AWS Assume Role Using Custom OIDC Provider

January 7, 2022  •  aws , iam , oidc

Goal is to assume an AWS role via a custom OIDC provider. It is based on a trust relationship between the OIDC provider and AWS account. Allows assume role without credentials.

Jenkins OIDC Provider

Enable assume Role directly from Jenkin using a Jenkins OIDC provider in the target AWS account (no IAM User credentials / access key/secret).

provide similar service for Jenkins as the following for gh actions aws-actions/configure-aws-credentials see also AWS federation comes to GitHub Actions

  1. create jenkins OIDC provider server. see pfeilbr/aws-custom-nodejs-oidc-provider-server-on-heroku
  2. create a jenkins OIDC provider in AWS account (AWS::IAM::OIDCProvider)
  3. jenkins job at start creates token (guid) and persists it - e.g. JENKINS_ID_TOKEN_REQUEST_TOKEN (github actions is called ACTIONS_ID_TOKEN_REQUEST_TOKEN)
  4. jenkins job issues assume role passing in JENKINS_ID_TOKEN_REQUEST_TOKEN - see https://github.com/aws-actions/configure-aws-credentials/blob/master/index.js#L93
  JenkinsOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://vstoken.jenkins.company.com
      ClientIdList: 
        - sts.amazonaws.com
      ThumbprintList:
        - a031c46782e6e6c662c2c87c76da9aa62ccabd8e
  • “sub” (Subject) Claim The “sub” (subject) claim identifies the principal that is the subject of the JWT
    • e.g. for github actions it’s repo:aidansteele/aws-federation-github-actions:ref:refs/heads/main
  • “aud” (Audience) Claim The “aud” (audience) claim identifies the recipients that the JWT is intended for.
    • e.g. for github actions it’s the repo url like https://github.com/aidansteele

Resources

share on
Twitter  •  Reddit