We (Mozilla Enterprise Information Security team) are encountering a challenge when trying to connect AWS with our identity provider (Auth0) when calling iam:AssumeRoleWithWebIdentity.
We've set up an AWS IAM Identity Provider:
- ARN: arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/
- Provider type: OIDC
- Provider URL: auth-dev.mozilla.auth0.com/
- Audience: xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT
And created an IAM Role with a Trust Relationship policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "auth-dev.mozilla.auth0.com/:aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT"
        }
      }
    }
  ]
}
When we call the sts.amazonaws.com endpoint with these parameters:
  'Action': 'AssumeRoleWithWebIdentity',
  'RoleArn': 'arn:aws:iam::656532927350:role/gene-test-federated-role-mozlando',
  'RoleSessionName': 'federated-boto-gene',
  'WebIdentityToken': 'id token goes here',
  'Version': '2011-06-15'
and pass an OIDC ID Token containing these values in the WebIdentityToken parameter:
{
  "https://sso.mozilla.com/claim/AAL": "MEDIUM",
  "iss": "https://auth-dev.mozilla.auth0.com/",
  "sub": "ad|Mozilla-LDAP-Dev|gene",
  "aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT",
  "iat": 1544218355,
  "exp": 1544254355
}
We get success and are issued AWS STS API keys.
If, however, following this AWS doc, we pass an oaud claim (as oaud is one of the 3 allowed claims to pass), things don't work.
If we instead set our IAM Trust Relationship Policy to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "auth-dev.mozilla.auth0.com/:aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT",
          "auth-dev.mozilla.auth0.com/:oaud": "authenticated"
        }
      }
    }
  ]
}
and pass a WebIdentityToken with these values:
{
  "https://sso.mozilla.com/claim/AAL": "MEDIUM",
  "oaud": "authenticated",
  "iss": "https://auth-dev.mozilla.auth0.com/",
  "sub": "ad|Mozilla-LDAP-Dev|gene",
  "aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT",
  "iat": 1544218355,
  "exp": 1544254355
}
calling AssumeRoleWithWebIdentity results in Access Denied.
We've tried this with other claims beyond oaud as well, with no luck. We've confirmed that sub is passed through and we can compare against it.
Why does oaud not work? How can we pass a claim through that we can use in our policy condition without overloading/replacing aud or sub, the two claims we've found we can use in our policy conditions?