Generate OIDC token from EC2 assigned IAM Role temporary credentials

0

Hi, I wish to use "Workload Identity Federation" to use an AWS generated OIDC token with Azure AD. The use-case for this is so that workloads running in AWS can use an assigned IAM Role to access services that are using Azure AD as the Idp. This would mean that the AWS workload would not have to store any AAD credentials. (https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation)

I had assumed that there would be a way to use an IAM role assigned to my EC2 instance to get temporary credentials (this bit is ok), and then use those to get an Open ID Connect (OIDC) token which could then be sent to AAD to be exchanged for an AAD issued token. But I haven't been able to find a way to get an OIDC token from AWS.

Would this require AWS SSO? I can only find a way to get a token from AWS SSO by first registering a client using this API: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_RegisterClient.html ... but registering a client responds with the credentials to use for getting a token, and having to store these credentials defeats the object of using the assigned IAM Role.

Does anyone know how I can get a JWT OIDC token from AWS that represents my IAM Role as the principal?

Thanks

5 Answers
2

See my blog post: https://blog.identitydigest.com/azuread-federate-aws/ which provides a walkthrough for how to achieve this scenario

answered a year ago
0

Hi,

To get an OpenID token for your EC2 instance you need an OpenID provider to issue these tokens. AWS itself is not an OpenID provider; the only service that can issue tokens of this type is Cognito (for example using the client-credentials flow with a client-id and secret), and this will require your EC2 instance to use credentials other than the IAM role. So it will be similar to keeping AAD credentials.

You should be able to store AAD credentials in secrets manager and use the IAM permissions associated with your machine to access these secrets as needed at runtime to authenticate with workload identity federation.

AWS
EXPERT
answered 2 years ago
  • Thanks for the response Mahmoud. I did look at Cognito too, but as you said there wasn't a way to get a token using IAM Role temporary credentials.

    Your workaround is our current state (using Secrets manager), I was hoping I would be able to avoid key refreshing and distribution of the AAD credentials by using IAM role. It seems like you can do this in reverse ok (i.e. use an OIDC token from AAD Managed Identity or GCP to access AWS resources), just not when the 'workload' is in AWS.

    Thanks again for the reply.

0

@pcresswell were you ever able to find a solution to this? I'm looking to do the same thing.

Sam
answered a year ago
0

@Sam At the time I was looking at this it wasn't possible (so I was told by MS). But I've not tried Uday Hegde's method described in his excellent blog post above, which looks like it achieves what I was wanting to do. So it looks like it is now possible using Managed Identities.

The solution I used back then was to use the Azure Arc agent on the EC2 workload, which is a very simple setup and results in an Azure Managed Identity on the EC2 workload. (The Arc Agent includes a local service that is queried to get Azure AD tokens). https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication

answered a year ago
0

Thanks @pcresswell. I actually implemented Uday Hegde's blog post pattern with a lambda... works great to get an Azure AD token. Just wish that I was able to use IAM instead of cognito to get that OIDC token directly. Hoping that's a feature that AWS will incorporate into IAM/STS.

Sam
answered a year ago
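As an added example (not code from this thread or from Uday Hegde's post), here is the client side of the exchange Sam describes, in Python: it reads the claims of the OIDC token obtained on the AWS side, checks them against the issuer, subject and audience the federated identity credential on the Azure AD app registration was configured with, and builds the token request in which that OIDC token is sent as a client assertion instead of a stored client secret. The issuer and subject values in the test are placeholders; the audience default `api://AzureADTokenExchange` and the client assertion type are Azure AD's documented values.

```python
import base64
import json
import time
from urllib.parse import urlencode

AAD_TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # Azure AD default audience
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample (alg "none"); a real token is signed by the AWS-side provider.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def decode_jwt_claims(token: str) -> dict:
    """Read the payload without verifying the signature; Azure AD checks that against the
    provider's JWKS. This pre-check only catches misconfiguration before the exchange."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def federated_credential_mismatches(claims: dict, issuer: str, subject: str,
                                    audience: str = AAD_TOKEN_EXCHANGE_AUDIENCE, now=None) -> list:
    """Names of claims that would make Azure AD reject the token against a federated
    identity credential configured with exactly (issuer, subject, audience)."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    if claims.get("sub") != subject:
        problems.append("sub")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    return problems

def build_aad_token_request(tenant_id: str, client_id: str, scope: str, external_token: str):
    """URL and form body for the v2.0 token endpoint: the external OIDC token is sent as a
    client assertion in place of a client secret, so no AAD secret is stored in AWS."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"client_id": client_id, "scope": scope, "grant_type": "client_credentials",
                      "client_assertion_type": CLIENT_ASSERTION_TYPE,
                      "client_assertion": external_token})
    return url, body
```

The unsigned sample token only exercises the claim checks; Azure AD verifies the real token's signature against the provider's published keys when it processes the request.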
