Assume roles in AWS using an OpenID Connect identity provider.
It is intended to be used as a credentials_process in ~/.aws/config that outputs temporary AWS credentials in a JSON format.
Add the following to ~/.aws/config:
[profile default]
region = us-east-1
credential_process = /Users/jeremy/projects/aws-oidc/aws-oidc auth google
And configure aws-oidc by creating ~/.aws-oidc/config and setting the role_arn and client_id:
region = "us-east-1"
[[AuthProvider]]
name = "google"
role_arn = "arn:aws:iam::0123456789012:role/your-role-name"
duration = 900
provider_url = "https://accounts.google.com"
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET" # only specify this if your OIDC provider requires it even when using PKCE
agent = ["open", "-b", "com.google.chrome"]
Then you can assume the role using the AWS cli:
aws sts get-caller-identity
Most AWS SDK implementations should be able to use the credential_process configuration, including:
- aws-sdk-go
- aws-cli
- boto3
Use the login command to exchange the temporary credentials with an AWS Console login URL
aws-oidc login
Open chrome://version/ in the Chrome profile you want to authenticate in, and make a note of the last part of the profile path.
Update the agent option with the path in your ~/.aws-oidc/config file:
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Profile 1", "{}"]
Add the profiles for each role you want to assume to ~/.aws/config. Specify the provider name from the configuration file, and override any default settings:
[profile engineer]
credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::0123456789012:role/your-role-name --duration 7200
Make sure each authentication provider exists in ~/.aws-oidc/config. You can also override any of the configured settings here on the command line.
To make use of this new role, simply specify the profile in your AWS SDK:
aws --profile engineer sts get-caller-identity
Most AWS SDK's should be able to pick up the profile parameter, and support the credentials_process setting in your ~/.aws/config file. If not, you can run an arbitary command with the temporary credentials with exec:
aws-oidc exec engineer -- ./path/to/command with arguments
This will use the profiles defined in ~/.aws/config to assume the role by calling aws-oidc auth and then set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables for the new process.
Use the list command to find roles that your claim and client_id can assume:
aws-oidc list --claim="accounts.google.com:aud" --client_id="CLIENT_ID"
Example using only the AWS CLI:
aws iam list-roles --query <<EOF '
Roles[?
AssumeRolePolicyDocument.Statement[?
Condition.StringEquals."accounts.google.com:aud"
]
].{
RoleName:RoleName,
Arn:Arn,
ClientId:AssumeRolePolicyDocument.Statement[*].Condition.StringEquals."accounts.google.com:aud" | [0]
} | [?
contains(ClientId, `CLIENT_ID`)
]'
EOF
Note, your default profile will need iam:ListRoles permission. To use a different profile use the --profile option.