According to the docs, only a certain subset of claims in an OIDC token can be used as IAM condition keys.
After tinkering around with it for a bit, I discovered that the email claim is also supported (i.e. foo.onelogin.com/oidc/2:email), however this is not documented.
Assuming I have an ID token like the following:
{
  "sub": "...",
  "email": "my-email@example.com",
  "preferred_username": "some-user",
  "name": "Some Person",
  "params": {
    "department": "engineering"
  },
  "at_hash": "...",
  "sid": "....",
  "aud": "....",
  "exp": 1643911968,
  "iat": 1643904768,
  "iss": "https://foo.onelogin.com/oidc/2"
}
How would one be able to create a trust policy that restricts access based on params.department?
The following trust policy does not work:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "foo.onelogin.com/oidc/2:params.department": "engineering",
          "foo.onelogin.com/oidc/2:aud": "...."
        }
      }
    }
  ]
}
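As an added illustration (not part of the question, and not AWS or OneLogin code), the following Python script lints a trust policy offline against a decoded ID-token payload: it derives the `<issuer-host/path>:<claim>` key namespace from `iss`, enumerates the condition keys that the token's top-level claims could produce, and reports any `StringEquals` key in the policy that has no matching claim. The token payload and the `my-client-id` audience are constructed sample values. The script assumes that only top-level scalar claims become condition keys and that a nested object such as `params` is not flattened into `params.department`, which is consistent with the policy above not working, but is an assumption rather than a documented rule.

```python
import json
from urllib.parse import urlparse

# Constructed ID-token payload, modelled on the one in the question
# (signature verification is out of scope here; this is the decoded body).
TOKEN = {
    "sub": "abc123",
    "email": "my-email@example.com",
    "preferred_username": "some-user",
    "name": "Some Person",
    "params": {"department": "engineering"},
    "aud": "my-client-id",
    "exp": 1643911968,
    "iat": 1643904768,
    "iss": "https://foo.onelogin.com/oidc/2",
}

# Constructed trust policy mirroring the one in the question, with a
# concrete audience so that only the nested-claim condition is suspect.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "foo.onelogin.com/oidc/2:params.department": "engineering",
          "foo.onelogin.com/oidc/2:aud": "my-client-id"
        }
      }
    }
  ]
}
""")


def condition_namespace(iss: str) -> str:
    """Web-identity condition keys are named '<issuer without scheme>:<claim>'."""
    parsed = urlparse(iss)
    return (parsed.netloc + parsed.path).rstrip("/")


def condition_keys(token: dict) -> dict:
    """Map candidate condition keys to string values.

    Assumption: only top-level scalar claims are exposed as keys; nested
    objects (like 'params') are not flattened into dotted key names.
    """
    ns = condition_namespace(token["iss"])
    keys = {}
    for claim, value in token.items():
        if isinstance(value, (str, int)) and not isinstance(value, bool):
            keys[f"{ns}:{claim}"] = str(value)
    return keys


def lint_trust_policy(policy: dict, token: dict) -> list:
    """Return (key, reason) pairs for StringEquals conditions that cannot
    be satisfied by this token: unknown keys or mismatched values."""
    available = condition_keys(token)
    problems = []
    for stmt in policy.get("Statement", []):
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        for key, expected in equals.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = available.get(key)
            if actual is None:
                problems.append((key, "no such condition key (nested or unsupported claim)"))
            elif actual not in allowed:
                problems.append((key, f"value mismatch: token has {actual!r}"))
    return problems


if __name__ == "__main__":
    for key, reason in lint_trust_policy(TRUST_POLICY, TOKEN):
        print(f"{key}: {reason}")
```

Running it flags `foo.onelogin.com/oidc/2:params.department` as a key the token cannot supply while `:aud` passes, which is the failure mode the question describes. A check like this is useful in a CI step for trust policies: a condition that can never match silently denies the role rather than restricting it to the intended department.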