inspired by https://github.com/shrikant0013/gcp-aws-webidentityfederation
- create an AWS Role configured for Web Identity federation using Cognito or any OpenID provider
- select Google as the Identity provider in the wizard
- set the audience to a dummy value and do not add any additional conditions in the setup wizard. We will edit the trust policy after completing the wizard.
- assign any permissions needed to the role
- read up on "Available keys for AWS web identity federation" at
  https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html
  What it comes down to is that the id-tokens that we will be using for Google service accounts include an `azp` claim (with the numeric id of the Google service account). This changes the behavior of the trust policy restrictions. A condition on `accounts.google.com:aud` will map to the `azp` claim from the token, and a condition on `accounts.google.com:oaud` will map to the `aud` claim of the token. We know the id-token for a service account will also include a `sub` claim with the numeric id of the Google service account. So, for the best security we restrict the `aud`, `azp` and `sub` claims by editing the trust relationship of the AWS role:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Federated": "accounts.google.com" },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "accounts.google.com:aud": "100018646976219416293",
            "accounts.google.com:sub": "100018646976219416293",
            "accounts.google.com:oaud": "http://aws.skunk.team"
          },
          "Null": {
            "accounts.google.com:aud": "false",
            "accounts.google.com:oaud": "false"
          }
        }
      }
    ]
  }
  ```
- Next, you can get an id-token for your service account when running in the Google cloud, or test locally with the `gcloud` cli:

  ```shell
  aws sts assume-role-with-web-identity \
    --role-arn arn:aws:iam::999999999999:role/federation-from-google \
    --role-session-name my-session \
    --web-identity-token "$(gcloud auth print-identity-token \
      --audiences=http://aws.skunk.team \
      --impersonate-service-account my-service-account0@my-project.iam.gserviceaccount.com \
      --include-email)"
  ```
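The trust policy above only works if the token's `azp`, `aud` and `sub` claims line up with the condition keys the way the note describes (`accounts.google.com:aud` -> `azp`, `accounts.google.com:oaud` -> `aud`, `accounts.google.com:sub` -> `sub`). The script below is an added pre-flight check, not part of the original note or of any AWS or Google tooling: it decodes the payload of an id-token, applies the policy's `StringEquals` and `Null` conditions using that mapping, and reports which condition would reject the token before you make the `sts` call. It assumes the claim mapping is exactly as the note states, it does not verify the token signature or expiry (STS does that), and the three sample tokens are constructed stand-ins with the note's own ids and audience, not real Google tokens.

```python
import base64
import json

# The trust policy from the note above (ids and audience are the note's values).
TRUST_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "accounts.google.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "accounts.google.com:aud": "100018646976219416293",
        "accounts.google.com:sub": "100018646976219416293",
        "accounts.google.com:oaud": "http://aws.skunk.team" },
      "Null": {
        "accounts.google.com:aud": "false",
        "accounts.google.com:oaud": "false" } } } ] }
""")

# Mapping of the Google condition keys onto id-token claims, as the note
# describes it for tokens that carry an azp claim (service-account tokens).
KEY_TO_CLAIM = {
    "accounts.google.com:aud": "azp",
    "accounts.google.com:oaud": "aud",
    "accounts.google.com:sub": "sub",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is deliberately not
    checked here: STS verifies it against Google's keys; this is only a
    pre-flight look at the claims before the sts call."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_trust_policy(policy: dict, claims: dict) -> list:
    """Return the list of condition failures for this token; an empty list
    means every StringEquals and Null condition in the policy is satisfied."""
    failures = []
    for stmt in policy["Statement"]:
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        for key, expected in cond.get("StringEquals", {}).items():
            claim = KEY_TO_CLAIM[key]
            actual = claims.get(claim)
            if actual != expected:
                failures.append(
                    f"StringEquals {key} (token claim '{claim}'): "
                    f"expected {expected!r}, token has {actual!r}")
        for key, want_null in cond.get("Null", {}).items():
            claim = KEY_TO_CLAIM[key]
            is_null = claim not in claims
            if is_null != (want_null == "true"):
                failures.append(
                    f"Null {key} (token claim '{claim}'): policy wants "
                    f"null={want_null}, token claim is "
                    f"{'absent' if is_null else 'present'}")
    return failures


def _constructed_jwt(claims: dict) -> str:
    # Builds an unsigned stand-in token for offline testing only; a real
    # id-token comes from `gcloud auth print-identity-token` and is signed.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample tokens (not real Google tokens).
SA_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "http://aws.skunk.team",
    "azp": "100018646976219416293",
    "sub": "100018646976219416293",
    "email": "my-service-account0@my-project.iam.gserviceaccount.com",
    "email_verified": True,
}
GOOD_TOKEN = _constructed_jwt(SA_CLAIMS)
# Same service account, but the token was minted for another audience.
WRONG_AUDIENCE_TOKEN = _constructed_jwt({**SA_CLAIMS, "aud": "https://other.example"})
# A token without azp: accounts.google.com:aud then has nothing to match.
NO_AZP_TOKEN = _constructed_jwt({k: v for k, v in SA_CLAIMS.items() if k != "azp"})


if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("wrong audience", WRONG_AUDIENCE_TOKEN),
                      ("no azp", NO_AZP_TOKEN)]:
        problems = evaluate_trust_policy(TRUST_POLICY, jwt_claims(tok))
        print(name, "->", "would be allowed" if not problems else problems)
```

To check a real token, pass the output of the `gcloud auth print-identity-token ...` command above to `jwt_claims` and feed the result to `evaluate_trust_policy` with your own trust policy JSON; a non-empty failure list tells you which claim to fix (most often `--audiences` not matching `accounts.google.com:oaud`) without a round trip to STS.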