@wvanderdeijl
Last active January 12, 2024 16:32
Google Cloud service account to AWS Role federation

inspired by https://github.com/shrikant0013/gcp-aws-webidentityfederation

  1. create an AWS Role configured for Web Identity federation using Cognito or any OpenID provider
  2. select Google as the Identity provider in the wizard
  3. set the audience to a dummy value and do not add any additional conditions in the setup wizard. We will edit the trust policy after completing the wizard.
  4. assign any permissions needed to the role
  5. Read up on "Available keys for AWS web identity federation" at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html. What it comes down to is that the ID tokens Google issues for service accounts carry an azp claim (the numeric unique ID of the service account), and that changes how AWS maps the condition keys: accounts.google.com:aud is compared against the token's azp claim, and accounts.google.com:oaud against its aud claim. The token's sub claim also holds the numeric ID of the service account. So, for the tightest binding, restrict aud, azp and sub by editing the trust relationship of the AWS role (the Null conditions additionally require those claims to be present in the token). Note that this pins the role to the service account's unique ID rather than its email: a service account deleted and recreated under the same name gets a new ID and can no longer assume the role, which is usually what you want.
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Federated": "accounts.google.com"
           },
           "Action": "sts:AssumeRoleWithWebIdentity",
           "Condition": {
             "StringEquals": {
               "accounts.google.com:aud": "100018646976219416293",
               "accounts.google.com:sub": "100018646976219416293",
               "accounts.google.com:oaud": "http://aws.skunk.team"
             },
             "Null": {
               "accounts.google.com:aud": "false",
               "accounts.google.com:oaud": "false"
             }
           }
         }
       ]
     }
  6. Next, get an ID token for the service account (the metadata server issues one when running inside Google Cloud) or test locally with the gcloud CLI. The --audiences value must equal the oaud value in the trust policy, and the impersonated service account's numeric ID must equal the aud and sub values. The sts call itself is unsigned, so no AWS credentials are needed beforehand:
    aws sts assume-role-with-web-identity \
        --role-arn arn:aws:iam::999999999999:role/federation-from-google \
        --role-session-name my-session \
        --web-identity-token $(gcloud auth print-identity-token \
            --audiences=http://aws.skunk.team \
            --impersonate-service-account my-service-account0@my-project.iam.gserviceaccount.com \
            --include-email)
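The following script is an added example and is not part of the original gist. It wires the two token sources together (the GCE metadata server when running inside Google Cloud, gcloud impersonation otherwise), pre-flights the aud/azp/sub claims the trust policy above compares against before calling STS, and exports the returned credentials. The role ARN, audience and service-account ID are the placeholder values from the gist, not real ones; GCP_SA_EMAIL is an assumed environment variable, and the claim check only parses the token (STS verifies the signature against Google's keys).

```shell
#!/bin/sh
# Added example, not part of the original gist. Placeholder values below (role ARN,
# audience, service-account id) are the ones used in the gist text, not real ones.
set -eu

AWS_ROLE_ARN="arn:aws:iam::999999999999:role/federation-from-google"
TOKEN_AUDIENCE="http://aws.skunk.team"   # must equal the trust policy's oaud value
EXPECTED_SA_ID="100018646976219416293"    # numeric SA id: aud (=azp) and sub in the policy

# base64url (RFC 7515) helpers: swap the URL-safe alphabet and restore padding.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr -- '+/' '-_'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# JWT payload = second dot-separated segment. No signature check here: STS verifies
# the signature against Google's keys; this is only a pre-flight on the claims.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Pull one top-level string claim out of the compact JSON Google emits.
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# Succeeds only if the token carries the exact aud/azp/sub the trust policy compares
# against (AWS maps accounts.google.com:oaud -> aud, :aud -> azp, :sub -> sub).
check_claims() {
  for pair in "aud=$TOKEN_AUDIENCE" "azp=$EXPECTED_SA_ID" "sub=$EXPECTED_SA_ID"; do
    claim=${pair%%=*}; want=${pair#*=}; got=$(jwt_claim "$1" "$claim")
    [ "$got" = "$want" ] || { echo "claim $claim is '$got', expected '$want'" >&2; return 1; }
  done
}

# Inside Google Cloud the metadata server mints the token for the attached SA;
# format=full adds the email claim (what --include-email does in gcloud).
metadata_id_token() {
  curl -sf -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=$TOKEN_AUDIENCE&format=full"
}

# Outside Google Cloud: impersonate the SA with gcloud, as in the gist.
# GCP_SA_EMAIL is an assumed environment variable holding the SA email address.
gcloud_id_token() {
  gcloud auth print-identity-token --audiences="$TOKEN_AUDIENCE" \
    --impersonate-service-account "${GCP_SA_EMAIL:?set GCP_SA_EMAIL}" --include-email
}

# Exchange the ID token for temporary AWS credentials; prints key, secret, token.
assume_role() {
  aws sts assume-role-with-web-identity \
    --role-arn "$AWS_ROLE_ARN" --role-session-name "gcp-sa-$(date +%s)" \
    --web-identity-token "$1" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
}

main() {
  tok=$(metadata_id_token 2>/dev/null || gcloud_id_token)
  check_claims "$tok"
  set -- $(assume_role "$tok")
  export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3
  aws sts get-caller-identity
}

# The network steps only run when invoked as: sh gcp-to-aws.sh run
if [ "${1:-}" = run ]; then main; fi
```

Running check_claims before the STS call turns a policy mismatch into a readable local error instead of the generic AccessDenied STS returns when aud, azp or sub do not match the trust relationship.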
    