Role(this, 'Role', {
 assumedBy: new iam.SamlConsolePrincipal(provider),
- description: 'fix the partition issue',
 });
 }
 }
diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
index 5114a55bf16ac..80e9efe10d5fb 100644
--- a/packages/@aws-cdk/aws-iam/test/principals.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -166,9 +166,7 @@ test('SAML principal', () => {
 Action: 'sts:AssumeRoleWithSAML',
 Condition: {
 StringEquals: {
- 'SAML:aud': {
- 'Fn::Join': ['', ['https://signin.', { Ref: 'AWS::URLSuffix' }, '/saml']],
- },
+ 'SAML:aud': 'https://signin.aws.amazon.com/saml',
 },
 },
 Effect: 'Allow',
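Review bot: The updated assertion pins only the non-China audience; nothing in the test file checks that a stack in the `aws-cn` partition produces `'SAML:aud': 'https://signin.amazonaws.cn/saml'`, so the partition branch in `SamlConsolePrincipal` remains unverified and a regression there would not be caught. A second `test(...)` that builds the role in a stack created with an explicit China env, e.g. `env: { region: 'cn-north-1' }`, and asserts that audience would cover both branches of the conditional. The enclosing `test('SAML principal', …)` starts before and ends after the hunk.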