iam: SAML principal AssumeRoleAction is hardcoded

[justin8]

Describe the bug

Currently when defining an assume role policy on a role the action is hardcoded to sts:AssumeRoleWithSAML' [here](https://github.com/aws/aws-cdk/blob/v2.132.0/packages/aws-cdk-lib/aws-iam/lib/principals.ts#L746). However for some use cases, such as Quicksight's own SAML integration, you also need sts:TagSession` in order to use the email sync feature.

Expected Behavior

You should be able to modify the assume role action and just have a default, not a hardcoded action.

Current Behavior

It's hardcoded and requires the use of escape hatches such as:

    const cfnFederationRole = federationRole.node.defaultChild as iam.CfnRole;
    cfnFederationRole.addOverride('Properties.AssumeRolePolicyDocument.Statement.0.Action', [
      'stsAssumeRoleWithSAML',
      'sts:TagSession',
    ]);

Reproduction Steps

    const federationRolePrincipal = new iam.SamlPrincipal(samlProvider, {
      StringEquals: { 'SAML:aud': 'https://signin.aws.amazon.com/saml' },
    });

    const federationRole = new iam.Role(this, 'QuicksightFederationRole', {
      roleName: 'QuicksightFederationRole',
      assumedBy: federationRolePrincipal,
    });

    const cfnFederationRole = federationRole.node.defaultChild as iam.CfnRole;
    cfnFederationRole.addOverride('Properties.AssumeRolePolicyDocument.Statement.0.Action', [
      'stsAssumeRoleWithSAML',
      'sts:TagSession',
    ]);

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.126.0

Framework Version

No response

Node.js Version

18

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

However for some use cases, such as Quicksight's own SAML integration, you also need sts:TagSession` in order to use the email sync feature.

Do you have any public document link about this?

We probably need to update here

aws-cdk/packages/aws-cdk-lib/aws-iam/lib/principals.ts

Lines 741 to 752 in 0c73143

	/**
	* Principal entity that represents a SAML federated identity provider
	*/
	export class SamlPrincipal extends FederatedPrincipal {
	constructor(samlProvider: ISamlProvider, conditions: Conditions) {
	super(samlProvider.samlProviderArn, conditions, 'sts:AssumeRoleWithSAML');
	}
	public toString() {
	return `SamlPrincipal(${this.federated})`;
	}
	}

[justin8]

There is an example in the docs here for implementing ABAC using tags and SAML IdP integration: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html

For Quicksight, it has it in their docs to add sts:TagSession permissions to the SAML integration role as well: https://docs.aws.amazon.com/quicksight/latest/user/jit-email-syncing.html

[msambol]

I'll take this.

[msambol]

@justin8 I think you should be able to use federationRolePrincipal.addToAssumeRolePolicy.....

EDIT: ignore this..not right.

[justin8]

I did the same thing :) I tried that thinking it sounded correct, then ended up reading through the code to see that it wouldn't work

[msambol]

Try adding withSessionTags():

    const federationRolePrincipal = new iam.SamlPrincipal(samlProvider, {
      StringEquals: { 'SAML:aud': 'https://signin.aws.amazon.com/saml' },
    }).withSessionTags();

[justin8]

Ah! Thank you, you're right that does fix the issue, I must've missed that function.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.