Hey everyone, I'm looking for the simplest method to obtain an OpenID Connect (OIDC) ID token that matches AWS session credentials. As far as I know, STS itself doesn't provide an endpoint to retrieve an ID token where the role name is part of the subject ('sub') field. I need this for setting up a trust relationship in an external system that will utilize the 'sub' in the ID token. Thanks in advance!
2 Answers
If your external system is set up for federation and can handle OIDC credentials, then you'll want to look into using the IAM Identity Center. For instance, there are some great docs that explain how to use GitHub's OIDC for identity federation with AWS resources. Check this out for more details: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
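Whichever provider ends up issuing the token, the trust relationship in the external system is only as strong as the checks it applies before acting on `sub`. The following is an added example, not code from this thread or from AWS or GitHub, showing those checks in Python: it pins the signing algorithm, verifies the signature, and requires the expected issuer, the expected audience, an unexpired `exp`, and a `sub` that matches an allowed pattern. It assumes an HS256 shared secret so that it runs offline (real OIDC providers sign with RS256 and publish their keys through a JWKS endpoint); the issuer URL, audience, account id and role names are constructed placeholders.

```python
"""Claim validation an OIDC relying party should apply before trusting `sub`.
Added example; assumes HS256 with a shared secret so it runs offline.
Real providers use RS256 with keys fetched from the issuer's JWKS endpoint."""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed placeholders, not values from any real deployment.
SECRET = b"constructed-shared-secret"
ISSUER = "https://oidc.example.invalid"
AUDIENCE = "external-system"
# Only role ARNs under one (placeholder) account and name prefix are trusted.
ROLE_SUB_PATTERN = r"arn:aws:iam::123456789012:role/Deploy-[A-Za-z0-9]+"
FIXED_NOW = 1_700_000_000  # fixed clock so expiry checks are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for testing; stands in for a real provider."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenRejected(Exception):
    """Raised with the reason a token failed validation."""


def verify_id_token(token: str, secret: bytes, expected_iss: str,
                    expected_aud: str, sub_pattern: str,
                    now: Optional[float] = None) -> dict:
    """Return the claims only if signature, issuer, audience, expiry and
    subject all pass; a `sub` is meaningful only from the expected issuer."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    # Pin the algorithm we provisioned; never let the token's header choose
    # (this also rejects alg "none").
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    now = FIXED_NOW if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("expired")
    if not re.fullmatch(sub_pattern, str(claims.get("sub", ""))):
        raise TokenRejected("subject not allowed")
    return claims


def check(token: str, secret: bytes = SECRET) -> str:
    """Report 'accepted' or the rejection reason for a token."""
    try:
        verify_id_token(token, secret, ISSUER, AUDIENCE, ROLE_SUB_PATTERN, FIXED_NOW)
        return "accepted"
    except TokenRejected as e:
        return str(e)


if __name__ == "__main__":
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": FIXED_NOW + 300,
                       "sub": "arn:aws:iam::123456789012:role/Deploy-Prod"}, SECRET)
    print(check(good))  # accepted
```

Every rejection branch is a distinct failure mode worth logging separately in the relying party: a wrong audience usually means a token issued for some other consumer is being replayed, while a `sub` outside the allowed pattern means a valid identity from the right issuer is asking for access it was not granted.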
You should definitely check out AWS Cognito! It can help you manage user pools and allow you to get ID tokens easily. Here's a link to the docs: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
That sounds great! But how do I actually exchange my IAM role session credentials for a Cognito ID token? Do I need to configure something for each role ARN in Cognito?
Actually, that's not quite the case for me. I can set up a trust relationship to any OIDC provider in the external system. In my scenario, I'm aiming to get an ID token from an AWS service that encodes the role ARN as the subject, similar to what GitHub provides.