Given the following JWT Payload:
{
  "iss": "https://use.us.auth0.com/",
  "sub": "auth0|633c9a79c4920862610fa",
  "aud": "some-aud",
  "iat": 1664984891,
  "exp": 1665071291,
  "azp": "kWfeLjcWoT1ToQKmyYZQft7liE",
  "scope": "aws:0123456789012"
}
is a trust policy such as this one not valid? I only want to issue a token if the scope matches.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/user.us.auth0.com/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "johnnorton.us.auth0.com/:aud": "some-aud",
          "johnnorton.us.auth0.com/:scope": "aws:0123456789012"
        }
      }
    }
  ]
}
However, this condition does not seem to be validated. Are all claims available in trust policies?
Does this work without the scope claim (to check syntax) or if you use a different value (to check that aws:0123456789012 isn't being treated special)? https://docs.aws.amazon.com/en_en/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif lists (:aud, :azp, :amr, sub) explicitly, but unclear about other claims.
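An added local check, not code from the question or the comment above: it lints the quoted trust policy against the quoted token payload, reporting for each StringEquals key whether its prefix equals the provider host from the Federated principal, whether the claim is one the linked AWS docs list explicitly (aud, azp, amr, sub; treated here as an assumption about which claims are documented, the script does not query AWS), and whether the token's value would satisfy the condition. It also compares the token's iss to the provider host, since the two are visibly different strings in the question.

```python
import json

# Claims the AWS docs linked in this thread list explicitly as web-identity
# condition keys; any other claim is reported as "not documented" (assumption).
DOCUMENTED_CLAIMS = {"aud", "azp", "amr", "sub"}

# Constructed input: the payload and trust policy quoted in the question.
PAYLOAD = {
    "iss": "https://use.us.auth0.com/",
    "sub": "auth0|633c9a79c4920862610fa",
    "aud": "some-aud",
    "azp": "kWfeLjcWoT1ToQKmyYZQft7liE",
    "scope": "aws:0123456789012",
}
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated":
      "arn:aws:iam::123456789012:oidc-provider/user.us.auth0.com/"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "johnnorton.us.auth0.com/:aud": "some-aud",
      "johnnorton.us.auth0.com/:scope": "aws:0123456789012"}}}]}""")


def provider_host(policy):
    """Host path after 'oidc-provider/' in the Federated principal ARN."""
    arn = policy["Statement"][0]["Principal"]["Federated"]
    return arn.split(":oidc-provider/", 1)[1]


def lint_trust_policy(policy, payload):
    """Check each StringEquals key against the provider host and the token."""
    host = provider_host(policy)
    conds = policy["Statement"][0]["Condition"].get("StringEquals", {})
    report = {"issuer_matches_provider": payload.get("iss") == "https://" + host,
              "keys": {}}
    for key, expected in conds.items():
        prefix, _, claim = key.rpartition(":")   # "<host>/:<claim>"
        report["keys"][key] = {
            "prefix_matches_provider": prefix == host,
            "claim_documented": claim in DOCUMENTED_CLAIMS,
            "payload_value_matches": payload.get(claim) == expected,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(lint_trust_policy(TRUST_POLICY, PAYLOAD), indent=2))
```

Run it against your real policy and a decoded token to separate a hostname or prefix mismatch from a claim that simply is not on the documented list.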