
IAM: ArnPrincipal withSessionTags depends on order. #28426

@kaiz-io

Description


Describe the bug

Order matters if you are using withConditions and withSessionTags on an ArnPrincipal.

withConditions will always work, but it appears withSessionTags has to go last.

Expected Behavior

That it would not matter in which order you call the methods; both modifications would occur.

Current Behavior

If you use withSessionTags and then withConditions, there is no sts:SessionTag.
If you use withConditions and then withSessionTags, there is an sts:SessionTag.

Reproduction Steps

```ts
import * as cdk from 'aws-cdk-lib';
import { ArnPrincipal } from 'aws-cdk-lib/aws-iam';

// ARN of the role that will assume the role being defined.
const callerRoleArn = cdk.Arn.format({
  service: 'iam',
  account: '123456789012',
  resource: 'role',
  resourceName: 'roletoassume',
  region: '',
  partition: 'aws',
});

// Works, as withSessionTags comes after withConditions.
const working = new ArnPrincipal(callerRoleArn)
  .withConditions({
    StringEquals: {
      'aws:PrincipalTag/Tag1': 'value1',
      'aws:PrincipalTag/Tag2': 'value2',
    },
  })
  .withSessionTags();

// Does not work (there is no sts:SessionTags in the resulting policy), as withSessionTags comes before withConditions.
const broken = new ArnPrincipal(callerRoleArn)
  .withSessionTags()
  .withConditions({
    StringEquals: {
      'aws:PrincipalTag/Tag1': 'value1',
      'aws:PrincipalTag/Tag2': 'value2',
    },
  });
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.115.0

Framework Version

No response

Node.js Version

18.17.1

OS

Ubuntu 22.04 - Linux

Language

TypeScript

Language Version

No response

Other information

No response
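A check a practitioner can run against `cdk synth` output to catch this class of mistake, as an added example that is not code from the issue or from the CDK project: it reads a CloudFormation template object and lists every AWS::IAM::Role whose trust policy lets a principal call sts:AssumeRole without also granting that principal sts:TagSession, the action a caller needs in order to pass session tags when assuming the role. The template below is hand-constructed for illustration (not real synth output), and the role logical IDs and helper functions (`principalsMissingTagSession`, `rolesMissingTagSession`) are the example's own names. To run it against a real stack, replace `SAMPLE_TEMPLATE` with the parsed contents of `cdk.out/<stack>.template.json`.

```typescript
// Added example, not CDK code: lint a synthesized CloudFormation template for IAM roles whose
// trust policy allows sts:AssumeRole for a principal but never grants that principal sts:TagSession.

type StringOrList = string | string[];

interface TrustStatement {
  Effect: 'Allow' | 'Deny';
  Action: StringOrList;
  Principal?: { AWS?: StringOrList; Service?: StringOrList; Federated?: StringOrList } | '*';
  Condition?: Record<string, Record<string, StringOrList>>;
}

interface TrustPolicy { Version?: string; Statement: TrustStatement[] }

interface CfnTemplate {
  Resources: Record<string, { Type: string; Properties?: { AssumeRolePolicyDocument?: TrustPolicy } }>;
}

// CloudFormation allows a single string or a list in most of these positions; normalise to a list.
const asList = (v: StringOrList | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

/** Principals named by a statement's Principal element (AWS, Service or Federated); '*' for the wildcard form. */
function principalsOf(stmt: TrustStatement): string[] {
  if (stmt.Principal === undefined) return [];
  if (stmt.Principal === '*') return ['*'];
  const p = stmt.Principal;
  return [...asList(p.AWS), ...asList(p.Service), ...asList(p.Federated)];
}

/** True when the action list covers the wanted sts action, either exactly or through a wildcard. */
function grants(actions: string[], wanted: string): boolean {
  return actions.some(a => a === wanted || a === '*' || a === 'sts:*');
}

/**
 * Principals that may call sts:AssumeRole under this trust policy but are never granted sts:TagSession.
 * Deny statements are skipped on purpose: the check looks for a missing grant, not an explicit block.
 */
export function principalsMissingTagSession(doc: TrustPolicy): string[] {
  const canAssume = new Set<string>();
  const canTag = new Set<string>();
  for (const stmt of doc.Statement) {
    if (stmt.Effect !== 'Allow') continue;
    const actions = asList(stmt.Action);
    for (const p of principalsOf(stmt)) {
      if (grants(actions, 'sts:AssumeRole')) canAssume.add(p);
      if (grants(actions, 'sts:TagSession')) canTag.add(p);
    }
  }
  return [...canAssume].filter(p => !canTag.has(p)).sort();
}

/** Logical IDs of AWS::IAM::Role resources whose trust policy fails the check, sorted for stable output. */
export function rolesMissingTagSession(template: CfnTemplate): string[] {
  return Object.entries(template.Resources)
    .filter(([, r]) => r.Type === 'AWS::IAM::Role' && r.Properties?.AssumeRolePolicyDocument !== undefined)
    .filter(([, r]) => principalsMissingTagSession(r.Properties!.AssumeRolePolicyDocument!).length > 0)
    .map(([id]) => id)
    .sort();
}

// Constructed sample template (hand-written for this example, not real `cdk synth` output).
const CALLER = 'arn:aws:iam::123456789012:role/roletoassume';
const TAG_CONDITION = {
  StringEquals: { 'aws:PrincipalTag/Tag1': 'value1', 'aws:PrincipalTag/Tag2': 'value2' },
};

export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    // Trust policy that grants both actions: the caller can assume the role and pass session tags.
    RoleWithTagSession: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{
            Effect: 'Allow',
            Action: ['sts:AssumeRole', 'sts:TagSession'],
            Principal: { AWS: CALLER },
            Condition: TAG_CONDITION,
          }],
        },
      },
    },
    // Trust policy with the same conditions but only sts:AssumeRole: session tags cannot be passed.
    RoleWithoutTagSession: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { AWS: CALLER }, Condition: TAG_CONDITION }],
        },
      },
    },
    // Non-role resources are ignored by the lint.
    Unrelated: { Type: 'AWS::S3::Bucket' },
  },
};

console.log(rolesMissingTagSession(SAMPLE_TEMPLATE)); // prints [ 'RoleWithoutTagSession' ]
```

The lint deliberately keys on the principal rather than on the statement, because CDK may emit sts:AssumeRole and sts:TagSession in one statement or in two; either layout passes as long as the same principal ends up with both grants.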

Labels

@aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p2