如何在IAM角色的信任策略中检查自定义OpenID声明？ [英] How to check for custom OpenID claim in an IAM role's trust policy?

问题描述

我正在使用auth0对用户进行身份验证，以接收包含以下声明的ID令牌

I am authenticating users with auth0 to receive a id token containing the following claim

"http://myapp.com/scope": "write"

将Cognito身份池与OpenID身份验证提供程序一起使用（即auth0 ），我能够成功获取临时凭证以访问AWS服务。但是，我想根据我上面的自定义声明限制对这些服务的访问。我相信这样做的正确方法是编辑与我的身份池关联的信任策略，但是我不确定如何在我的信任策略中添加条件以检查上述声明。

Using a Cognito identity pool with an OpenID authentication provider (namely, auth0), I am able to successfully get temporary credentials to access aws services. However, I want to restrict access to these services based on my custom claim above. I believe the proper way to do this is by editing the trust policy associated with my identity pool, but I am not sure how to add a condition to check for the above claim in my trust policy.

当前默认的信任策略为

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-2:078855cf-aa9b-400e-a762-dfcf27ec495c"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

如何确保只有auth0 write 范围的用户才可以写入m y s3服务？

How can I ensure that only users with the auth0 "write" scope have access to write to my s3 service?

更新：

我能够通过避免使用cognito将原始id_token传递给aws身份池。但是，auth0强制我的自定义声明使用 http://mywebsite.com 命名。这是一个问题，因为IAM不允许在我的情况下使用多个冒号。我需要添加条件

I was able to pass the original id_token to aws by avoiding the cognito identity pool. However, auth0 forces my custom claims to be namespaced with "http://mywebsite.com". This is a problem because IAM does not allow multiple colons in my condition. I need to add the condition

"ForAnyValue:StringLike": {
    "food-flick.auth0.com/:https://foodflick.com/scope": "write:rests"
 }

但是IAM不允许这样做，并且Auth0强制我为我的声明命名空间。我能做什么？我可以将范围存储在标准声明中，但这会产生误导。我可以将访问令牌而不是id_token传递给IAM吗？如果是这样，给定值数组时，如何更改信任策略以检查适当的aud值？

But IAM won't allow it and Auth0 forces me to namespace my claims. What can I do? I could store my scopes in a standard claim, but that would be misleading. Can I pass my access token instead of my id_token to IAM? If so, how would I change the trust policy to check for the appropriate aud value when given an array of values?

推荐答案

联合声明不会传播到AWS会话中，并且在信任策略中不可访问。前进的道路可能是使用 RoleMappings 来映射您的自定义扮演特定角色。不幸的是，这一次，我相信存在一个悬而未决的问题，阻止了角色映射与OIDC一起工作。如果问题解决，我将更新此帖子。

Federated claims are not propagated into the AWS session and are not accessible in the trust policy. Likely the path forward is to use RoleMappings to map your custom claim to a particular role. Unfortunately at this time, I believe there is an outstanding issue preventing rolemapping from working with OIDC. I will update this post if the issue is resolved.

这篇关于如何在IAM角色的信任策略中检查自定义OpenID声明？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！