We (Mozilla Enterprise Information Security team) are encountering a challenge with trying to connect AWS with our identity provider (Auth0) when calling iam:AssumeRoleWithWebIdentity
We've set up an AWS IAM Identity Provider:
- ARN: arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/
- Provider type: OIDC
- Provider URL: auth-dev.mozilla.auth0.com/
- Audience: xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT
and created an IAM Role with a Trust Relationship policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"auth-dev.mozilla.auth0.com/:aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT"
}
}
}
]
}
When we call the sts.amazonaws.com endpoint with these parameters:
'Action': 'AssumeRoleWithWebIdentity',
'RoleArn': 'arn:aws:iam::656532927350:role/gene-test-federated-role-mozlando',
'RoleSessionName': 'federated-boto-gene',
'WebIdentityToken': 'id token goes here',
'Version': '2011-06-15'
and pass an OIDC ID Token containing these values in the WebIdentityToken parameter:
{
"https://sso.mozilla.com/claim/AAL": "MEDIUM",
"iss": "https://auth-dev.mozilla.auth0.com/",
"sub": "ad|Mozilla-LDAP-Dev|gene",
"aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT",
"iat": 1544218355,
"exp": 1544254355
}
We get success and are issued AWS STS API Keys.
If, however, following this AWS doc, we pass an oaud claim (as oaud is one of the 3 allowed claims to pass), things don't work.
If we instead set our IAM Trust Relationship Policy to:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::656532927350:oidc-provider/auth-dev.mozilla.auth0.com/"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"auth-dev.mozilla.auth0.com/:aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT",
"auth-dev.mozilla.auth0.com/:oaud": "authenticated"
}
}
}
]
}
and pass a WebIdentityToken with these values:
{
"https://sso.mozilla.com/claim/AAL": "MEDIUM",
"oaud": "authenticated",
"iss": "https://auth-dev.mozilla.auth0.com/",
"sub": "ad|Mozilla-LDAP-Dev|gene",
"aud": "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT",
"iat": 1544218355,
"exp": 1544254355
}
calling AssumeRoleWithWebIdentity results in Access Denied.
We've tried this with other claims beyond oaud as well with no luck. We've confirmed that sub is passed through and we can compare against it.
Why does oaud not work? How can we pass a claim through that we can use in our policy condition without overloading/replacing aud or sub, the two claims we've found we can use in our policy conditions?
I had the same issue and solved it by using the azp claim (I had to read thoroughly https://docs.aws.amazon.com/en_en/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_aud). So in your example the WebIdentityToken would be:
Then, in the trust relationship policy:
It will also be required to add the some-unique-identifier to the Audience list in the OIDC provider configuration in IAM.
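To make the two outcomes in this thread reproducible offline, here is an added example (not code from the original question, the answer, or AWS) that models how the ID-token claims become trust-policy condition keys and evaluates the three policies above against matching tokens. It assumes, as the thread and the linked IAM doc indicate, that only aud, azp and sub are exposed as `<provider>:<claim>` condition keys for an OIDC provider, and that aud (and azp when present) must be registered in the identity provider's Audience list; the tokens are constructed, unsigned fixtures, since STS's signature check against the provider's JWKS is outside what this example models. The names `make_unsigned_token`, `request_context`, `evaluate_trust_policy` and `run_scenarios` are this example's own.

```python
import base64
import json

# Values taken from the thread.
PROVIDER_HOST = "auth-dev.mozilla.auth0.com/"
IDP_ARN = "arn:aws:iam::656532927350:oidc-provider/" + PROVIDER_HOST
CLIENT_ID = "xRFzU2bj7Lrbo3875aXwyxIArdkq1AOT"
AZP_VALUE = "some-unique-identifier"  # the answer's placeholder azp value

# Claims exposed to the trust policy as '<provider>:<claim>' condition keys.
# Assumption drawn from the thread and the linked IAM doc: 'oaud' and custom
# namespaced claims such as 'https://sso.mozilla.com/claim/AAL' are NOT here.
MAPPED_CLAIMS = ("aud", "azp", "sub")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed fixture: compact JWT with alg=none and an empty signature.
    STS only accepts tokens signed by the provider's keys; this exists so the
    example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def request_context(claims: dict) -> dict:
    """Only mapped claims become condition keys; everything else is dropped,
    so a StringEquals on ':oaud' has no key to match against."""
    return {f"{PROVIDER_HOST}:{c}": claims[c] for c in MAPPED_CLAIMS if c in claims}


def evaluate_trust_policy(policy: dict, token: str, idp_audiences: set) -> bool:
    """True if, under this model, the role trust policy allows
    AssumeRoleWithWebIdentity with the given token."""
    claims = decode_jwt_payload(token)
    # aud, and azp when present, must be in the IAM identity provider's
    # Audience list (the answer's note about adding the azp value there).
    if claims.get("aud") not in idp_audiences:
        return False
    if "azp" in claims and claims["azp"] not in idp_audiences:
        return False
    ctx = request_context(claims)
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow"
                or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity"
                or stmt.get("Principal", {}).get("Federated") != IDP_ARN):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # A StringEquals on a key absent from the request context is false.
        if all(ctx.get(key) == value for key, value in wanted.items()):
            return True
    return False


def trust_policy(conditions: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": IDP_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": conditions}}]}


BASE_CLAIMS = {"iss": "https://" + PROVIDER_HOST, "sub": "ad|Mozilla-LDAP-Dev|gene",
               "aud": CLIENT_ID, "iat": 1544218355, "exp": 1544254355}

POLICY_AUD = trust_policy({PROVIDER_HOST + ":aud": CLIENT_ID})
POLICY_OAUD = trust_policy({PROVIDER_HOST + ":aud": CLIENT_ID,
                            PROVIDER_HOST + ":oaud": "authenticated"})
POLICY_AZP = trust_policy({PROVIDER_HOST + ":aud": CLIENT_ID,
                           PROVIDER_HOST + ":azp": AZP_VALUE})

TOKEN_AUD = make_unsigned_token(BASE_CLAIMS)
TOKEN_OAUD = make_unsigned_token({**BASE_CLAIMS, "oaud": "authenticated"})
TOKEN_AZP = make_unsigned_token({**BASE_CLAIMS, "azp": AZP_VALUE})


def run_scenarios() -> dict:
    """The situations from the thread, keyed by name."""
    return {
        "aud_only": evaluate_trust_policy(POLICY_AUD, TOKEN_AUD, {CLIENT_ID}),
        "oaud_condition": evaluate_trust_policy(POLICY_OAUD, TOKEN_OAUD, {CLIENT_ID}),
        "azp_registered": evaluate_trust_policy(POLICY_AZP, TOKEN_AZP, {CLIENT_ID, AZP_VALUE}),
        "azp_not_registered": evaluate_trust_policy(POLICY_AZP, TOKEN_AZP, {CLIENT_ID}),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:20s} {'allowed' if allowed else 'AccessDenied'}")
```

Running it shows the aud-only policy allowed, the oaud policy denied (the key never enters the request context, so the condition cannot be satisfied), the azp policy allowed once the azp value is in the provider's Audience list, and denied when it is not. The check to carry over to a real deployment is the last one: add the azp value to the IAM identity provider's audiences before expecting the policy condition to pass.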