Skip to main content

aws_iam_saml_providers Resource

Use the aws_iam_saml_providers InSpec audit resource to test properties of some or all AWS IAM SAML Providers.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_iam_saml_providers resource block returns all IAM SAML Providers and allows the testing of that group of Providers.

describe aws_iam_saml_providers do
  it { should exist }
end

Parameters

saml_provider_arn (required)

This resource accepts a single parameter, the ARN of the SAML Provider. This can be passed either as a string or as a saml_provider_arn: 'value' key-value entry in a hash.

Properties

provider_arns
The ARNs of the returned providers.
valid_untils
The expiration date and time for the SAML provider.
entries
Provides access to the raw results of the query, which can be treated as an array of hashes.

Examples

Ensure we have at least one provider currently valid.

describe.one do
  aws_iam_saml_providers.provider_arns.each do |provider_arn|
    describe aws_iam_saml_provider(provider_arn) do
      it { should exist }
      its('arn') { should match("arn:aws:iam::.*:saml-provider\/FANCY") }
      its('valid_until') { should be > Time.now + 90 * 86400 }
    end
  end
end

Ensure we have one and only one SAML provider.

describe aws_iam_saml_providers do
  its('entries.count') { should cmp 1 }
end

Ensure we have at least one provider that matches.

describe aws_iam_saml_providers.where{ arn =~ /arn:aws:iam::.*:saml-provider\/FANCY/ } do
  it { should exist }
end

Matchers

For a full list of available matchers, visit the InSpec matchers page.

exist

The exists matcher tests if the filtered IAM SAML Provider(s) exists.

describe aws_iam_saml_providers.where( <property>: <param>) do
  it { should exist }
end

You may also use it { should_not exist }.

AWS Permissions

Your Principal will need the following permissions set to Allow: IAM:Client:ListSAMLProvidersResponse IAM:Client:etSAMLProviderResponse

Edit this page on GitHub

Thank you for your feedback!

×