ODIC Custom Claim using sts:AssumeRoleWithWebIdentity condition

Given the following JWT Payload:

{
  "iss": "https://use.us.auth0.com/",
  "sub": "auth0|633c9a79c4920862610fa",
  "aud": "some-aud",
  "iat": 1664984891,
  "exp": 1665071291,
  "azp": "kWfeLjcWoT1ToQKmyYZQft7liE",
  "scope": "aws:0123456789012"
}

is a trust policy such as this one not valid? I only want to issue a token if the scope matches

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/user.us.auth0.com/"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "johnnorton.us.auth0.com/:aud": "some-aud",
                    "johnnorton.us.auth0.com/:scope": "aws:0123456789012"
                }
            }
        }
    ]
}

However this condition does not seem to be validated. Are all claims available in trust policies?

hakanson
일 년 전
Does this work without the scope claim (to check syntax) or if you use a different value (to check that aws:0123456789012 isn't being treated special)? https://docs.aws.amazon.com/en_en/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif lists (:aud, :azp, :amr, sub) explicitly, but unclear about other claims.

주제

보안, 신원 및 규정 준수 AWS Well-Architected 프레임워크

태그

보안, 신원 및 규정 준수 AWS 자격 증명 및 액세스 관리 보안 IAM 정책

언어

English

norge801

질문됨 2년 전96회 조회

답변 없음

최신
최다 투표
가장 많은 댓글

ODIC Custom Claim using sts:AssumeRoleWithWebIdentity condition

관련 콘텐츠