Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

AssumeRoleWithWebIdentity uses azp instead of aud as audience

0

I have setup an Auth0 OpenID Connect identity provider for AWS Identity and Access Management. The identity provider has the endpoint dev-0lv18ee7j6vvczam.eu.auth0.com/, audience https://sts.amazonaws.com, and ARN arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/ (some dummy values).

I then created an IAM role with the attached policy AmazonS3FullAccess and the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678901:oidc-provider/example.eu.auth0.com/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "example.eu.auth0.com/:aud": "https://sts.amazonaws.com"
        }
      }
    }
  ]
}

As far as I understand, this policy should allow holders of tokens from the configured identity provider to call AssumeRoleWithWebIdentity and then call the S3 API with the returned credentials. My application now tries to call AssumeRoleWithWebIdentity with the following JWT issues by the identity provider (again, some dummy values):

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "<kid>"
}.{
  "iss": "https://example.eu.auth0.com/",
  "sub": "<user-id>",
  "aud": [
    "https://sts.amazonaws.com",
    "https://example.eu.auth0.com/userinfo"
  ],
  "iat": 1678123413,
  "exp": 1678209813,
  "azp": "<client-id>",
  "scope": "openid"
}.[Signature]

However, the following error is returned:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>Incorrect token audience</Message>
  </Error>
  <RequestId>...</RequestId>
</ErrorResponse>

Apparently, the audience in the JWT is incorrect, even though https://sts.amazonaws.com is contained in the JWT and configured in the trust policy and the identity provider. The same error occurs when removing the audience condition from the trust policy.

When changing the audience of the identity provider to the client ID of the application requesting the token, the AssumeRoleWithWebIdentity call works. If adding back the audience check in the trust policy, it only works if checking against the client ID of the application there as well (azp in the token). Why is the aud claim in the token ignored completely? Is there anything I can do about this?

Temas
Seguridad, identidad y cumplimiento
Etiquetas
AWS Identity and Access Management
Idioma
English
Felix
preguntada hace un año309 visualizaciones
1 Respuesta
0

Have observed issue with specifying multiple token audiences.... it gets parsed incorrectly at times.

  "aud": [
    "https://sts.amazonaws.com",
    "https://example.eu.auth0.com/userinfo"
  ],

Test using just the sts.amazonaws.com as the aud and check?

AWS
abeowlu
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante