Describe the bug
While creating the SAML federation principal as below, the SAML attribute is hardcoded with https://signin.aws.amazon.com/saml or https://signin.amazonaws.cn/saml, which breaks in the GovCloud, Iso and Iso-b partitions.
Expected Behavior
The construct SamlConsolePrincipal should check partition and supply the right URL.
Current Behavior
Only works in the aws or aws-cn partition; for the rest of the partitions it has to be changed.
Reproduction Steps
Use the aws-us-gov partition and the sign-on URL is https://signin.aws.amazon.com/saml
Possible Solution
Make a map from partition and push it in
```typescript
// Assumed imports (not shown in the original snippet): cdk from aws-cdk-lib,
// SamlPrincipal / ISamlProvider / Conditions from the same IAM module this class lives in.
import * as cdk from 'aws-cdk-lib';

// Choose the console SAML sign-on URL by partition instead of hardcoding it
let samlSignOnUrl: string;
const partition = cdk.Aws.PARTITION;
if (partition === 'aws-cn') {
  samlSignOnUrl = 'https://signin.amazonaws.cn/saml';
} else if (partition === 'aws-us-gov') {
  samlSignOnUrl = 'https://signin.amazonaws-us-gov.com/saml';
} else if (partition === 'aws-iso-b') {
  samlSignOnUrl = 'https://signin.sc2shome.sgov.gov/saml';
} else if (partition === 'aws-iso') {
  samlSignOnUrl = 'https://signin.c2shome.ic.gov/saml';
} else {
  samlSignOnUrl = 'https://signin.aws.amazon.com/saml';
}

export class SamlConsolePrincipal extends SamlPrincipal {
  constructor(samlProvider: ISamlProvider, conditions: Conditions = {}) {
    super(samlProvider, {
      ...conditions,
      StringEquals: {
        'SAML:aud': samlSignOnUrl,
      },
    });
  }
  // ...
}
```
or add saml signonUrl in fact-table and source it in SamlConsolePrincipal
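As an added illustration (not code from aws-cdk), the following maps a concrete partition string to the sign-on URLs listed in this issue, fails closed on an unknown partition instead of defaulting to the commercial URL, and audits a role trust policy for a `SAML:aud` that does not match the partition. The sample trust policy and the function names are constructed for this example; the partition value is assumed to be a plain string known at synth time, since a deploy-time token such as `cdk.Aws.PARTITION` never compares equal to a string literal.

```typescript
// Added example, not code from aws-cdk: pick the console SAML sign-on URL
// from a concrete partition string (the URLs listed in the issue above) and
// audit a role trust policy for a 'SAML:aud' that does not match it.
const SAML_SIGN_ON_URLS: Record<string, string> = {
  'aws': 'https://signin.aws.amazon.com/saml',
  'aws-cn': 'https://signin.amazonaws.cn/saml',
  'aws-us-gov': 'https://signin.amazonaws-us-gov.com/saml',
  'aws-iso': 'https://signin.c2shome.ic.gov/saml',
  'aws-iso-b': 'https://signin.sc2shome.sgov.gov/saml',
};

// partition must be a plain string known at synth time; a deploy-time token
// such as Aws.PARTITION would never compare equal to any key above.
function samlSignOnUrl(partition: string): string {
  const url: string | undefined = SAML_SIGN_ON_URLS[partition];
  // Fail closed: silently falling back to the commercial URL is the bug above.
  if (url === undefined) throw new Error(`unknown partition '${partition}'`);
  return url;
}

interface PolicyStatement {
  Effect: string;
  Action?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

// Returns every 'SAML:aud' value in sts:AssumeRoleWithSAML statements that
// differs from the sign-on URL of the given partition (empty = consistent).
function findMismatchedSamlAud(policy: { Statement: PolicyStatement[] },
                               partition: string): string[] {
  const expected = samlSignOnUrl(partition);
  const bad: string[] = [];
  for (const st of policy.Statement) {
    const actions = ([] as string[]).concat(st.Action ?? []);
    if (!actions.includes('sts:AssumeRoleWithSAML')) continue;
    const aud = st.Condition?.StringEquals?.['SAML:aud'] ?? [];
    for (const v of ([] as string[]).concat(aud)) {
      if (v !== expected) bad.push(v);
    }
  }
  return bad;
}

// Constructed sample: a GovCloud trust policy synthesized with the hardcoded
// commercial URL, i.e. the situation the issue reports.
const sampleTrustPolicy: { Statement: PolicyStatement[] } = {
  Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRoleWithSAML',
    Condition: { StringEquals: { 'SAML:aud': 'https://signin.aws.amazon.com/saml' } } }],
};
```

Running `findMismatchedSamlAud` over synthesized templates is a cheap way to catch this class of mismatch before deployment, since a wrong audience makes the federated sign-in fail only at assume-role time.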
Additional Information/Context
No response
CDK CLI Version
2.79.1
Framework Version
No response
Node.js Version
16
OS
macOS 12.6.5
Language
Typescript
Language Version
No response
Other information
Related issue: #22091