Is it possible to use a private S3 bucket for an OIDC provider?

1

Hi everyone,

I'm currently trying to find out, if it is possible to have a non public s3 bucket, which hosts the openid-connect and jwks files required for an open id connect provider?

So my end goal would be, that only the OIDC provider has access to the public s3 bucket.

Best, Patrick

已提問 2 年前檢視次數 1646 次
4 個答案
1

Hi,

Thank you for your answers! We want to integrate this while setup with an IAM identity provider. Are the IPs which query the endpoints well known? Or is there maybe a special principal we could allow access to the bucket (a bit like with the custom origin for cloudfront)?

Best, Patrick

已回答 2 年前
0

It depends on the definition of public bucket. You could use aws:sourceIp condition key in the bucket policy to allow only known IPs to access your bucket without authentication. In that sense, according to the AWS documentation, the bucket might not be considered anymore as public.

AWS
已回答 2 年前
0

Hi,

From the case notes I understand that you would like to know if it would be possible to have a public S3 bucket that only grants access to an OIDC provider.

It would be possible to scope down principals that can access a bucket however this would no longer be a public bucket as a public bucket would be one that can be accessed by any principal rather than only a specific one. The following would be examples of how you can restrict s3 access to a specific IPv4 or IPv6 address [1]. You can allow the specific IP address for your OIDC provider in order to limit access to only that provider.

I hope you have a great rest of your day!

References [1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-4

AWS
支援工程師
已回答 2 年前
0

Hi Patrick, Were you able to make this work? Thank you

已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南