Using custom OIDC claims in trust policy for sts:AssumeRoleWithWebIdentity

0

Assuming I have an ID token of the following format:

{
  "sub": "...",
  "email": "email@example.com",
  "custom_claim": "value_here",
  "name": "...",
  "at_hash": "...",
  "sid": "....",
  "aud": "....",
  "exp": 0,
  "iat": 0,
  "iss": "..."
}

Is there a method of using the "custom_claim" claim inside of the Trust Policy for an IAM Role? There have been many use cases for this (CI pipelines in GitHub/GitLab is a big one among others), but there doesn't seem to be support for it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::0123456789:oidc-provider/example.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "example.com:sub": "value_here",
                    "example.com:custom_claim": "value_here"
                }
            }
        }
    ]
}
1 Answer
1

I'm sorry, but that's not possible. The condition keys available are described on this page of the documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif, and an example of OIDC integration with GitHub is documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html in the section "Configuring a role for GitHub OIDC identity provider". Instead of this, try to explain what you want to achieve, and hopefully we can help you figure out a workaround for your use case.

Thanks!

AWS
answered 10 days ago
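As an added example (not code from the question, the answer or AWS), the check below lints an OIDC trust policy the way the answer suggests reading it: any `<provider>:<claim>` key that STS does not populate is simply absent from the request context, so a `StringEquals` on it never matches and the statement fails closed, while a missing `aud`/`sub` condition leaves the role open to any token the provider issues. It assumes (confirm against the linked condition-key reference) that only `aud` and `sub` are exposed for a generic OIDC provider; the sample policy is constructed from the question.

```python
import json

# Assumption (verify against the IAM condition-key reference): for a generic
# OIDC provider STS exposes only these claims as "<provider>:<claim>" keys.
SUPPORTED_CLAIMS = {"aud", "sub"}

# Constructed sample: the trust policy from the question.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::0123456789:oidc-provider/example.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "example.com:sub": "value_here",
            "example.com:custom_claim": "value_here"}}}]})

def lint_trust_policy(policy_json, supported=SUPPORTED_CLAIMS):
    """Return findings for Allow statements granting sts:AssumeRoleWithWebIdentity."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # arn:aws:iam::<account>:oidc-provider/<host>; <host> is the condition-key prefix
        provider = stmt.get("Principal", {}).get("Federated", "").split("oidc-provider/", 1)[-1]
        seen = set()
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, values in pairs.items():
                prefix, _, claim = key.partition(":")
                if prefix != provider:
                    findings.append(f"stmt {i}: {key!r} does not use provider {provider!r}; it can never match")
                    continue
                seen.add(claim)
                if claim not in supported:
                    findings.append(f"stmt {i}: {key!r} is not a claim STS exposes; the key is absent "
                                    "from the request context, so StringEquals never matches (fails closed)")
                values = [values] if isinstance(values, str) else values
                if claim == "sub" and operator.startswith("StringLike") and "*" in values:
                    findings.append(f"stmt {i}: {key!r} matches '*'; any identity issued by {provider!r} may assume the role")
        for required in ("aud", "sub"):
            if required not in seen:
                findings.append(f"stmt {i}: no condition on '{provider}:{required}'; the role is not scoped by {required}")
    return findings

if __name__ == "__main__":
    for finding in lint_trust_policy(SAMPLE_POLICY):
        print(finding)
```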
