I'm looking for advice on the best way to handle authentication for our service users that interact with AWS and Azure. We're currently automating the rotation of access and secret keys for IAM service users, but I'm wondering if there's a better solution available. Specifically, I'm interested in whether I could use Azure Arc and Microsoft Entra ID to configure an OIDC identity provider between AWS and Azure, which would eliminate the need for the long-lived secret keys. I've heard about AWS IAM Anywhere as well. Is there a standard pattern that I should follow for authentication, or am I overthinking this and should just stick with automating key rotation?
5 Answers
Consider checking out IAM Anywhere to ditch those long-lived keys. Many SaaS providers also support IAM Roles for account authentication instead of access keys. Standardizing your authentication is smart, but sometimes different environments might require slightly different setups to function optimally.
If you're using Octopus Deploy, remember that when you configure IAM Roles, it automatically calls the STS assume role behind the scenes. Also, note that your on-prem setup will need to have access to the public internet for OIDC to work.
Using OIDC with AWS STS is definitely a better approach than relying on access keys. It simplifies key management by removing the necessity of key rotation altogether.
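To make the OIDC-to-STS exchange concrete, here is an added example (not code from this thread or from AWS or Microsoft) using only the Python standard library. It builds the IAM role trust policy that pins the Entra ID issuer, audience and subject, sanity-checks a token's claims locally before the network call, and performs the unsigned `AssumeRoleWithWebIdentity` request, parsing the short-lived credentials out of the STS XML response. The tenant ID, account ID, audience and subject are placeholders; the issuer form assumed is the Entra v2.0 one, so check the `iss` claim of a real token and register the IAM OIDC provider under exactly that URL. Fetching the token from Azure is not shown: on an Azure VM it comes from the managed identity endpoint, and Azure Arc servers use a different local endpoint.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

def entra_issuer(tenant_id):
    # Issuer form used in Entra ID v2.0 tokens (assumption). v1.0 tokens carry
    # https://sts.windows.net/<tenant>/ instead; whichever form appears in the
    # iss claim of a real token is the URL the IAM OIDC provider must be created with.
    return "https://login.microsoftonline.com/%s/v2.0" % tenant_id

def oidc_provider_arn(account_id, issuer):
    # AWS names the IAM OIDC provider after the issuer URL with the scheme removed;
    # the same string prefixes the condition keys in the trust policy.
    return "arn:aws:iam::%s:oidc-provider/%s" % (account_id, issuer.split("://", 1)[1])

def build_trust_policy(account_id, issuer, audience, subject):
    """Trust policy allowing one Entra identity (sub) to assume the role, and only
    with a token minted for our audience. Without both conditions any principal in
    the tenant that can obtain a token from this issuer could assume the role."""
    key_prefix = issuer.split("://", 1)[1]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn(account_id, issuer)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                key_prefix + ":aud": audience,
                key_prefix + ":sub": subject,
            }},
        }],
    }

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_test_token(claims):
    # Test fixture only (constructed): a JWT with a dummy signature so check_token
    # can be exercised offline. STS would reject it; real tokens come from Entra ID.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return "%s.%s.%s" % (header, enc(json.dumps(claims).encode()), enc(b"not-a-signature"))

def decode_jwt_claims(token):
    # Payload only. The signature is NOT checked here: STS validates it against the
    # issuer's published JWKS, so this is a local sanity check, not a trust decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def check_token(token, issuer, audience, now=None):
    """Fail before calling STS if the token would be rejected anyway (wrong issuer or
    audience, or already expired); the local error is clearer than the STS one."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: %r" % aud)
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

# Constructed sample of the STS response shape, used to exercise the parser offline.
SAMPLE_STS_RESPONSE = (
    b'<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
    b"<AssumeRoleWithWebIdentityResult><Credentials><AccessKeyId>ASIAEXAMPLE</AccessKeyId>"
    b"<SecretAccessKey>secret</SecretAccessKey><SessionToken>tok</SessionToken>"
    b"<Expiration>2024-01-01T00:00:00Z</Expiration></Credentials>"
    b"</AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>")

def parse_sts_credentials(xml_bytes):
    root = ET.fromstring(xml_bytes)
    creds = root.find("%sAssumeRoleWithWebIdentityResult/%sCredentials" % (STS_NS, STS_NS))
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    return {k: creds.findtext(STS_NS + k)
            for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}

def assume_role_with_web_identity(role_arn, token, session_name, region="us-east-1", duration=3600):
    """Exchange the Entra token for temporary AWS credentials. This STS action is
    unsigned because the JWT itself is the credential, so a plain HTTPS POST works."""
    body = urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "WebIdentityToken": token, "DurationSeconds": str(duration),
    }).encode()
    req = urllib.request.Request("https://sts.%s.amazonaws.com/" % region, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sts_credentials(resp.read())

if __name__ == "__main__":
    # Hypothetical tenant, account and audience; replace with your own values.
    tenant, account, audience = "11111111-2222-3333-4444-555555555555", "123456789012", "api://aws-federation"
    print(json.dumps(build_trust_policy(account, entra_issuer(tenant), audience, "<entra-object-id>"), indent=2))
```

The credentials STS returns expire at `Expiration` (one hour by default), so the client simply repeats the exchange when they lapse; nothing long-lived is ever stored on the caller. Note that the STS endpoint still has to be reachable from wherever the token is presented, which is the on-prem internet-access point raised above.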
Roles are your go-to option here. Utilizing AWS roles will address your concern about long-lived keys and make authentication smoother.
You're on the right path! Having a centralized identity provider is much better than managing credentials locally. It reduces the risk of credentials being mishandled or leaked across your environments.
