如何在 IAM 角色的信任策略中检查自定义 OpenID 声明? [英] How to check for custom OpenID claim in an IAM role's trust policy?

查看:23
本文介绍了如何在 IAM 角色的信任策略中检查自定义 OpenID 声明?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用 auth0 对用户进行身份验证以接收包含以下声明的 id 令牌

I am authenticating users with auth0 to receive a id token containing the following claim

"http://myapp.com/scope": "write"

使用带有 OpenID 身份验证提供程序(即 auth0)的 Cognito 身份池,我能够成功获得访问 aws 服务的临时凭证.但是,我想根据上面的自定义声明限制对这些服务的访问.我认为正确的方法是编辑与我的身份池关联的信任策略,但我不确定如何添加条件来检查我的信任策略中的上述声明.

Using a Cognito identity pool with an OpenID authentication provider (namely, auth0), I am able to successfully get temporary credentials to access aws services. However, I want to restrict access to these services based on my custom claim above. I believe the proper way to do this is by editing the trust policy associated with my identity pool, but I am not sure how to add a condition to check for the above claim in my trust policy.

当前的默认信任策略是

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-2:078855cf-aa9b-400e-a762-dfcf27ec495c"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

如何确保只有具有 auth0 "write" 范围的用户有权写入我的 s3 服务?

How can I ensure that only users with the auth0 "write" scope have access to write to my s3 service?

更新:

我能够通过避免认知身份池将原始 id_token 传递给 aws.但是,auth0 强制我的自定义声明使用 "http://mywebsite.com" 命名空间.这是一个问题,因为 IAM 不允许在我的情况下使用多个冒号.我需要添加条件

I was able to pass the original id_token to aws by avoiding the cognito identity pool. However, auth0 forces my custom claims to be namespaced with "http://mywebsite.com". This is a problem because IAM does not allow multiple colons in my condition. I need to add the condition

"ForAnyValue:StringLike": {
    "food-flick.auth0.com/:https://foodflick.com/scope": "write:rests"
 }

但 IAM 不允许这样做,Auth0 强制我为我的声明命名.我能做什么?我可以将范围存储在标准声明中,但这会产生误导.我可以将我的访问令牌而不是我的 id_token 传递给 IAM 吗?如果是这样,当给定一组值时,我将如何更改信任策略以检查适当的 aud 值?

But IAM won't allow it and Auth0 forces me to namespace my claims. What can I do? I could store my scopes in a standard claim, but that would be misleading. Can I pass my access token instead of my id_token to IAM? If so, how would I change the trust policy to check for the appropriate aud value when given an array of values?

推荐答案

联合声明不会传播到 AWS 会话中,并且无法在信任策略中访问.前进的道路可能是使用 RoleMappings 来映射您的自定义声称拥有特定的角色.不幸的是,目前,我认为有一个突出的问题阻止角色映射与 OIDC 合作.如果问题得到解决,我会更新这篇文章.

Federated claims are not propagated into the AWS session and are not accessible in the trust policy. Likely the path forward is to use RoleMappings to map your custom claim to a particular role. Unfortunately at this time, I believe there is an outstanding issue preventing rolemapping from working with OIDC. I will update this post if the issue is resolved.

这篇关于如何在 IAM 角色的信任策略中检查自定义 OpenID 声明?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆