Is it possible to use a private S3 bucket for an OIDC provider?

1

Hi everyone,

I'm currently trying to find out, if it is possible to have a non public s3 bucket, which hosts the openid-connect and jwks files required for an open id connect provider?

So my end goal would be, that only the OIDC provider has access to the public s3 bucket.

Best, Patrick

已提问 2 年前1646 查看次数
4 回答
1

Hi,

Thank you for your answers! We want to integrate this while setup with an IAM identity provider. Are the IPs which query the endpoints well known? Or is there maybe a special principal we could allow access to the bucket (a bit like with the custom origin for cloudfront)?

Best, Patrick

已回答 2 年前
0

It depends on the definition of public bucket. You could use aws:sourceIp condition key in the bucket policy to allow only known IPs to access your bucket without authentication. In that sense, according to the AWS documentation, the bucket might not be considered anymore as public.

AWS
已回答 2 年前
0

Hi,

From the case notes I understand that you would like to know if it would be possible to have a public S3 bucket that only grants access to an OIDC provider.

It would be possible to scope down principals that can access a bucket however this would no longer be a public bucket as a public bucket would be one that can be accessed by any principal rather than only a specific one. The following would be examples of how you can restrict s3 access to a specific IPv4 or IPv6 address [1]. You can allow the specific IP address for your OIDC provider in order to limit access to only that provider.

I hope you have a great rest of your day!

References [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-4

AWS
支持工程师
已回答 2 年前
0

Hi Patrick, Were you able to make this work? Thank you

已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则