
Generate OIDC token from EC2 assigned IAM Role temporary credentials


Hi, I wish to use "Workload Identity Federation" to use an AWS generated OIDC token with Azure AD. The use-case for this is so that workloads running in AWS can use an assigned IAM Role to access services that are using Azure AD as the IdP. This would mean that the AWS workload would not have to store any AAD credentials.

I had assumed that there would be a way to use an IAM role assigned to my EC2 instance to get temporary credentials (this bit is ok), and then use those to get an OpenID Connect (OIDC) token which could then be sent to AAD to be exchanged for an AAD issued token. But I haven't been able to find a way to get an OIDC token from AWS.

Would this require AWS SSO? I can only find a way to get a token from AWS SSO by first registering a client using this API: ... but registering a client responds with the credentials to use for getting a token, and having to store these credentials defeats the object of using the assigned IAM Role.

Does anyone know how I can get a JWT OIDC token from AWS that represents my IAM Role as the principal?


1 Answer


To get an OpenID token for your EC2 instance you need an OpenID provider to issue these tokens. AWS itself is not an OpenID provider; the only service that can issue tokens of this type is Cognito (for example using the client-credentials flow with a client-id and secret), and this will require your EC2 instance to use credentials other than the IAM role. So it will be similar to keeping AAD credentials.

You should be able to store AAD credentials in Secrets Manager and use the IAM permissions associated with your machine to access these secrets as needed at runtime to authenticate with workload identity federation.

answered 5 months ago
  • Thanks for the response Mahmoud. I did look at Cognito too, but as you said there wasn't a way to get a token using IAM Role temporary credentials.

    Your workaround is our current state (using Secrets Manager). I was hoping I would be able to avoid key refreshing and distribution of the AAD credentials by using the IAM role. It seems like you can do this in reverse ok (i.e. use an OIDC token from AAD Managed Identity or GCP to access AWS resources), just not when the 'workload' is in AWS.

    Thanks again for the reply.
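As an added illustration of the Secrets Manager workaround from the answer (and the commenter's current setup), not code posted in this thread: the instance role's temporary credentials are used only to read the Azure AD client secret at runtime, which is then spent on the client-credentials flow against Azure AD. The secret id, region, JSON field names and the assumption that boto3 is installed are all mine.

```python
"""Fetch the Azure AD client secret from AWS Secrets Manager at runtime with the
EC2 instance role, then exchange it for an Azure AD token (client-credentials flow)."""
import json
import urllib.parse
import urllib.request

# Hypothetical names: the secret id is a placeholder chosen for this example.
SECRET_ID = "prod/azure-ad/workload-client"
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def default_secrets_client(region_name: str):
    """boto3 resolves the instance role's temporary credentials from IMDS on its
    own, so no AWS or AAD credential is ever written to the instance."""
    import boto3  # imported lazily so the module loads where boto3 is absent
    return boto3.client("secretsmanager", region_name=region_name)


def load_aad_credentials(secrets_client, secret_id: str) -> dict:
    """Read the JSON secret {tenant_id, client_id, client_secret} into memory only."""
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    creds = json.loads(resp["SecretString"])
    missing = {"tenant_id", "client_id", "client_secret"} - set(creds)
    if missing:
        raise ValueError(f"secret {secret_id} lacks fields: {sorted(missing)}")
    return creds


def build_token_request(creds: dict, scope: str) -> tuple[str, bytes]:
    """Build the Azure AD client-credentials request: token URL plus form body."""
    url = TOKEN_URL_TEMPLATE.format(tenant=creds["tenant_id"])
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": creds["client_id"],
        "client_secret": creds["client_secret"],
        "scope": scope,
    }).encode()
    return url, body


def fetch_aad_token(creds: dict, scope: str) -> str:
    """POST the request to Azure AD and return the access token."""
    url, body = build_token_request(creds, scope)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]
```

On the instance this is `fetch_aad_token(load_aad_credentials(default_secrets_client("eu-west-1"), SECRET_ID), "https://graph.microsoft.com/.default")`; with rotation configured on the secret, a new client secret is picked up on the next call without redeploying anything to the workload.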
