- Newest
- Most votes
- Most comments
Hi,
We have a readily available solution for this in IAM today: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
Note: If you are using Google as your IdP then you don't need to create a separate IAM IdP in AWS as it is already built into AWS.
As noted on that linked page above, you will create your IAM policy and as part of that a trust policy.
Then if signing in from Google, the following example trust policy would apply. In this example, 666777888999000 represents the app ID that Google assigns.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "RoleForGoogle",
"Effect": "Allow",
"Principal": {"Federated": "accounts.google.com"},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}}
}]
}
The flow would likely be this:
Client --- authenticates to ---> Google IdP --- returns authenticated ID token to ---> Client
Client --- calls 'sts AssumeRoleWithWebIdentity' with the ID token ---> AWS STS
AWS STS <--- validates the ID token with ---> Google IdP
AWS STS --- checks trust policy ---> IAM role
AWS STS --- returns temporary credentials to ---> Client
Client --- accesses service ---> AWS
One last thing, you must use an ID token when making the call to AssumeRoleWithWebIdentity - this does not work for a Google access token.
Hope this helps?
Kind Regards, Alex.
Hello ,
If you are looking for a way to access AWS resources then AWS identity center is the answer, if you are looking to federate from an another idp such as Azure AD or GCP, identity center can be configured to federate users.
You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS IAM Identity Center (successor to AWS SSO) or AWS Identity and Access Management (IAM).
https://aws.amazon.com/identity/federation/
If you are looking for Identity management using federated identities for your custom application , then Amazon Cognito is your solution , you will need to create a userpool , update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.
https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
Relevant content
- asked 3 years ago
Hi Alex and many thanks for your suggestion and especially your explanations, it helped me so much. I followed the documentation you sent and after some fails I managed to implement a workload identity federation between Azure and AWS in both directions. But when trying doing so with Google as IdP, I failed to make it work. The only specific thing i did was use a GCP Service Account Unique ID as audience (in the trust relationship + in the GCP ID Token). I get an error regarding the audience so I suspect it is the root cause, I wonder what is your opinion about this. Error code : An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience Thank You,
@MrAnderson_ I need to solve this exact issue.
Would you be able to share some details on how you set this up please?