-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
iam: SamlConsolePrincipal does not work for GovCloud or ADC regions #25723
Comments
I think this should be a similar fix to the PR on the related issue. We're happy to accept a contribution for this 🙂 |
I would like to work on this. |
Please feel free @virajmavani! |
…ISO regions (#28704) This PR addresses the issue where the SAML federation principal is hardcoded with URLs specific to standard AWS and China partitions, causing failures in GovCloud, Iso, and Iso-b partitions. The provided solution dynamically sets the SAML sign-on URL based on the partition. ```diff - 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml', + 'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml', ``` ```ts export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = { [Partition.Default]: 'https://signin.aws.amazon.com/saml', [Partition.Cn]: 'https://signin.amazonaws.cn/saml', [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml', [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml', [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml', }; ``` Closes #25723. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…ISO regions (aws#28704) This PR addresses the issue where the SAML federation principal is hardcoded with URLs specific to standard AWS and China partitions, causing failures in GovCloud, Iso, and Iso-b partitions. The provided solution dynamically sets the SAML sign-on URL based on the partition. ```diff - 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml', + 'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml', ``` ```ts export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = { [Partition.Default]: 'https://signin.aws.amazon.com/saml', [Partition.Cn]: 'https://signin.amazonaws.cn/saml', [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml', [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml', [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml', }; ``` Closes aws#25723. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ISO regions (#28704) This PR addresses the issue where the SAML federation principal is hardcoded with URLs specific to standard AWS and China partitions, causing failures in GovCloud, Iso, and Iso-b partitions. The provided solution dynamically sets the SAML sign-on URL based on the partition. ```diff - 'SAML:aud': cdk.Aws.PARTITION==='aws-cn'? 'https://signin.amazonaws.cn/saml': 'https://signin.aws.amazon.com/saml', + 'SAML:aud': RegionInfo.get(samlProvider.stack.region).samlSignOnUrl ?? 'https://signin.aws.amazon.com/saml', ``` ```ts export const PARTITION_SAML_SIGN_ON_URL: Record<Partition, string> = { [Partition.Default]: 'https://signin.aws.amazon.com/saml', [Partition.Cn]: 'https://signin.amazonaws.cn/saml', [Partition.UsGov]: 'https://signin.amazonaws-us-gov.com/saml', [Partition.UsIso]: 'https://signin.c2shome.ic.gov/saml', [Partition.UsIsoB]: 'https://signin.sc2shome.sgov.gov/saml', }; ``` Closes #25723. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
While creating the SAML federation principal as below, the SAML attribute is hardcoded with
https://signin.aws.amazon.com/saml
orhttps://signin.amazonaws.cn/saml
, which breaks in GovCloud, Iso and Iso-b partitions.Expected Behavior
The construct SamlConsolePrincipal should check partition and supply the right URL.
Current Behavior
Only works in aws or aws-cn partition rest of the partition has to be changed.
Reproduction Steps
Use partition as
aws-us-gov
and the signon URL ishttps://signin.aws.amazon.com/saml
Possible Solution
Make a map from partition and push it in
or add saml signonUrl in fact-table and source it in
SamlConsolePrincipal
Additional Information/Context
No response
CDK CLI Version
2.79.1
Framework Version
No response
Node.js Version
16
OS
macOS 12.6.5
Language
Typescript
Language Version
No response
Other information
Related issue: #22091
The text was updated successfully, but these errors were encountered: