From d79b58ca46650f84128a3323885c9ccc0dae9293 Mon Sep 17 00:00:00 2001
From: Chinedum Echeta <60179183+cecheta@users.noreply.github.com>
Date: Thu, 9 Jun 2022 22:16:37 +0200
Subject: [PATCH] fix(iam): conditions in FederatedPrincipal should be optional (#20621)

Fixes https://github.com/aws/aws-cdk/issues/11139 This PR makes conditions in `FederatedPrincipal` optional. ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-iam/lib/principals.ts | 11 ++++++++---
 packages/@aws-cdk/aws-iam/test/principals.test.ts | 13 +++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
index 3f7c1792f30c5..27ece9e4d59f5 100644
--- a/packages/@aws-cdk/aws-iam/lib/principals.ts
+++ b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -604,19 +604,24 @@ export class CanonicalUserPrincipal extends PrincipalBase {
 export class FederatedPrincipal extends PrincipalBase {
 public readonly assumeRoleAction: string;
 
+ /**
+ * The conditions under which the policy is in effect.
+ * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
+ */
+ public readonly conditions: Conditions;
+
 /**
 *
 * @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
- * @param conditions The conditions under which the policy is in effect.
- * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
 * @param sessionTags Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
 */
 constructor(
 public readonly federated: string,
- public readonly conditions: Conditions,
+ conditions: Conditions = {},
 assumeRoleAction: string = 'sts:AssumeRole') {
 super();
+ this.conditions = conditions;
 this.assumeRoleAction = assumeRoleAction;
 }
 
diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
index 2a1f74e2c5056..e3b1078d2a933 100644
--- a/packages/@aws-cdk/aws-iam/test/principals.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -103,6 +103,19 @@ test('can have multiple principals the same conditions in the same statement', (
 }));
 });
 
+test('use federated principal', () => {
+ // GIVEN
+ const stack = new Stack();
+
+ // WHEN
+ const principal = new iam.FederatedPrincipal('federated');
+
+ // THEN
+ expect(stack.resolve(principal.federated)).toStrictEqual('federated');
+ expect(stack.resolve(principal.assumeRoleAction)).toStrictEqual('sts:AssumeRole');
+ expect(stack.resolve(principal.conditions)).toStrictEqual({});
+});
+
 test('use Web Identity principal', () => {
 // GIVEN
 const stack = new Stack();
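Review bot: With `conditions: Conditions = {}` a FederatedPrincipal now produces a trust statement with no Condition block at all, and for a provider such as 'cognito-identity.amazonaws.com' that means any identity the provider vouches for can assume the role; the new docblock on the `conditions` property does not say so, and callers relying on the default will not realise the trust is unscoped. I would extend that docblock with ` * When omitted, the trust is limited only by the identity provider itself; pass an audience- or subject-scoped condition to restrict which federated identities may assume the role.` The constructor docblock this hunk rewrites still documents `@param sessionTags`, which is not a parameter of this constructor, while the actual third parameter is undocumented; replace that line with ` * @param assumeRoleAction the action used when the role is assumed (defaults to 'sts:AssumeRole')`. The class body continues outside the hunk.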
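Review bot: The new 'use federated principal' test covers only the defaulted path, so nothing in the suite shows that an explicitly passed conditions object is still stored now that `conditions` is no longer a parameter property. A second case that constructs the principal with a concrete conditions object, for example `new iam.FederatedPrincipal('federated', { StringEquals: { 'some:key': 'value' } })`, and asserts `stack.resolve(principal.conditions)` equals that object would pin the behaviour the refactor is meant to preserve (the key used there is a constructed sample, not a real condition key).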