Use an OIDC token from Azure AD or GCP to access AWS resources (workload Identity federation)



I wish to use Workload Identity Federation in order to allow an app in Azure AD or GCP to access AWS resources. Between Azure and GCP, we can configure a trust relationship based on the claims of the JWT token: the issuer and the audience. I saw that we can add identity providers in the AWS IAM section, which allows one to enter an issuer, define an audience and assign a role that gives access to the resource. But how does the exchange operate? For other IdPs, we can send a simple HTTP request to a particular endpoint (such as Google STS) containing the token as a parameter, and receive the exchanged token in the response.
Does anyone know if it is possible to implement "Workload Identity Federation" with AWS? If so, how can we proceed to exchange the tokens?

Thanks a lot,

2 Answers

Hello,

If you are looking for a way to access AWS resources, then AWS Identity Center is the answer; if you are looking to federate from another IdP such as Azure AD or GCP, Identity Center can be configured to federate users.

You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS IAM Identity Center (successor to AWS SSO) or AWS Identity and Access Management (IAM).

If you are looking for identity management using federated identities for your custom application, then Amazon Cognito is your solution: you will need to create a user pool, update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.

answered 6 days ago


We have a readily available solution for this in IAM today:

Note: If you are using Google as your IdP then you don't need to create a separate IAM IdP in AWS as it is already built into AWS.

As noted on that linked page above, you will create your IAM policy and as part of that a trust policy.

Then if signing in from Google, the following example trust policy would apply. In this example, 666777888999000 represents the app ID that Google assigns.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Sid": "RoleForGoogle",
          "Effect": "Allow",
          "Principal": {"Federated": "accounts.google.com"},
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}}
      }]
    }

The flow would likely be this:

Client --- authenticates to ---> Google IdP --- returns authenticated ID token to ---> Client

Client --- calls 'sts AssumeRoleWithWebIdentity' with the ID token ---> AWS STS 
AWS STS <--- validates the ID token with ---> Google IdP

AWS STS --- checks trust policy ---> IAM role

AWS STS --- returns temporary credentials to ---> Client

Client --- accesses service ---> AWS

One last thing, you must use an ID token when making the call to AssumeRoleWithWebIdentity - this does not work for a Google access token.

Hope this helps?

Kind Regards, Alex.

answered 6 days ago
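The exchange from the flow above, as an added example in Python (not code from the thread or from AWS): a local pre-flight check of the ID token's issuer, audience and expiry against the same trust policy, followed by the actual AssumeRoleWithWebIdentity call through boto3. The sample token is constructed and unsigned, so it only exercises the local check; the role ARN, the session name and a working boto3 install are assumptions.

```python
import base64
import json
import time

TRUST_POLICY = {  # the example trust policy from the answer; 666777888999000 is the sample app ID
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleForGoogle",
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}},
    }],
}

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the local check only; STS would reject it."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def decode_claims(id_token: str) -> dict:
    """Read the JWT payload; signature verification is left to STS against the IdP's keys."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def _claim_matches(claims: dict, cond_key: str, expected: str) -> bool:
    # "accounts.google.com:aud" -> token claim "aud"; aud may be a list (RFC 7519)
    value = claims.get(cond_key.rsplit(":", 1)[-1])
    return expected in value if isinstance(value, list) else value == expected

def trust_policy_allows(policy: dict, id_token: str, now: float = None) -> bool:
    """Pre-flight mirror of what STS evaluates: issuer, StringEquals conditions, expiry."""
    claims = decode_claims(id_token)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False
    issuer = claims.get("iss", "").removeprefix("https://")
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity"
                or issuer != stmt["Principal"]["Federated"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(_claim_matches(claims, k, v) for k, v in conds.items()):
            return True
    return False

def exchange_token(role_arn: str, id_token: str, session_name: str = "oidc-workload") -> dict:
    import boto3  # assumption: boto3 installed and network access to STS
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=id_token, DurationSeconds=3600)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration
```

Run `trust_policy_allows` before calling STS to fail fast on a token whose `aud` or `iss` will never satisfy the trust policy; the returned credentials are temporary and expire at `Expiration`.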
