aws · mergify · Nov 1, 2023 · Sep 4, 2023 · Sep 4, 2023 · Sep 4, 2023
diff --git a/packages/@aws-cdk/aws-cloud9-alpha/README.md b/packages/@aws-cdk/aws-cloud9-alpha/README.md
@@ -105,7 +105,16 @@ Every Cloud9 Environment has an **owner**. An owner has full control over the en
 
 By default, the owner will be the identity that creates the Environment, which is most likely your CloudFormation Execution Role when the Environment is created using CloudFormation. Provider a value for the `owner` property to assign a different owner, either a specific IAM User or the AWS Account Root User.
 
-`Owner` is a user that owns a Cloud9 environment . `Owner` has their own access permissions, resources. And we can specify an `Owner`in an Ec2 environment which could be of two types, 1. AccountRoot and 2. Iam User. It allows AWS to determine who has permissions to manage the environment, either an IAM user or the account root user (but using the account root user is not recommended, see [environment sharing best practices](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices)).
+`Owner` is an IAM entity that owns a Cloud9 environment. `Owner` has their own access permissions, and resources. You can specify an `Owner`in an EC2 environment which could be of the following types:
+
+1. Account Root
+2. IAM User
+3. IAM Federated User
+4. IAM Assumed Role
+
+The ARN of the owner must satisfy the following regular expression: `^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):(iam|sts)::\d+:(root|(user\/[\w+=/:,.@-]{1,64}|federated-user\/[\w+=/:,.@-]{2,32}|assumed-role\/[\w+=:,.@-]{1,64}\/[\w+=,.@-]{1,64}))$`
+
+Note: Using the account root user is not recommended, see [environment sharing best practices](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices).
 
 To specify the AWS Account Root User as the environment owner, use `Owner.accountRoot()`
 
@@ -114,13 +123,14 @@ declare const vpc: ec2.Vpc;
 new cloud9.Ec2Environment(this, 'C9Env', {
   vpc,
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
-
   owner: cloud9.Owner.accountRoot('111111111')
 })
 ```
 
 To specify a specific IAM User as the environment owner, use `Owner.user()`. The user should have the `AWSCloud9Administrator` managed policy
 
+The user should have the `AWSCloud9User` (preferred) or `AWSCloud9Administrator` managed policy attached.
+
 ```ts
 import * as iam from 'aws-cdk-lib/aws-iam';
 
@@ -135,9 +145,39 @@ new cloud9.Ec2Environment(this, 'C9Env', {
 })
 ```
 
+To specify a specific IAM Federated User as the environment owner, use `Owner.federatedUser(accountId, userName)`.
+
+The user should have the `AWSCloud9User` (preferred) or `AWSCloud9Administrator` managed policy attached.
+
+```ts
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+  owner: cloud9.Owner.federatedUser(Stack.of(this).account, "Admin/johndoe")
+})
+```
+
+To specify an IAM Assumed Role as the environment owner, use `Owner.assumedRole(accountId: string, roleName: string)`.
+
+The role should have the `AWSCloud9User` (preferred) or `AWSCloud9Administrator` managed policy attached.
+
+```ts
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+declare const vpc: ec2.Vpc;
+new cloud9.Ec2Environment(this, 'C9Env', {
+  vpc,
+  imageId: cloud9.ImageId.AMAZON_LINUX_2,
+  owner: cloud9.Owner.assumedRole(Stack.of(this).account, "Admin/johndoe-role")
+})
+```
+
 ## Auto-Hibernation
 
-A Cloud9 environemnt can automatically start and stop the associated EC2 instance to reduce costs.
+A Cloud9 environment can automatically start and stop the associated EC2 instance to reduce costs.
 
 Use `automaticStop` to specify the number of minutes until the running instance is shut down after the environment was last used.
 

diff --git a/packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts b/packages/@aws-cdk/aws-cloud9-alpha/lib/environment.ts
@@ -257,6 +257,26 @@ export class Owner {
     return { ownerArn: user.userArn };
   }
 
+  /**
+   * Make an IAM assumed role the environment owner
+   *
+   * @param accountId The account id of the target account
+   * @param roleName The name of the assumed role
+   */
+  public static assumedRole(accountId: string, roleName: string): Owner {
+    return { ownerArn: `arn:${cdk.Aws.PARTITION}:sts::${accountId}:assumed-role/${roleName}` };
+  }
+
+  /**
+   * Make an IAM federated user the environment owner
+   *
+   * @param accountId The AccountId of the target account
+   * @param userName The name of the federated user
+   */
+  public static federatedUser(accountId: string, userName: string): Owner {
+    return { ownerArn: `arn:${cdk.Aws.PARTITION}:sts::${accountId}:federated-user/${userName}` };
+  }
+
   /**
    * Make the Account Root User the environment owner (not recommended)
    *

diff --git a/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts b/packages/@aws-cdk/aws-cloud9-alpha/test/cloud9.environment.test.ts
@@ -124,14 +124,43 @@ test('environment owner can be an IAM user', () => {
     imageId: cloud9.ImageId.AMAZON_LINUX_2,
     owner: Owner.user(user),
   });
+
   // THEN
+  const userLogicalId = stack.getLogicalId(user.node.defaultChild as iam.CfnUser);
   Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
     OwnerArn: {
-      'Fn::GetAtt': ['User00B015A1', 'Arn'],
+      'Fn::GetAtt': [userLogicalId, 'Arn'],
     },
   });
 });
 
+test('environment owner can be an IAM Assumed Role', () => {
+  // WHEN
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.assumedRole('123456789098', 'Admin'),
+  });
+  // THEN
+
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':sts::123456789098:assumed-role/Admin']] },
+  });
+});
+
+test('environment owner can be an IAM Federated User', () => {
+  // WHEN
+  new cloud9.Ec2Environment(stack, 'C9Env', {
+    vpc,
+    imageId: cloud9.ImageId.AMAZON_LINUX_2,
+    owner: Owner.federatedUser('123456789098', 'Admin'),
+  });
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Cloud9::EnvironmentEC2', {
+    OwnerArn: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':sts::123456789098:federated-user/Admin']] },
+  });
+});
+
 test('environment owner can be account root', () => {
   // WHEN
   new cloud9.Ec2Environment(stack, 'C9Env', {

diff --git a/...-alpha/test/integ.owner.js.snapshot/OwnerIntegDefaultTestDeployAssertEE359F09.assets.json b/...-alpha/test/integ.owner.js.snapshot/OwnerIntegDefaultTestDeployAssertEE359F09.assets.json
diff --git a/...lpha/test/integ.owner.js.snapshot/OwnerIntegDefaultTestDeployAssertEE359F09.template.json b/...lpha/test/integ.owner.js.snapshot/OwnerIntegDefaultTestDeployAssertEE359F09.template.json
diff --git a/packages/@aws-cdk/aws-cloud9-alpha/test/integ.owner.js.snapshot/cdk.out b/packages/@aws-cdk/aws-cloud9-alpha/test/integ.owner.js.snapshot/cdk.out
diff --git a/...ges/@aws-cdk/aws-cloud9-alpha/test/integ.owner.js.snapshot/cloud9-owner-integ.assets.json b/...ges/@aws-cdk/aws-cloud9-alpha/test/integ.owner.js.snapshot/cloud9-owner-integ.assets.json