Use an OIDC token from Azure AD or GCP to access AWS resources (workload identity federation)

I wish to use workload identity federation in order to allow an app in Azure AD or GCP to access AWS resources. Between Azure and GCP, we can configure a trust relationship based on the claims of the JWT token: the issuer and the audience. I saw that we can add identity providers in the AWS IAM section, which allows us to enter an issuer, define an audience and assign a role that gives access to the resource. But how does the exchange operate? For other IdPs, we can send a simple HTTP request to a particular endpoint (such as Google STS) containing the token as a parameter, and receive the exchanged token in the response.
Does anyone know if it is possible to implement "workload identity federation" with AWS? If so, how can we proceed to exchange the tokens?

Thanks a lot,

2 Answers
Accepted Answer


We have a readily available solution for this in IAM today:

Note: If you are using Google as your IdP then you don't need to create a separate IAM IdP in AWS as it is already built into AWS.

As noted on that linked page above, you will create your IAM policy and as part of that a trust policy.

Then if signing in from Google, the following example trust policy would apply. In this example, 666777888999000 represents the app ID that Google assigns.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Sid": "RoleForGoogle",
          "Effect": "Allow",
          "Principal": {"Federated": "accounts.google.com"},
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}}
      }]
    }

The flow would likely be this:

Client --- authenticates to ---> Google IdP --- returns authenticated ID token to ---> Client

Client --- calls sts:AssumeRoleWithWebIdentity with the ID token ---> AWS STS
AWS STS <--- validates the ID token with ---> Google IdP

AWS STS --- checks trust policy ---> IAM role

AWS STS --- returns temporary credentials to ---> Client

Client --- accesses service ---> AWS

One last thing, you must use an ID token when making the call to AssumeRoleWithWebIdentity - this does not work for a Google access token.

Hope this helps?

Kind Regards, Alex.

AWS
answered a year ago
  • Hi Alex, and many thanks for your suggestion and especially your explanations; it helped me so much. I followed the documentation you sent and after some fails I managed to implement a workload identity federation between Azure and AWS in both directions. But when trying to do so with Google as IdP, I failed to make it work. The only specific thing I did was use a GCP Service Account Unique ID as audience (in the trust relationship + in the GCP ID token). I get an error regarding the audience so I suspect it is the root cause; I wonder what your opinion is about this. Error code: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience. Thank you,

  • @MrAnderson_ I need to solve this exact issue.

    Would you be able to share some details on how you set this up please?
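The exchange the question asks about and the flow the accepted answer sketches, as an added example (not code from the original answer or from AWS): AssumeRoleWithWebIdentity is an unsigned STS Query API call in which the IdP's ID token is the only credential, so it really is the "simple HTTP request to an endpoint" the asker compares it to. The block also includes a local pre-flight check that compares the token's iss and aud claims with the role's trust policy, the class of mismatch behind an "Incorrect token audience" error, for both the built-in accounts.google.com principal and an IAM OIDC provider ARN (the Azure-style provider, tenant ID and app ID in the fixture are constructed placeholders; the trust policy constant is the one from the answer). The check decodes the JWT without verifying its signature and is only for diagnosing configuration; signature and key verification happen at STS.

```python
# Added example, not code from the original answer or from AWS: the token exchange behind
# AssumeRoleWithWebIdentity plus a local check of the ID token against the role's trust policy.
import base64
import json
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_ENDPOINT = "https://sts.amazonaws.com/"  # a regional STS endpoint works the same way

# Trust policy from the answer above (built-in Google provider; app ID is the placeholder used there).
GOOGLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RoleForGoogle", "Effect": "Allow",
    "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}}}]}


def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, NOT signature-verified: pre-flight only, STS verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 segments")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def provider_name(federated: str) -> str:
    """Federated principal -> condition-key prefix: 'accounts.google.com' stays as is; an IAM OIDC
    provider ARN 'arn:aws:iam::123456789012:oidc-provider/<issuer-host-and-path>' yields that suffix."""
    marker = ":oidc-provider/"
    return federated.split(marker, 1)[1] if marker in federated else federated


def check_token_against_trust_policy(token: str, trust_policy: dict, now: float = None) -> list:
    """Every way the token's iss/aud/exp claims miss the trust policy; [] means the claims line up
    (STS still has to verify the signature against the IdP's published keys)."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    iss = claims.get("iss", "")
    iss = (iss[len("https://"):] if iss.startswith("https://") else iss).rstrip("/")  # policy names have no scheme
    aud = claims.get("aud")
    token_auds = set(aud) if isinstance(aud, list) else {aud}
    problems = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = provider_name(stmt["Principal"]["Federated"]).rstrip("/")
        if iss != provider:
            problems.append(f"issuer {iss!r} does not match provider {provider!r}")
        allowed = stmt.get("Condition", {}).get("StringEquals", {}).get(provider + ":aud")
        if allowed is None:
            continue  # no audience restriction: any token minted by that IdP is accepted
        allowed_auds = set(allowed) if isinstance(allowed, list) else {allowed}
        if not token_auds & allowed_auds:
            problems.append(f"token aud {sorted(token_auds)} not in policy aud {sorted(allowed_auds)}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    return problems


def build_assume_role_request(role_arn: str, session_name: str, token: str, duration: int = 3600) -> bytes:
    """Form-encoded STS Query API call; it is unsigned, the ID token is the only credential."""
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "WebIdentityToken": token, "DurationSeconds": str(duration)}).encode()


def parse_credentials(xml_body: bytes) -> dict:
    """AccessKeyId/SecretAccessKey/SessionToken/Expiration from the STS XML response."""
    ns = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
    creds = ET.fromstring(xml_body).find(".//sts:Credentials", ns)
    if creds is None:
        raise RuntimeError("STS error: " + xml_body.decode(errors="replace"))
    return {child.tag.split("}", 1)[1]: child.text for child in creds}


def assume_role_with_web_identity(role_arn: str, session_name: str, token: str,
                                  trust_policy: dict = None) -> dict:
    """The 'Client -> AWS STS' step: exchange the IdP's ID token for temporary AWS credentials."""
    if trust_policy is not None and (problems := check_token_against_trust_policy(token, trust_policy)):
        raise ValueError("token will not satisfy the trust policy: " + "; ".join(problems))
    req = urllib.request.Request(STS_ENDPOINT, data=build_assume_role_request(role_arn, session_name, token),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_credentials(resp.read())


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture: an unsigned JWT that exercises the local check offline (STS rejects it)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```

In production the raw request is normally replaced by boto3's `sts.assume_role_with_web_identity(RoleArn=..., RoleSessionName=..., WebIdentityToken=...)`, which performs the same unsigned call; the pre-flight check is still worth running first, because STS returns a generic InvalidIdentityToken for an audience or issuer that does not match the trust policy, and the decoded claims tell you which one it was. For Azure AD v2.0 tokens the iss claim is `https://login.microsoftonline.com/<tenant>/v2.0` and aud is the application (client) ID, so the IAM provider name and the `<provider>:aud` condition value must be exactly those strings.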


Hello,

If you are looking for a way to access AWS resources, then AWS IAM Identity Center is the answer; if you are looking to federate from another IdP such as Azure AD or GCP, Identity Center can be configured to federate users.

You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS IAM Identity Center (successor to AWS SSO) or AWS Identity and Access Management (IAM).

If you are looking for identity management using federated identities for your custom application, then Amazon Cognito is your solution: you will need to create a user pool, update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.

AWS
answered a year ago
