code for article pfeilbr/aws-assume-role-using-custom-oidc-provider-playground
The goal is to assume an AWS role via a custom OIDC provider. It is based on a trust relationship between the OIDC provider and the AWS account, which allows assuming the role without IAM user credentials.
Jenkins OIDC Provider
Enable assuming a role directly from Jenkins using a Jenkins OIDC provider registered in the target AWS account (no IAM user credentials / access key and secret).
The aim is to provide a similar service for Jenkins to what aws-actions/configure-aws-credentials provides for GitHub Actions; see also AWS federation comes to GitHub Actions.
- create a Jenkins OIDC provider server; see pfeilbr/aws-custom-nodejs-oidc-provider-server-on-heroku
- create a Jenkins OIDC provider in the AWS account (`AWS::IAM::OIDCProvider`)
- the Jenkins job, at start, creates a token (guid) and persists it, e.g. as `JENKINS_ID_TOKEN_REQUEST_TOKEN` (the GitHub Actions equivalent is called `ACTIONS_ID_TOKEN_REQUEST_TOKEN`); it could, for example, be persisted to a service at https://vstoken.jenkins.company.com (discovery document at https://vstoken.jenkins.company.com/.well-known/openid-configuration)
- the Jenkins job issues the assume-role call, passing in `JENKINS_ID_TOKEN_REQUEST_TOKEN`
  - see https://github.com/aws-actions/configure-aws-credentials/blob/master/index.js#L93
  - https://github.com/aws-actions/configure-aws-credentials/blob/master/index.js
  - https://github.com/aws-actions/configure-aws-credentials/blob/master/index.js#L268 - where `ACTIONS_ID_TOKEN_REQUEST_TOKEN` is used
  - Secure Communication Between Actions and App
```yaml
JenkinsOidc:
  Type: AWS::IAM::OIDCProvider
  Condition: CreateOIDCProvider
  Properties:
    Url: https://vstoken.jenkins.company.com
    ClientIdList:
      - sts.amazonaws.com
    ThumbprintList:
      - a031c46782e6e6c662c2c87c76da9aa62ccabd8e
```
- "sub" (Subject) Claim: the "sub" (subject) claim identifies the principal that is the subject of the JWT
  - e.g. for GitHub Actions it's `repo:aidansteele/aws-federation-github-actions:ref:refs/heads/main`
- "aud" (Audience) Claim: the "aud" (audience) claim identifies the recipients that the JWT is intended for
  - e.g. for GitHub Actions it's the repo URL, like `https://github.com/aidansteele`
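The role's trust policy is where the `sub` and `aud` claims above get enforced: a policy that only checks `aud` lets any token from the provider assume the role, while pinning `sub` restricts it to one job. The following is an added example, not code from this playground or from AWS; it evaluates a trust policy's `StringEquals`/`StringLike` conditions against decoded token claims, and the provider host, job names, subject format and policies are all constructed for illustration.

```javascript
// Added example, not the playground's own code: checks whether the claims of a decoded OIDC
// ID token satisfy the Condition block of a role trust policy the way AssumeRoleWithWebIdentity
// evaluates it. Provider host, claim values, job names and policies are all constructed.
const PROVIDER = "vstoken.jenkins.company.com"; // OIDCProvider Url without the https:// scheme
// IAM StringLike: '*' matches any run of characters, '?' matches exactly one.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// One condition block such as { "<provider>:aud": "sts.amazonaws.com" }: keys are ANDed,
// an array of values for one key is ORed, and a claim missing from the token never matches.
function conditionMatches(operator, block, claims) {
  return Object.entries(block).every(([key, allowed]) => {
    if (!key.startsWith(`${PROVIDER}:`)) return false; // key belongs to another provider/namespace
    const actual = claims[key.slice(PROVIDER.length + 1)];
    if (typeof actual !== "string") return false;
    const values = Array.isArray(allowed) ? allowed : [allowed];
    return values.some((v) =>
      operator === "StringEquals" ? actual === v : globToRegExp(v).test(actual)
    );
  });
}

// True if some Allow statement for AssumeRoleWithWebIdentity has every condition satisfied
// (Principal is assumed to already name this provider; Action is handled as a single string).
function trustPolicyAllows(policy, claims) {
  return policy.Statement.some((stmt) =>
    stmt.Effect === "Allow" &&
    stmt.Action === "sts:AssumeRoleWithWebIdentity" &&
    Object.entries(stmt.Condition || {}).every(([op, block]) => conditionMatches(op, block, claims))
  );
}
// Trust policy that only checks the audience: every token this provider issues passes.
const AUD_ONLY_POLICY = { Statement: [{ Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Condition: { StringEquals: { [`${PROVIDER}:aud`]: "sts.amazonaws.com" } } }] };
// Trust policy that also pins the subject to one Jenkins job on its main branch.
const SCOPED_POLICY = { Statement: [{ Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Condition: { StringEquals: { [`${PROVIDER}:aud`]: "sts.amazonaws.com" },
    StringLike: { [`${PROVIDER}:sub`]: "job:deploy-service:ref:refs/heads/main" } } }] };
// Constructed claims: a token for a different job, and one for the pinned deploy job.
const OTHER_JOB_CLAIMS = { iss: `https://${PROVIDER}`, aud: "sts.amazonaws.com",
  sub: "job:experimental-build:ref:refs/heads/feature" };
const DEPLOY_JOB_CLAIMS = { ...OTHER_JOB_CLAIMS, sub: "job:deploy-service:ref:refs/heads/main" };
console.log(trustPolicyAllows(AUD_ONLY_POLICY, OTHER_JOB_CLAIMS), trustPolicyAllows(SCOPED_POLICY, OTHER_JOB_CLAIMS));
```

Running it prints `true false`: the audience-only policy accepts the other job's token, the scoped policy rejects it.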
Resources
- aws-actions/configure-aws-credentials
- AWS federation comes to GitHub Actions
- pfeilbr/aws-custom-nodejs-oidc-provider-server-on-heroku
- Secure Communication Between Actions and App
- Deploy on AWS using Bitbucket Pipelines OpenID Connect
- Bitbucket / Ben Kehoe Twitter Thread