See my blog post: https://blog.identitydigest.com/azuread-federate-aws/ which provides a walkthrough for how to achieve this scenario
Hi,
To get an OpenID token for your EC2 instance you need an OpenID provider to issue these tokens. AWS itself is not an OpenID provider; the only service that can issue tokens of this type is Cognito (for example using the client-credentials flow with a client ID and secret), and this will require your EC2 instance to use credentials other than the IAM role. So it will be similar to keeping AAD credentials.
You should be able to store AAD credentials in secrets manager and use the IAM permissions associated with your machine to access these secrets as needed at runtime to authenticate with workload identity federation.
@pcresswell were you ever able to find a solution to this? I'm looking to do the same thing.
@Sam At the time I was looking at this it wasn't possible (so I was told by MS). But I've not tried Uday Hegde's method described in his excellent blog post above, which looks like it achieves what I was wanting to do. So it looks like it is now possible using Managed Identities.
The solution I used back then was to use the Azure Arc agent on the EC2 workload, which is a very simple setup and results in an Azure Managed Identity on the EC2 workload. (The Arc Agent includes a local service that is queried to get Azure AD tokens). https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication
Thanks @pcresswell. I actually implemented Uday Hegde's blog post pattern with a lambda... works great to get an Azure AD token. Just wish that I was able to use IAM instead of cognito to get that OIDC token directly. Hoping that's a feature that AWS will incorporate into IAM/STS.
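The two patterns discussed in this thread (Mahmoud's workaround of keeping the AAD client secret in Secrets Manager and reading it with the instance role, and the Cognito-issued OIDC token exchanged with Azure AD workload identity federation as in Uday Hegde's post) differ only in the body of the request sent to the Azure AD token endpoint. The following is an added example, not code from the original thread or from the linked blog post. It builds both request shapes, fetches the secret with boto3 through an injectable client so it runs offline, and pre-checks that the OIDC token's `iss`, `sub` and `aud` claims match what the federated identity credential was configured with, since Azure AD rejects the exchange on any mismatch. The tenant, client ID, secret name, issuer URL and the unsigned JWT it builds are all constructed placeholders; a real token is signed by Cognito (or served by the Arc agent).

```python
import base64
import json
import urllib.parse

# Azure AD v2.0 token endpoint; {tenant} is filled with a placeholder below.
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Default audience Azure AD expects on a token presented for workload identity federation.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check is done here:
    Azure AD verifies the signature against the issuer's keys at exchange time;
    this is only a local sanity check before making the call."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def federated_credential_problems(oidc_token: str, issuer: str, subject: str,
                                  audience: str = TOKEN_EXCHANGE_AUDIENCE) -> list:
    """Compare the token's iss/sub/aud with the federated identity credential
    configured on the Azure AD app; return a list of mismatches (empty = OK)."""
    claims = decode_jwt_claims(oidc_token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != configured subject {subject!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append(f"aud {auds!r} does not contain {audience!r}")
    return problems


def client_secret_from_secrets_manager(secret_id: str, client=None) -> str:
    """Secrets Manager workaround: the instance role reads the AAD client secret,
    so no static AWS keys are needed. boto3 is imported lazily so the rest of the
    module runs offline; pass a fake client to test without AWS access."""
    if client is None:
        import boto3  # real AWS SDK; uses the instance role credentials
        client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def client_secret_token_request(tenant: str, client_id: str, client_secret: str, scope: str):
    """Client-credentials request using a shared secret (the pattern this thread
    wanted to get away from: the secret still has to be rotated and distributed)."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return AAD_TOKEN_URL.format(tenant=tenant), body


def federated_token_request(tenant: str, client_id: str, oidc_token: str, scope: str):
    """Client-credentials request where the OIDC token (from Cognito) is the
    client assertion; no AAD secret is stored anywhere on the workload."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_assertion_type": JWT_BEARER_ASSERTION,
            "client_assertion": oidc_token, "scope": scope}
    return AAD_TOKEN_URL.format(tenant=tenant), body


def constructed_oidc_token(iss: str, sub: str, aud: str) -> str:
    """Constructed, UNSIGNED JWT for demonstration only; a real one is minted and
    signed by the OIDC provider (Cognito) and must never be hand-built like this."""
    header = _b64url_encode({"alg": "RS256", "typ": "JWT"})
    payload = _b64url_encode({"iss": iss, "sub": sub, "aud": aud})
    signature = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{header}.{payload}.{signature}"


def encode_form(body: dict) -> bytes:
    """Body bytes for an HTTP POST with application/x-www-form-urlencoded."""
    return urllib.parse.urlencode(body).encode()


if __name__ == "__main__":
    # All identifiers below are placeholders, not real tenant or pool values.
    tenant, client_id = "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000"
    scope = "https://graph.microsoft.com/.default"
    issuer, subject = "https://oidc.example.invalid/pool", "ec2-workload-app-client"

    token = constructed_oidc_token(issuer, subject, TOKEN_EXCHANGE_AUDIENCE)
    print("federated credential mismatches:", federated_credential_problems(token, issuer, subject))
    url, body = federated_token_request(tenant, client_id, token, scope)
    print("POST", url, "->", sorted(body))  # no client_secret in the federated body
```

The local claim check is worth keeping in the Lambda or instance code: a wrong `sub` (for example after an app-client rename in Cognito) produces an opaque Azure AD error at the token endpoint, whereas the pre-check tells you which of the three configured values drifted.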
Thanks for the response Mahmoud. I did look at Cognito too, but as you said there wasn't a way to get a token using IAM Role temporary credentials.
Your workaround is our current state (using Secrets Manager); I was hoping I would be able to avoid key refreshing and distribution of the AAD credentials by using an IAM role. It seems like you can do this in reverse OK (i.e. use an OIDC token from an AAD Managed Identity or GCP to access AWS resources), just not when the 'workload' is in AWS.
Thanks again for the reply.