How do I parse multiple group claims from an OIDC Token/Provider into an IAM Policy?


Suppose you want to use the "groups" claim from your OIDC provider to dictate resource access for your IAM role.

i.e. if you're in group A, you can touch resource A. A user could be in groups A, B, and C all at the same time.

All of the IAM examples so far seem to assume that a user has a single group or department attribute that dictates access (i.e. bob's department=accounting), instead of multiple (i.e. bob's departments=[accounting]). Usually this is never the case in reality and hardly seems applicable to any use cases.

Furthermore, it seems that mapping the "groups" claim in an OIDC provider with Cognito Identity Pools transcribes the array to a singular string (i.e. the array [groupA, groupB, groupC] is parsed to the literal string "["groupA", "groupB", "groupC"]"), which is near impossible to use in IAM roles when checking access levels due to a lack of advanced string parsing.

Any ideas? Is this just not a thing in IAM? Can you just simply not use the groups claim from an OIDC provider?

1 Answer

Assuming you are using Cognito for authN and implementing groups to assign roles, you have the option of using priority within your roles. If that does not suffice you can implement RBAC as defined.

answered 2 months ago
  • RBAC still caps out at 25 rules -> 25 roles per OIDC provider, right? So if you had more than 25 possible groups this wouldn't be a practical solution either.

    It also forces you to "pick" a single role to sign in as at a time, instead of utilizing the credentials of multiple, which isn't ideal.
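The answer's "priority" and the comment's two caveats (a 25-rule cap and exactly one role per sign-in) can be made concrete with a small local model of ordered, rules-based role mapping run against the flattened "groups" string the question describes. This is an added example, not code from the question, the answer, or AWS: the role ARNs, the rule list and the claim values are constructed, and the rule shape (Claim, MatchType, Value, RoleARN, first match wins) is an assumption about how rules-based mapping behaves that should be checked against the Cognito documentation before relying on it. It also shows why a `Contains` match against the flattened string is a substring test, so a rule written for "admins" also fires for a group named "admins-readonly".

```python
import json

# Constructed role ARNs for this example (hypothetical account id).
ROLE_ADMIN = "arn:aws:iam::123456789012:role/example-admin"
ROLE_DEV = "arn:aws:iam::123456789012:role/example-developer"
ROLE_DEFAULT = "arn:aws:iam::123456789012:role/example-default"

# Rule cap stated in the comment above: 25 rules per provider.
MAX_RULES = 25

# Constructed rule list. Order is the "priority": the first matching rule wins.
RULES = [
    {"Claim": "groups", "MatchType": "Contains", "Value": "admins", "RoleARN": ROLE_ADMIN},
    {"Claim": "groups", "MatchType": "Contains", "Value": "developers", "RoleARN": ROLE_DEV},
]


def groups_from_flattened_claim(flattened):
    """The flattened form quoted in the question is a JSON array serialised
    to a string, so it can be recovered losslessly with json.loads. Returns a
    set of group names (assumption: the provider emits valid JSON)."""
    parsed = json.loads(flattened)
    if not isinstance(parsed, list):
        raise ValueError("groups claim did not flatten to a JSON array")
    return set(parsed)


def claim_matches(match_type, claim_value, rule_value):
    """Assumed match semantics for the four match types modelled here.
    Note that Contains is a plain substring test on the flattened string."""
    if match_type == "Equals":
        return claim_value == rule_value
    if match_type == "Contains":
        return rule_value in claim_value
    if match_type == "StartsWith":
        return claim_value.startswith(rule_value)
    if match_type == "NotEqual":
        return claim_value != rule_value
    raise ValueError(f"unknown MatchType {match_type!r}")


def first_matching_role(claims, rules, ambiguous_role=None):
    """Evaluate rules in order and return exactly one role ARN (the first
    match), or the fallback role when nothing matches. A user in several
    mapped groups still gets only one role per sign-in, as the comment notes."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the cap of {MAX_RULES}")
    for rule in rules:
        value = claims.get(rule["Claim"])
        if value is None:
            continue
        if claim_matches(rule["MatchType"], value, rule["Value"]):
            return rule["RoleARN"]
    return ambiguous_role


def substring_collisions(rules, known_groups):
    """Defensive check: list (rule value, group) pairs where a Contains rule
    value is a proper substring of a different known group name, i.e. where
    the rule would grant its role to members of a group it was not written for."""
    collisions = []
    for rule in rules:
        if rule["MatchType"] != "Contains":
            continue
        for group in known_groups:
            if group != rule["Value"] and rule["Value"] in group:
                collisions.append((rule["Value"], group))
    return collisions


if __name__ == "__main__":
    # The flattened claim exactly as the question describes it.
    flattened = '["groupA", "groupB", "groupC"]'
    print(sorted(groups_from_flattened_claim(flattened)))
    # No rule matches these groups, so the fallback role is chosen.
    print(first_matching_role({"groups": flattened}, RULES, ROLE_DEFAULT))
    # A user in both mapped groups gets only the higher-priority role.
    print(first_matching_role({"groups": '["developers", "admins"]'}, RULES))
    # Substring collision: "admins" also matches "admins-readonly".
    print(substring_collisions(RULES, ["admins", "admins-readonly", "developers"]))
```

The practical takeaways: with ordered rules the mapping is "one role per session", so the rule order is the access decision and deserves review; and any `Contains` rule should be checked against the full list of group names with something like `substring_collisions` before it is trusted, since an over-broad match quietly widens the set of users who land in that role.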
