 |
When constructing purposes that span a number of cloud suppliers or combine with exterior providers, builders face a persistent problem: managing credentials securely. Conventional approaches require storing long-term credentials like API keys and passwords, creating safety dangers and operational overhead.
At this time, we’re saying a brand new functionality known as AWS Identification and Entry Administration (IAM) outbound identification federation that prospects can use to securely federate their Amazon Internet Companies (AWS) identities to exterior providers with out storing long-term credentials. Now you can use short-lived JSON Internet Tokens (JWTs) to authenticate your AWS workloads with a variety of third-party suppliers, software-as-a-service (SaaS) platforms and self-hosted purposes.
This characteristic allows IAM principals—equivalent to IAM roles and customers—to acquire cryptographically signed JWTs that assert their AWS identification. Exterior providers, equivalent to third-party suppliers, SaaS platforms, and on-premises purposes, can confirm the token’s authenticity by validating its signature. Upon profitable verification, you possibly can securely entry the exterior service.
The way it works
With IAM outbound identification federation, you change your AWS IAM credentials for short-lived JWTs. This mitigates the safety dangers related to long-term credentials whereas enabling constant authentication patterns.
Let’s stroll by way of a state of affairs the place your software working on AWS must work together with an exterior service. To entry the exterior service’s APIs or sources, your software calls the AWS Safety Token Service (AWS STS) `GetWebIdentityToken` API to acquire a JWT.
The next diagram exhibits this move:
- Your software working on AWS requests a token from AWS STS by calling the
GetWebIdentityTokenAPI. The applying makes use of its current AWS credentials obtained from the underlying platform (equivalent to Amazon EC2 occasion profiles, AWS Lambda execution roles, or different AWS compute providers) to authenticate this API name. - AWS STS returns a cryptographically signed JSON Internet Token (JWT) that asserts the identification of your software.
- Your software sends the JWT to the exterior service for authentication.
- The exterior service fetches the verification keys from the JSON Internet Key Set (JWKS) endpoint to confirm the token’s authenticity.
- The exterior service validates the JWT’s signature utilizing these verification keys and confirms the token is genuine and was issued by AWS.
- After profitable verification, the exterior service exchanges the JWT for its personal credentials. Your software can then use these credentials to carry out its meant operations.
Organising AWS IAM outbound identification federation
To start utilizing this characteristic, I have to allow outbound identification federation for my AWS account. I navigate to IAM and select Account settings beneath Entry administration within the left-hand navigation pane.
After I allow the characteristic, AWS generates a singular issuer URL for my AWS account that hosts the OpenID Join (OIDC) discovery endpoints at /.well-known/openid-configuration and /.well-known/jwks.json. The OpenID Join (OIDC) discovery endpoints comprise the keys and metadata obligatory for token verification.
Subsequent, I have to configure IAM permissions. My IAM principal (function or consumer) should have the sts:GetWebIdentityToken permission to request tokens.
For instance, the next identification coverage specifies entry to the STS GetWebIdentityToken API, enabling the IAM principal to generate tokens.
{
"Model": "2012-10-17",
"Assertion": [
{
"Effect": "Allow",
"Action": "sts:GetWebIdentityToken",
"Resource": "*",
}
]
}
At this stage, I have to configure the exterior service to belief and settle for tokens issued by my AWS account. The precise steps differ by service, however usually contain:
- Registering my AWS account issuer URL as a trusted identification supplier
- Configuring which claims to validate (viewers, topic patterns)
- Mapping token claims to permissions within the exterior service
Let’s get began
Now, let me stroll you thru an instance displaying each the client-side token era and server-side verification course of.
First, I name the STS GetWebIdentityToken API to acquire a JWT that asserts my AWS identification. When calling the API, I can specify the meant viewers, signing algorithm, and token lifetime as request parameters.
Viewers: Populates the `aud` declare within the JWT, figuring out the meant recipient of the token (for instance, “my-app”)DurationSeconds: The token lifetime in seconds, starting from 60 seconds (1 minute) to 3600 seconds (1 hour), with a default of 300 seconds (5 minutes)SigningAlgorithm: Select both ES384 (ECDSA utilizing P-384 and SHA-384) or RS256 (RSA utilizing SHA-256)Tags(non-compulsory): An array of key-value pairs that seem as customized claims within the token, which you should use to incorporate further context that permits exterior providers to implement fine-grained entry management
Right here’s an instance of getting an identification token utilizing the AWS SDK for Python (Boto3). I can even do that utilizing AWS Command Line Interface (AWS CLI).
import boto3
sts_client = boto3.shopper('sts')
response = sts_client.get_web_identity_token(
Viewers=['my-app'],
SigningAlgorithm='ES384', # or 'RS256'
DurationSeconds=300
)
jwt_token = response['WebIdentityToken']
print(jwt_token)
This returns a signed JWT that I can examine utilizing any JWT parser.
{
eyJraWQiOiJFQzM4NF8wIiwidHlwIjoiSldUIiwiYWxnIjoiRVMzODQifQ.hey<REDACTED FOR BREVITY>...
I can decode the token utilizing any JWT parser like this JWT Debugger. The token header exhibits it’s signed with ES384 (ECDSA).
{
"child": "EC384_0",
"typ": "JWT",
"alg": "ES384"
}
Additionally, the payload accommodates customary OIDC claims plus AWS particular metadata. The usual OIDC claims embrace topic (“sub”), viewers (“aud”), issuer (“iss”), and others.
{
"aud": "my-app",
"sub": "arn:aws:iam::ACCOUNT_ID:function/MyAppRole",
"https://sts.amazonaws.com/": {
"aws_account": "ACCOUNT_ID",
"source_region": "us-east-1",
"principal_id": "arn:aws:iam::ACCOUNT_ID:function/MyAppRole"
},
"iss": "https://abc12345-def4-5678-90ab-cdef12345678.tokens.sts.world.api.aws",
"exp": 1759786941,
"iat": 1759786041,
"jti": "5488e298-0a47-4c5b-80d7-6b4ab8a4cede"
}
AWS STS additionally enriches the token with identity-specific claims (equivalent to account ID, group ID, and principal tags) and session context. These claims present details about the compute setting and session the place the token request originated. AWS STS routinely contains these claims when relevant primarily based on the requesting principal’s session context. You can even add customized claims to the token by passing request tags to the API name. To be taught extra about claims supplied within the JWT, go to the documentation web page.
Observe the iss (issuer) declare. That is your account-specific issuer URL that exterior providers use to confirm that the token originated from a trusted AWS account. Exterior providers can confirm the JWT by validating its signature utilizing AWS’s verification keys out there at a public JSON Internet Key Set (JWKS) endpoint hosted on the /.well-known/jwks.json endpoint of the issuer URL.
Now, let’s have a look at how exterior providers deal with this identification token.
Right here’s a snippet of Python instance that exterior providers can use to confirm AWS tokens:
import json
import jwt
import requests
from jwt import PyJWKClient
# Trusted issuers record - obtained from EnableOutboundFederation API response
TRUSTED_ISSUERS = [
"https://EXAMPLE.tokens.sts.global.api.aws",
# Add your trusted AWS account issuer URLs here
# Obtained from EnableOutboundFederation API response
]
def verify_aws_jwt(token, expected_audience=None):
"""Confirm an AWS IAM outbound identification federation JWT"""
attempt:
# Get issuer from token
unverified_payload = jwt.decode(token, choices={"verify_signature": False})
issuer = unverified_payload.get('iss')
# Confirm issuer is trusted
if not TRUSTED_ISSUERS or issuer not in TRUSTED_ISSUERS:
elevate ValueError(f"Untrusted issuer: {issuer}")
# Fetch JWKS from AWS utilizing PyJWKClient
jwks_client = PyJWKClient(f"{issuer}/.well-known/jwks.json")
signing_key = jwks_client.get_signing_key_from_jwt(token)
# Confirm token signature and claims
decoded_token = jwt.decode(
token,
signing_key.key,
algorithms=["ES384", "RS256"],
viewers=expected_audience,
issuer=issuer
)
return decoded_token
besides Exception as e:
print(f"Token verification failed: {e}")
return None
Utilizing IAM insurance policies to manage entry to token era
An IAM principal (equivalent to a task or consumer) should have the sts:GetWebIdentityToken permission of their IAM insurance policies to request tokens for authentication with exterior providers. AWS account directors can configure this permission in all related AWS coverage sorts equivalent to identification insurance policies, service management insurance policies (SCPs), useful resource management insurance policies (RCPs), and digital personal cloud endpoint (VPCE) insurance policies to manage which IAM principals of their account can generate tokens.
Moreover, directors can use the brand new situation keys to specify signing algorithms (sts:SigningAlgorithm), permitted token audiences (sts:IdentityTokenAudience), and most token lifetimes (sts:DurationSeconds). To be taught extra in regards to the situation keys, go to IAM and STS Situation keys documentation web page.
Extra issues to know
Listed here are key particulars about this launch:
Get began with AWS IAM outbound identification federation by visiting AWS IAM console and enabling the characteristic in your AWS account. To be taught extra on find out how to programmatically allow this characteristic, discuss with this Getting Began web page. For extra info, go to Federating AWS Identities to Exterior Companies documentation web page.
Blissful constructing!
— Donnie
Editors observe: 11/22/25- Getting Began documentation added