Creating OpenID Connect (OIDC) identity providers - AWS Identity and Access Management

Creating OpenID Connect (OIDC) identity providers

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities. For more information about this scenario, see About web identity federation.

You can create and manage an IAM OIDC identity provider using the AWS Management Console, the AWS Command Line Interface, the Tools for Windows PowerShell, or the IAM API.

After you create an IAM OIDC identity provider, you must create one or more IAM roles. A role is an identity in AWS that doesn't have its own credentials (as a user does). But in this context, a role is dynamically assigned to a federated user that is authenticated by your organization's IdP. The role permits your organization's IdP to request temporary security credentials for access to AWS. The policies assigned to the role determine what the federated users are allowed to do in AWS. To create a role for a third-party identity provider, see Creating a role for a third-party Identity Provider (federation).

Important

When you configure identity-based policies for actions that support oidc-provider resources, IAM evaluates the full OIDC identity provider URL, including any specified paths. If your OIDC identity provider URL has a path, you must include that path in the oidc-provider ARN as a Resource element value. You also have the option to append a forward slash and wildcard (/*) to the URL domain or use wildcard characters (* and ?) at any point in the URL path. If the OIDC identity provider URL in the request doesn't match the value set in the policy's Resource element, the request fails.

Creating and managing an OIDC provider (console)

Follow these instructions to create and manage an IAM OIDC identity provider in the AWS Management Console.

Important

If you are using an OIDC identity provider from either Google, Facebook, or Amazon Cognito, do not create a separate IAM identity provider using this procedure. These OIDC identity providers are already built-in to AWS and are available for your use. Instead, follow the steps to create new roles for your identity provider, see Create a role for OpenID Connect federation (console).

To create an IAM OIDC identity provider (console)
  1. Before you create an IAM OIDC identity provider, you must register your application with the IdP to receive a client ID. The client ID (also known as audience) is a unique identifier for your app that is issued to you when you register your app with the IdP. For more information about obtaining a client ID, see the documentation for your IdP.

    Note

    AWS secures communication with some OIDC identity providers (IdPs) through our library of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to verify your IdP server certificate. In these cases, your legacy thumbprint remains in your configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub, GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. In the navigation pane, choose Identity providers, and then choose Add provider.

  4. For Configure provider, choose OpenID Connect.

  5. For Provider URL, type the URL of the IdP. The URL must comply with these restrictions:

    • The URL is case-sensitive.

    • The URL must begin with https://.

    • The URL should not contain a port number.

    • Within your AWS account, each IAM OIDC identity provider must use a unique URL.

  6. Choose Get thumbprint to verify the server certificate of your IdP. To learn how, see Obtaining the thumbprint for an OpenID Connect Identity Provider.

    Note

    The OIDC identity provider's certificate chain must start with the domain or issuer URL, then the intermediate certificate, and end with the root certificate. If the certificate chain order is different or includes duplicate or additional certificates, then you receive a signature mismatch error and STS fails to validate the JSON Web Token (JWT). Correct the order of the certificates in the chain returned from the server to resolve the error. For more information about certificate chain standards, see certificate_list in RFC 5246 on the RFC Series website.

  7. For Audience, type the client ID of the application that you registered with the IdP and received in Step 1, and that make requests to AWS. If you have additional client IDs (also known as audiences) for this IdP, you can add them later on the provider detail page.

  8. (Optional) For Add tags, you can add key–value pairs to help you identify and organize your IdPs. You can also use tags to control access to AWS resources. To learn more about tagging IAM OIDC identity providers, see Tagging OpenID Connect (OIDC) identity providers. Choose Add tag. Enter values for each tag key-value pair.

  9. Verify the information that you have provided. When you are done choose Add provider.

  10. Assign an IAM role to your identity provider to give external user identities managed by your identity provider permissions to access AWS resources in your account. To learn more about creating roles for identity federation, see Creating a role for a third-party Identity Provider (federation).

    Note

    OIDC IDPs used in a role trust policy must be in the same account that the role is in.

To add or remove a thumbprint for an IAM OIDC identity provider (console)
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity providers. Then choose the name of the IAM identity provider that you want to update.

  3. In the Thumbprints section, choose Manage. To enter a new thumbprint value, choose Add thumbprint. To remove a thumbprint, choose Remove next to the thumbprint that you want to remove.

    Note

    An IAM OIDC identity provider must have at least one and can have a maximum of five thumbprints.

    When you are done, choose Save changes.

To add an audience for an IAM OIDC identity provider (console)
  1. In the navigation pane, choose Identity providers, then choose the name of the IAM identity provider that you want to update.

  2. In the Audiences section, choose Actions and select Add audience.

  3. Type the client ID of the application that you registered with the IdP and received in Step 1, and that will make requests to AWS. Then choose Add audiences.

    Note

    An IAM OIDC identity provider must have at least one and can have a maximum of 100 audiences.

To remove an audience for an IAM OIDC identity provider (console)
  1. In the navigation pane, choose Identity providers, then choose the name of the IAM identity provider that you want to update.

  2. In the Audiences section, select the radio button next to the audience that you want to remove, then select Actions.

  3. Choose Remove audience. A new window opens.

  4. If you remove an audience, identities federating with the audience cannot assume roles associated with the audience. In the window, read the warning and confirm that you want to remove the audience by typing the word remove in the field.

  5. Choose Remove to remove the audience.

To delete an IAM OIDC identity provider (console)
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity providers.

  3. Select the check box next to the IAM identity provider that you want to delete. A new window opens.

  4. Confirm that you want to delete the provider by typing the word delete in the field. Then, choose Delete.

Creating and managing an IAM OIDC identity provider (AWS CLI)

You can use the following AWS CLI commands to create and manage IAM OIDC identity providers.

To create an IAM OIDC identity provider (AWS CLI)
  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, run the following command:

  2. To create a new IAM OIDC identity provider, run the following command:

To update the list of server certificate thumbprints for an existing IAM OIDC identity provider (AWS CLI)
To tag an existing IAM OIDC identity provider (AWS CLI)
To list tags for an existing IAM OIDC identity provider (AWS CLI)
To remove tags on an IAM OIDC identity provider (AWS CLI)
To add or remove a client ID from an existing IAM OIDC identity provider (AWS CLI)
  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, run the following command:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, run the following command:

  3. To add a new client ID to an existing IAM OIDC identity provider, run the following command:

  4. To remove a client from an existing IAM OIDC identity provider, run the following command:

To delete an IAM OIDC identity provider (AWS CLI)
  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, run the following command:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, run the following command:

  3. To delete an IAM OIDC identity provider, run the following command:

Creating and managing an OIDC Identity Provider (AWS API)

You can use the following IAM API commands to create and manage OIDC providers.

To create an IAM OIDC identity provider (AWS API)
  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, call the following operation:

  2. To create a new IAM OIDC identity provider, call the following operation:

To update the list of server certificate thumbprints for an existing IAM OIDC identity provider (AWS API)
To tag an existing IAM OIDC identity provider (AWS API)
To list tags for an existing IAM OIDC identity provider (AWS API)
To remove tags on an existing IAM OIDC identity provider (AWS API)
To add or remove a client ID from an existing IAM OIDC identity provider (AWS API)
  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, call the following operation:

  3. To add a new client ID to an existing IAM OIDC identity provider, call the following operation:

  4. To remove a client ID from an existing IAM OIDC identity provider, call the following operation:

To delete an IAM OIDC identity provider (AWS API)
  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, call the following operation:

  3. To delete an IAM OIDC identity provider, call the following operation: