I have setup an Auth0 OpenID Connect identity provider for AWS Identity and Access Management. The identity provider has the endpoint dev-0lv18ee7j6vvczam.eu.auth0.com/
, audience https://sts.amazonaws.com
, and ARN arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/
(some dummy values).
I then created an IAM role with the attached policy AmazonS3FullAccess
and the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"ForAnyValue:StringEquals": {
"example.eu.auth0.com/:aud": "https://sts.amazonaws.com"
}
}
}
]
}
As far as I understand, this policy should allow holders of tokens from the configured identity provider to call AssumeRoleWithWebIdentity
and then call the S3 API with the returned credentials. My application now tries to call AssumeRoleWithWebIdentity
with the following JWT issues by the identity provider (again, some dummy values):
{
"alg": "RS256",
"typ": "JWT",
"kid": "<kid>"
}.{
"iss": "https://example.eu.auth0.com/",
"sub": "<user-id>",
"aud": [
"https://sts.amazonaws.com",
"https://example.eu.auth0.com/userinfo"
],
"iat": 1678123413,
"exp": 1678209813,
"azp": "<client-id>",
"scope": "openid"
}.[Signature]
However, the following error is returned:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidIdentityToken</Code>
<Message>Incorrect token audience</Message>
</Error>
<RequestId>...</RequestId>
</ErrorResponse>
Apparently, the audience in the JWT is incorrect, even though https://sts.amazonaws.com
is contained in the JWT and configured in the trust policy and the identity provider. The same error occurs when removing the audience condition from the trust policy.
When changing the audience of the identity provider to the client ID of the application requesting the token, the AssumeRoleWithWebIdentity
call works. If adding back the audience check in the trust policy, it only works if checking against the client ID of the application there as well (azp
in the token). Why is the aud
claim in the token ignored completely? Is there anything I can do about this?