No OpenIDConnect provider found in your account

0

Hi,

I am trying to setup integration with Azure but am receiving the following error:

```xml
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>No OpenIDConnect provider found in your account for https://login.microsoftonline.com/<REMOVED_FOR_FORUM_POST>/v2.0/</Message>
  </Error>
  <RequestId>82858d99-0a97-11e8-9deb-e557727bf59c</RequestId>
</ErrorResponse>
```

I am just making a simple cURL call:

```
curl "https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleSessionName=app1&RoleArn=arn:aws:iam::<MY_TENANT_ID>:role/AWS-TEST-OIDC-AZURE&WebIdentityToken=<THE_TOKEN_PROVIDED>&Version=2011-06-15"
```

I have followed the instructions posted at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html (and the pages surrounding it).  
  
The OIDC provider is correctly set up, the role is correctly set up, and the role is correctly defined.  
  
See also RequestID 5e2a5284-0aaa-11e8-8b03-53c6fa7390a4, which is with an alternate config but still does not work.  
  
Edited by: devrandom on Feb 5, 2018 7:29 PM
Asked 6 years ago, 9954 views
2 answers
0

I had the same problem and it was difficult to troubleshoot. My problem appears to have been leaving a trailing slash in the oidc provider URL as part of the identity provider setup.

not working: https://provider.com/endpoint/
working: https://provider.com/endpoint

Changing the trust policy to include the trailing slash did not fix the issue either - the only way I could solve this issue was to delete the OIDC provider and re-create it without the trailing slash.

The exact error message I was seeing:

```
InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for <provider>
```

The hint was the error message did not display the trailing slash no matter what was in the trust policy.

Answered 6 years ago
0

I think it depends on how you are using it. The aws-sdk may require a non-trailing slash. HOWEVER, the aws-cli adds the trailing slash automatically. I needed to include the trailing slash in the openid connect provider setup AND the trust policy. This is because the aws cli generates the openid url connect for the user and there is no way to edit that behavior unless you hack the python library underneath.

Answered a year ago
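A diagnostic for the mismatch both answers describe, added here as example code that is not from the thread or from AWS: it decodes the token's `iss` claim (without verifying it; STS does that) and compares it with the account's registered provider URLs, reporting a trailing-slash difference separately from a missing provider. It assumes boto3's `get_open_id_connect_provider` reports `Url` without the `https://` scheme (both forms are handled), and the token, tenant id and provider records below are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed token in JWT shape (header.payload.signature); the issuer mimics
# what Azure AD writes into a v2.0 token and the signature is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"}),
    "placeholder-signature",
])

# Constructed record in the shape get_open_id_connect_provider() returns;
# registered with the trailing slash the first answer identifies as the fault.
SAMPLE_PROVIDERS = [{"Url": "login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/",
                     "ClientIDList": ["app1-client-id"]}]

def jwt_claims(token):
    """Decode the JWT payload without verification (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def strip_scheme(url):
    """Drop 'https://' so a token issuer and an IAM Url compare on host + path only."""
    parts = urlparse(url if "://" in url else "https://" + url)
    return parts.netloc + parts.path

def diagnose(token, providers):
    """Return (code, detail) findings; an empty list means a provider matches exactly."""
    iss = strip_scheme(jwt_claims(token)["iss"])
    for prov in providers:
        url = strip_scheme(prov["Url"])
        if url == iss:                             # exact match, which is what STS requires
            return []
        if url.rstrip("/") == iss.rstrip("/"):     # differs only by the trailing slash
            return [("trailing_slash_mismatch", f"registered {url!r}, token issuer {iss!r}")]
    return [("no_provider_for_issuer", iss)]

def live_providers(session=None):
    """Fetch the account's real provider records with boto3 (needs credentials)."""
    import boto3  # imported lazily so the offline checks above need no AWS SDK
    iam = (session or boto3).client("iam")
    arns = [p["Arn"] for p in iam.list_open_id_connect_providers()["OpenIDConnectProviderList"]]
    return [iam.get_open_id_connect_provider(OpenIDConnectProviderArn=a) for a in arns]
```

Running `diagnose(your_token, live_providers())` against a real account tells you whether to re-create the provider with the exact issuer string, which is the fix the first answer arrived at by trial and error.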
