Generate OIDC token from EC2 assigned IAM Role temporary credentials
Hi, I wish to use "Workload Identity Federation" to use an AWS generated OIDC token with Azure AD. The use-case for this is so that workloads running in AWS can use an assigned IAM Role to access services that are using Azure AD as the Idp. This would mean that the AWS workload would not have to store any AAD credentials. (https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation)
I had assumed that there would be a way to use an IAM role Assigned to my EC2 instance to get temporary credentials (this bit is ok), and then use those to get an Open ID Connect (OIDC) token which could then be sent to AAD to be exchanged for an AAD issued token). But I haven't been able to find a way to get an OIDC token from AWS.
Would this require AWS SSO? I can only find a way to get a token from AWS SSO by first registering a client using this API: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_RegisterClient.html ... but registering a client responds with the credentials to use for getting a token, and having to store these credentials defeats the object of using the assigned IAM Role.
Does anyone know how I can get a JWT ODIC token from AWS that represents my IAM Role as the principal?
To get an OpenID token for your EC2 instance you need an OpenID provider to issue these tokens. AWS itself is not an OpenID provider, the only service that can issue tokens of this type is Cognito (for example using client-credentials flow with a client-id and secret) and this will require your EC2 instance to use credentials other than the IAM role. So it will be similar to keeping AAD credentials.
You should be able to store AAD credentials in secrets manager and use the IAM permissions associated with your machine to access these secrets as needed at runtime to authenticate with workload identity federation.
Thanks for the response Mahmoud. I did look at Cognito too, but as you said there wasn't a way to get a token using IAM Role temporary credentials.
Your workaround is our current state (using Secrets manager), I was hoping I would be able to avoid key refreshing and distribution of the AAD credentials by using IAM role. It seems like you can do this in reverse ok (i.e. use an OIDC token from AAD Managed Identity or GCP to access AWS resources), just not when the 'workload' is in AWS.
Thanks again for the reply.
Can ALB forward Authorization: Bearer tokens in HTTP(S) request to backend rather than x-amzn-oidc-accesstoken?asked 3 months ago
How does an EC2 instance assume an IAM Role?Accepted Answerasked 3 months ago
IAM Condition keys: How to access nested attributes in custom OIDC token claims?asked 5 months ago
How can I use Azure AD credentials for SSH into AWS EC2 Instance?Accepted Answerasked 4 months ago
Generate OIDC token from EC2 assigned IAM Role temporary credentialsasked 6 months ago
Should I use Cognito Identity Pool OIDC JWT Connect Tokens in the AWS API Gateway?asked 2 months ago
User pool third-party OIDC - token requestAccepted Answerasked 5 months ago
Is it possible to assign MFA for AWS IAM role?asked 5 months ago
Does IAM Federation with Google Workspace support user groups?asked 2 months ago