Using Firebase OpenID Connect provider as AWS IAM Identity Provider


Question


I get the following error while setting up Firebase as an AWS IAM Identity Provider using OpenID Connect.


We encountered the following errors while processing your request: Please check .well-known/openid-configuration of provider: https://securetoken.google.com/<Project ID> is valid.


The AWS IAM Identity Provider setup requires two input parameters, to which I plugged in the following:
Provider URL: https://securetoken.google.com/<Firebase Project ID>
Audience: <Firebase Client ID>


To troubleshoot the error, I opened http://<Provider URL>/.well-known/openid-configuration in a browser and noted the JSON response has the Issuer and jwks_uri fields. I believe these JSON fields indicate the Firebase OpenID Connect Provider URL is valid.


Any idea how I could avoid the above error and successfully set up the AWS IAM Identity Provider?

Accepted answer


I contacted AWS support and they helped resolve the problem. Thanks to Shaun H @ AWS!

The solution to the problem was to set up the OIDC provider using the AWS CLI instead of the AWS Console.


I'm pasting relevant parts of Shaun's response below:

1.) Manually obtain and verify the thumbprint using the procedure described here [1].
    "ThumbprintList" = "6040DB92306CC8BCEB31CACAC88D107430B16AFF"


2.) Create the OIDC identity provider using the AWS CLI [2]. For example:

    $ aws iam create-open-id-connect-provider --cli-input-json file://oidc.json

Note - the format would be:

aud (Audience): Must be your Firebase project ID, the unique identifier for your Firebase project, which can be found in the URL of that project's console.
iss (Issuer): Must be https://securetoken.google.com/<projectId>, where <projectId> is the same project ID used for aud above.


Content for file://oidc.json: (replace with your Project ID)

{
    "Url": "https://securetoken.google.com/<Firebase Project ID>",
    "ClientIDList": [ "<Firebase Project ID>" ],
    "ThumbprintList": [ "6040DB92306CC8BCEB31CACAC88D107430B16AFF" ]
}

[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

[2] http://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html
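An added example (not part of the answer or of any AWS/Firebase tooling) that turns the rules above into code: it builds the `--cli-input-json` document from a project ID and the `.well-known/openid-configuration` response, enforcing that Url/iss and ClientIDList/aud are both derived from the same project ID, normalises an openssl-style fingerprint into the 40-hex-char form ThumbprintList expects, and checks a token's iss/aud claims against the resulting document. The discovery document, jwks host and token below are constructed sample values, and the thumbprint is the one quoted in the answer; the thumbprint must be re-derived from the jwks_uri host's certificate chain whenever that chain changes.

```python
import base64
import json
from urllib.parse import urlparse

ISSUER_PREFIX = "https://securetoken.google.com/"

# Constructed stand-in for GET <Provider URL>/.well-known/openid-configuration;
# only the two fields the question mentions are modelled, with a made-up jwks host.
SAMPLE_DISCOVERY = {
    "issuer": "https://securetoken.google.com/my-firebase-project",
    "jwks_uri": "https://jwks.example.test/keys",
}

def normalize_thumbprint(fingerprint: str) -> str:
    """Convert openssl's 'AA:BB:...' SHA-1 fingerprint into the colon-free,
    40-hex-char string IAM's ThumbprintList expects; reject anything else."""
    hexstr = fingerprint.replace(":", "").strip().upper()
    if len(hexstr) != 40 or any(c not in "0123456789ABCDEF" for c in hexstr):
        raise ValueError("thumbprint must be a SHA-1 fingerprint (40 hex chars)")
    return hexstr

def jwks_host(discovery: dict) -> str:
    """Host whose TLS certificate chain the thumbprint procedure [1] is run against."""
    host = urlparse(discovery["jwks_uri"]).hostname
    if not host:
        raise ValueError("jwks_uri has no host")
    return host

def build_oidc_input(discovery: dict, project_id: str, fingerprint: str) -> dict:
    """Build the file://oidc.json document, refusing a discovery document whose
    issuer does not match the Firebase project ID (the iss rule in the answer)."""
    expected_issuer = ISSUER_PREFIX + project_id
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {discovery.get('issuer')!r} != {expected_issuer!r}")
    return {"Url": expected_issuer, "ClientIDList": [project_id],
            "ThumbprintList": [normalize_thumbprint(fingerprint)]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED test token (empty signature segment) for local checks."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_matches_provider(id_token: str, provider: dict) -> bool:
    """Check iss == Url and aud is in ClientIDList. The signature is NOT verified
    here; IAM does that against the keys published at jwks_uri."""
    try:
        _header, payload, _sig = id_token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, json.JSONDecodeError):
        return False
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return claims.get("iss") == provider["Url"] and any(a in provider["ClientIDList"] for a in auds)
```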

