Use an OIDC token from Azure AD or GCP to access AWS resources (workload Identity federation)

0

Hello,

I wish to use Workload Identity Federation in order to allow an app in Azure AD or GCP to access AWS resources. Between Azure and GCP, we can configure a trust relationship based on the claims of the JWT token: the issuer and the audience. I saw that we can add identity providers in the AWS IAM section, which allows us to enter an issuer, define an audience and assign a role that gives access to the resource. But how does the exchange operate? For other IdPs, we can send a simple HTTP request to a particular endpoint (such as Google STS) containing the token as a parameter, and receive the exchanged token in the response.
Does anyone know if it is possible to implement "Workload Identity Federation" with AWS? If so, how can we proceed to exchange the tokens?

Thanks a lot,

2 answers
1
Accepted answer

Hi,

We have a readily available solution for this in IAM today: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html

Note: If you are using Google as your IdP then you don't need to create a separate IAM IdP in AWS as it is already built into AWS.

As noted on that linked page above, you will create your IAM policy and as part of that a trust policy.

Then if signing in from Google, the following example trust policy would apply. In this example, 666777888999000 represents the app ID that Google assigns.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleForGoogle",
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}}
    }]
}

The flow would likely be this:

Client --- authenticates to ---> Google IdP --- returns authenticated ID token to ---> Client

Client --- calls 'sts AssumeRoleWithWebIdentity' with the ID token ---> AWS STS

AWS STS <--- validates the ID token with ---> Google IdP

AWS STS --- checks trust policy ---> IAM role

AWS STS --- returns temporary credentials to ---> Client

Client --- accesses service ---> AWS

One last thing, you must use an ID token when making the call to AssumeRoleWithWebIdentity - this does not work for a Google access token.

Hope this helps?

Kind Regards, Alex.

AWS
Answered 1 year ago
  • Hi Alex, and many thanks for your suggestion and especially your explanations; it helped me so much. I followed the documentation you sent and after some failures I managed to implement a workload identity federation between Azure and AWS in both directions. But when trying to do so with Google as IdP, I failed to make it work. The only specific thing I did was use a GCP Service Account Unique ID as audience (in the trust relationship and in the GCP ID token). I get an error regarding the audience, so I suspect it is the root cause; I wonder what your opinion about this is. Error code: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience. Thank you,

  • @MrAnderson_ I need to solve this exact issue.

    Would you be able to share some details on how you set this up please?
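As an added example (not code from the answer above, AWS, or Google), a small Python pre-flight that applies the trust policy from the accepted answer to the claims of an ID token before STS is called, so that issuer and audience mismatches of the "Incorrect token audience" kind reported in the comments show up locally. It assumes the StringEquals value on `accounts.google.com:aud` is compared with the token's `aud` claim; the sample tokens are constructed and unsigned, and signature verification is left to STS.

```python
import base64
import json

# Trust policy from the accepted answer (666777888999000 is the placeholder
# Google app ID used there).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleForGoogle",
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}},
    }],
}


def unverified_claims(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature.

    STS validates the signature against the IdP's published keys; this only
    inspects the claims locally to explain a rejection before the call.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(trust_policy: dict, claims: dict) -> list[str]:
    """Return the reasons STS would reject this token (empty list = OK)."""
    problems = []
    stmt = trust_policy["Statement"][0]
    issuer = stmt["Principal"]["Federated"]
    # Google tokens carry iss with or without the https:// scheme; the IAM
    # provider name is the bare host, so compare without the scheme.
    if claims.get("iss", "").removeprefix("https://") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    # Assumption: the "<provider>:aud" condition key is matched against aud.
    expected_aud = stmt["Condition"]["StringEquals"][f"{issuer}:aud"]
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"audience {aud!r} does not match {expected_aud!r}")
    return problems


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for constructed sample tokens."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"
```

Once `preflight` returns an empty list, the real exchange is `boto3.client("sts").assume_role_with_web_identity(RoleArn=..., RoleSessionName=..., WebIdentityToken=id_token)`, which returns the temporary credentials shown in the flow above.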

1

Hello,

If you are looking for a way to access AWS resources, then AWS IAM Identity Center is the answer; if you are looking to federate from another IdP such as Azure AD or GCP, Identity Center can be configured to federate users.

You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS IAM Identity Center (successor to AWS SSO) or AWS Identity and Access Management (IAM).

https://aws.amazon.com/identity/federation/

If you are looking for identity management using federated identities for your custom application, then Amazon Cognito is your solution: you will need to create a user pool, update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.

https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

AWS
Answered 1 year ago
