OIDC with AWS

See the general OIDC documentation before diving into the AWS-specific setup.

AWS Specific Setup

When configuring the token in the RWX Vault UI, it's customary to name the token aws and set the audience to sts.amazonaws.com.

After setting the name and audience in the UI, you'll see copyable audience and subject values that you can copy to your OIDC role configuration in AWS.

You can then reference the token in RWX run definitions like this:

${{ vaults.your-vault.oidc.aws }}

Once AWS is configured to accept the token, use the aws/assume-role package to configure role assumption. Tasks that need to assume this role must use the assume-role task and supply an OIDC token as an environment variable. For example:

- key: aws-cli
  call: aws/install-cli 1.0.8

- key: assume-role
  call: aws/assume-role 2.0.7
  with:
    region: us-east-2
    role-to-assume: arn:aws:iam::your-account-id:role/your-role

- key: task-that-needs-role
  use: [aws-cli, assume-role]
  run: ...
  env:
    AWS_OIDC_TOKEN:
      value: ${{ vaults.your-vault.oidc.your-token }}
      cache-key: excluded

See the documentation for the aws/assume-role package for more information.

OIDC Provider

See the AWS documentation on Creating OpenID Connect (OIDC) identity providers.

Set the provider URL to https://cloud.rwx.com/mint.

Set the audience to the value that you configured in the RWX Vault UI, which is customarily sts.amazonaws.com.

OIDC Role

Follow the AWS documentation on creating a role for OpenID Connect Federation.

You'll want to add a condition based on the aud and sub claims of the OIDC token.

You can find the value that you should set for sub in the Vaults UI for the token that you configured.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/cloud.rwx.com/mint"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cloud.rwx.com/mint:aud": "sts.amazonaws.com",
          "cloud.rwx.com/mint:sub": "mint:your-org-uuid:your-vault-name"
        }
      }
    }
  ]
}
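The sub condition is what scopes this trust to one organization and vault; a statement that pins only aud would accept a token minted for any RWX vault. The script below is an added example written for this page (not RWX's or AWS's own tooling): it audits a trust policy for exactly that gap, and decodes a token's aud/sub claims to show whether they satisfy the policy's StringEquals conditions before STS is ever called. The condition-key prefix cloud.rwx.com/mint, the account id and the sub value are copied from the policy above as placeholders; the sample token it builds is constructed and unsigned, so it is only useful for checking claim values offline (STS still verifies the real signature).

```python
import base64
import json

# Condition-key namespace AWS derives from the provider URL (scheme stripped).
ISSUER_PREFIX = "cloud.rwx.com/mint"

# Constructed sample trust policy mirroring the one in this guide; the account id
# and sub value are placeholders, not real identifiers.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::012345678910:oidc-provider/cloud.rwx.com/mint"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cloud.rwx.com/mint:aud": "sts.amazonaws.com",
                    "cloud.rwx.com/mint:sub": "mint:your-org-uuid:your-vault-name",
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM and JWT fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _web_identity_statements(policy):
    """Yield (index, statement) for Allow statements granting AssumeRoleWithWebIdentity."""
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action")):
            yield i, stmt


def audit_trust_policy(policy, issuer_prefix=ISSUER_PREFIX):
    """Return findings for every allowing statement that does not pin both aud and
    sub with StringEquals. An empty list means the policy is scoped as this guide recommends."""
    findings = []
    for i, stmt in _web_identity_statements(policy):
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        for claim in ("aud", "sub"):
            key = f"{issuer_prefix}:{claim}"
            if key in equals:
                continue
            if key in like:
                findings.append(f"statement {i}: {key} uses StringLike {like[key]!r}; a wildcard widens who may assume the role")
            else:
                findings.append(f"statement {i}: no StringEquals condition on {key}")
    return findings


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature. Debug aid only:
    it shows which aud/sub values a token will present; STS does the real verification."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_policy(jwt, policy, issuer_prefix=ISSUER_PREFIX):
    """Return (ok, mismatches): do the token's claims satisfy every StringEquals
    condition on this issuer in the allowing statements?"""
    claims = decode_claims(jwt)
    mismatches = []
    for i, stmt in _web_identity_statements(policy):
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        for key, expected in equals.items():
            if not key.startswith(issuer_prefix + ":"):
                continue
            claim = key[len(issuer_prefix) + 1:]
            presented = _as_list(claims.get(claim))
            if not any(v in presented for v in _as_list(expected)):
                mismatches.append(f"statement {i}: {key} expects {expected!r}, token presents {presented!r}")
    return (not mismatches, mismatches)


def make_unsigned_sample_token(claims):
    """Build a constructed, JWT-shaped string with a placeholder signature, for
    offline claim checks only. A real RWX token is signed by the provider."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


if __name__ == "__main__":
    print("policy findings:", audit_trust_policy(TRUST_POLICY))
    sample = make_unsigned_sample_token({"iss": "https://cloud.rwx.com/mint",
                                         "aud": "sts.amazonaws.com",
                                         "sub": "mint:your-org-uuid:your-vault-name"})
    print("token matches policy:", token_matches_policy(sample, TRUST_POLICY))
```

Run it against the policy you actually attach (for example the output of `aws iam get-role`, which returns the trust policy as JSON) and against a token copied from a failing run to explain a "Not authorized to perform sts:AssumeRoleWithWebIdentity" error: a mismatch almost always comes down to the sub value in the policy not matching the one shown in the Vaults UI.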

Terraform

If you use Terraform, you can use this template to configure OIDC with AWS:

# Mint OIDC Provider

locals {
  cloud_rwx_com = "https://cloud.rwx.com"
}

data "tls_certificate" "cloud_rwx_com" {
  url = local.cloud_rwx_com
}

resource "aws_iam_openid_connect_provider" "rwx" {
  url             = "${local.cloud_rwx_com}/mint"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.cloud_rwx_com.certificates[0].sha1_fingerprint]
}

# Deployment Role

resource "aws_iam_role" "name_of_your_role" {
  name = "<name-of-your-role>"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRoleWithWebIdentity"
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_openid_connect_provider.rwx.arn
        }
        Condition = {
          StringEquals = {
            "cloud.rwx.com/mint:aud" = "sts.amazonaws.com",
            "cloud.rwx.com/mint:sub" = "<your-vault-sub-here>"
          }
        }
      }
    ]
  })
}

data "aws_iam_policy_document" "name_of_your_role" {
  # your statements here
}

resource "aws_iam_role_policy" "name_of_your_role" {
  name   = "<name-of-your-role-policy>"
  role   = aws_iam_role.name_of_your_role.id
  policy = data.aws_iam_policy_document.name_of_your_role.json
}