IAM Condition keys: How to access nested attributes in custom OIDC token claims?


According to the docs, only a certain subset of claims in an OIDC token can be used as IAM condition keys.

After tinkering around with it for a bit, I discovered that the email claim is also supported (i.e. foo.onelogin.com/oidc/2:email); however, this is not documented.

Assuming I have an ID token like the following:

{
  "sub": "...",
  "email": "my-email@example.com",
  "preferred_username": "some-user",
  "name": "Some Person",
  "params": {
    "department": "engineering"
  },
  "at_hash": "...",
  "sid": "....",
  "aud": "....",
  "exp": 1643911968,
  "iat": 1643904768,
  "iss": "https://foo.onelogin.com/oidc/2"
}

How would one be able to create a trust policy that restricts access based on params.department?

The following trust policy does not work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "foo.onelogin.com/oidc/2:params.department": "engineering",
          "foo.onelogin.com/oidc/2:aud": "...."
        }
      }
    }
  ]
}
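As an added example (not from the question or from AWS), a small Python model of how the question's condition keys are formed from the token's top-level claims and how a StringEquals block evaluates against them, which makes visible why the nested params.department path cannot match. The evaluator is a local pre-deployment check, not AWS's own logic, and every token and policy value is a constructed placeholder.

```python
# Constructed ID token modelled on the one in the question (placeholder values).
ID_TOKEN = {
    "sub": "subject-placeholder",
    "email": "my-email@example.com",
    "preferred_username": "some-user",
    "name": "Some Person",
    "params": {"department": "engineering"},
    "aud": "client-id-placeholder",
    "iss": "https://foo.onelogin.com/oidc/2",
}

def token_condition_keys(token):
    # Map top-level scalar claims to "<issuer host/path>:<claim>" keys, the form
    # used in the question. A nested object such as "params" yields no key, so a
    # path like "params.department" can never resolve.
    prefix = token["iss"].split("://", 1)[1]
    return {f"{prefix}:{k}": str(v) for k, v in token.items()
            if isinstance(v, (str, int))}

def evaluate_trust_policy(policy, token):
    # Return (allowed, unresolved_keys) for the policy's StringEquals conditions.
    # A key absent from the request context makes StringEquals false; this is a
    # local pre-deployment check, not AWS's own evaluator.
    keys = token_condition_keys(token)
    unresolved, allowed = [], True
    for stmt in policy["Statement"]:
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key not in keys:
                unresolved.append(key)
                allowed = False
            elif keys[key] != expected:
                allowed = False
    return allowed, unresolved

def trust_policy(conditions):
    # The question's trust policy with the given StringEquals conditions.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": conditions}}]}

# The policy from the question: the nested claim path never resolves.
NESTED_POLICY = trust_policy({"foo.onelogin.com/oidc/2:params.department": "engineering",
                              "foo.onelogin.com/oidc/2:aud": "client-id-placeholder"})
# The same policy keyed on a top-level claim instead.
EMAIL_POLICY = trust_policy({"foo.onelogin.com/oidc/2:email": "my-email@example.com",
                             "foo.onelogin.com/oidc/2:aud": "client-id-placeholder"})
print(evaluate_trust_policy(NESTED_POLICY, ID_TOKEN))  # (False, ['foo.onelogin.com/oidc/2:params.department'])
print(evaluate_trust_policy(EMAIL_POLICY, ID_TOKEN))   # (True, [])
```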