AWS Session Tags with OIDC Federation

aws_federation_with_tags.md

AWS Session Tags with OIDC Federation

Snippet demonstrating how to setup AWS Federation for an OIDC provider which checks "custom claims" as session Tags

With this, you can define an AWS Trust Relationship for a role where you specify a custom claim.

Normally, AWS OIDC federation only allows you to set/use a very limited set of fields like aud:, sub:.

What this allows for is a very limited custom claim validation...i'm saying very limited because you apparently have to use the precise claim name aws looks for...

• Passing session tags in AWS STS
• Available keys for AWS web identity federation
• env0 OIDC With AWS

---

Essentially, if your OIDC JWT token contains the following claim:

  "aud": "https://some_audience",
  "sub": "alice@domain.com",
  "https://aws.amazon.com/tags": {
    "principal_tags": {
        "hwmodel2": ["GCP_AMD_SEV"],
        "someotherkey": ["bar"]
    },
    "transitive_tag_keys": [ "hwmodel2", "someotherkey" ]
  }

You can define an AWS Trust Policy like the following which will look for the "custom claim" which is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::291738886548:oidc-provider/idp-on-cloud-run-3kdezruzua-uc.a.run.app"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "idp-on-cloud-run-3kdezruzua-uc.a.run.app:aud": "https://some_audience",
                    "aws:RequestTag/hwmodel2": [
                        "GCP_AMD_SEV"
                    ],
                    "idp-on-cloud-run-3kdezruzua-uc.a.run.app:sub": "alice@domain.com"
                }
            }
        }
    ]
}

its all kind of limited in use since the JWT token has to have this setup anyway

---

The following sets up a sample usage using a DIY OIDC server.

NOTE Needsless to say, this is a public fake oidc server i just setup to test. If you set this up as-is below, remember to remove or disable the settings in AWS!!

git clone https://github.com/salrashid123/diy_oidc.git
cd diy_oidc
## edit templates/jwt.tmpl and add in the claims as shown below

{
  "aud": "$AUD",
  "exp": $EXP,
  "iat": $IAT,
  "iss": "$ISS",
  "nbf": $IAT,
  "sub": "$SUB",
  "name": "$NAME",
  "isadmin": "true",
  "mygroups": [
    "group1",
    "group2"
  ],
  "email": "$EMAIL",
  "email_verified": true,
  "https://aws.amazon.com/tags": {
    "principal_tags": {
        "hwmodel2": ["GCP_AMD_SEV"],
        "someotherkey": ["bar"]
    },
    "transitive_tag_keys": [ "hwmodel2", "someotherkey" ]
  }
}

cd diy_oidc
export URL="https://idp-on-cloud-run-3kdezruzua-uc.a.run.app"

export IAT=`date -u +%s`
export EXP=`date -u +%s -d "+36000000 seconds"`
export EMAIL="alice@domain.com"
export SUB="alice@domain.com"
export ISS=$URL
export NAME="alice"
export AUD="https://some_audience"
envsubst < "templates/jwt.tmpl" > "/tmp/jwt.json"

export JWT_TOKEN=`curl -s -X POST -d @/tmp/jwt.json  $URL/token?kid=rsaKeyID_1`
echo $JWT_TOKEN

to use this you need to configure an OIDC provider. Since this is a test, i used the diy_oidc described above

the .well-known url for that is:

• https://idp-on-cloud-run-3kdezruzua-uc.a.run.app/.well-known/openid-configuration

to remephasize, the diy-oidc is just for test and is public...once you finish the test, remove the config

AWS Provider

AWS Role

AWS Trust Relationship

echo -n $JWT_TOKEN > token.txt
curl -s "https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleSessionName=app1&RoleArn=arn:aws:iam::291738886548:role/cicps3role&WebIdentityToken=$JWT_TOKEN&Version=2011-06-15&alt=json"

<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Audience>https://some_audience</Audience>
    <AssumedRoleUser>
      <AssumedRoleId>AROAUH3H6EGKDE7GWMPWA:app1</AssumedRoleId>
      <Arn>arn:aws:sts::291738886548:assumed-role/cicps3role/app1</Arn>
    </AssumedRoleUser>
    <Provider>arn:aws:iam::291738886548:oidc-provider/idp-on-cloud-run-3kdezruzua-uc.a.run.app</Provider>
    <Credentials>
      <AccessKeyId>ASIAUH3H6EGKF332XNYD</AccessKeyId>
      <SecretAccessKey>rcRMTW2whO6EznhDN3gb3EZuoLOzeoredacted</SecretAccessKey>
      <SessionToken>FwoGZXIvYXdzEHUaDBQyGJ2HPaoN5pGKcSKKA7atPddRf28sNRxKWsXw/pKHUBHlkgbFl7G1Dk1r8lsByoDlSGCdrsCKBBan/Y4t9gTqlQEQvhPmbaMoBPR+ID67VmiwQvMP8SaYYTmjw4FxzjD/NeHAZ34rvK53+MUwhTGLeWBWGfNLqWeLUqK6Rk5Sy4F4eKM5I5FcDLAw5dkUdg/twncTMJnKO50zwn3V3gOyLVfqhir0It0b2m5nDM4aVJvwLlSA7iDnNl1vBagpjb+6dznLbagxSv52n90gb8vSbn2FjJ0aOsE8Ynek2yVMx8VTWl6KEIljo1/4h5spWn5KY0FOtb5L4SRmTskz2LjX0rLxj8QTCvCXQNM5lM6aUxo+kmZJOMz70NbopLQKELhnASXvxa7Tef95Xq/6mC/y3wfyv6FH1kuJ0gUQ1A2uetCtBSK2vac2bhejL4xXYQfzPEROCZB+5+K+s4CT0QaC9DR3pk2M3gSJ93vCxG5vnxKlk3W/zbjwlPfmea2U1jLqgwDFCMbdgDkGl5y37ec+7WtBh0E+Hjko4L3uqQYyJKZyAKlfEtrDhfbWYQJ38f28up6FNV2D2redacted</SessionToken>
      <Expiration>2023-10-27T12:28:32Z</Expiration>
    </Credentials>
    <PackedPolicySize>8</PackedPolicySize>
    <SubjectFromWebIdentityToken>alice@domain.com</SubjectFromWebIdentityToken>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata>
    <RequestId>5b5eeb69-4b24-4577-af27-a5afc9aa1813</RequestId>
  </ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>

echo -n $JWT_TOKEN > token.txt
export AWS_WEB_IDENTITY_TOKEN_FILE=token.txt
export AWS_ROLE_ARN="arn:aws:iam::291738886548:role/cicps3role"
export AWS_ROLE_SESSION_NAME=mysession

aws s3 ls mineral-minutia --region us-east-2
  2020-08-09 22:52:08        411 README.md
  2020-11-02 19:16:00          3 foo.txt