AWS Identity and Access Management
User Guide

Creating OpenID Connect (OIDC) Identity Providers

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities. For more information about this scenario, see About Web Identity Federation.

You can create and manage an IAM OIDC identity provider using the AWS Management Console, the AWS Command Line Interface, the Tools for Windows PowerShell, or the IAM API.

Creating and Managing an OIDC Provider (Console)

Follow these instructions to create and manage an IAM OIDC identity provider in the AWS Management Console.

To create an IAM OIDC identity provider (console)

  1. Before you create an IAM OIDC identity provider, you must register your application with the IdP to receive a client ID. The client ID (also known as audience) is a unique identifier for your app that is issued to you when you register your app with the IdP. For more information about obtaining a client ID, see the documentation for your IdP.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. In the navigation pane, choose Identity Providers, and then choose Create Provider.

  4. For Provider Type, choose Choose a provider type, and then choose OpenID Connect.

  5. For Provider URL, type the URL of the IdP. The URL must comply with these restrictions:

    • The URL is case-sensitive.

    • The URL must begin with https://.

    • The URL cannot include a colon (:) character, and therefore cannot specify a port number. This means that the server must be listening on the default port 443.

    • Within your AWS account, each IAM OIDC identity provider must use a unique URL.

  6. For Audience, type the client ID of the application that you registered with the IdP and received in Step 1, and that will make requests to AWS. If you have additional client IDs (also known as audiences) for this IdP, you can add them later on the provider detail page. Choose Next Step.

  7. Use the Thumbprint to verify the server certificate of your IdP. To learn how, see Obtaining the Thumbprint for an OpenID Connect Identity Provider. Choose Create.

  8. In the confirmation message at the top of the screen, choose Do this now to go to the Roles tab to create a role for this identity provider. For more information about creating a role for an OIDC identity provider, see Creating a Role for a Third-Party Identity Provider (Federation). OIDC identity providers must have a role in order to access your AWS account. To skip this step and create the role later, choose Close.

To add or remove a thumbprint or client ID (also known as audience) for an IAM OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity Providers, then choose the name of the IAM identity provider that you want to update.

  3. To add a thumbprint or audience, choose Add a Thumbprint or Add an Audience. To remove a thumbprint or audience, choose Remove next to the item that you want to remove.

    Note

    An IAM OIDC identity provider must have at least one and can have a maximum of five thumbprints. An OIDC identity provider must have at least one and can have a maximum of 100 audiences.

    When you are done, choose Save Changes.

To delete an IAM OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity Providers.

  3. Select the check box next to the IAM identity provider that you want to delete.

  4. Choose Delete Providers.

Creating and Managing an IAM OIDC Identity Provider (AWS CLI)

You can use the following AWS CLI commands to create and manage IAM OIDC identity providers.

To create an IAM OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, run the following command:

  2. To create a new IAM OIDC identity provider, run the following command:

To update the list of server certificate thumbprints for an existing IAM OIDC identity provider (AWS CLI)

To add or remove a client ID from an existing IAM OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, run the following command:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, run the following command:

  3. To add a new client ID to an existing IAM OIDC identity provider, run the following command:

  4. To remove a client from an existing IAM OIDC identity provider, run the following command:

To delete an IAM OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, run the following command:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, run the following command:

  3. To delete an IAM OIDC identity provider, run the following command:

Creating and Managing an OIDC Identity Provider (AWS API)

You can use the following IAM API commands to create and manage OIDC providers.

To create an IAM OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, call the following operation:

  2. To create a new IAM OIDC identity provider, call the following operation:

To update the list of server certificate thumbprints for an existing IAM OIDC identity provider (AWS API)

To add or remove a client ID from an existing IAM OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, call the following operation:

  3. To add a new client ID to an existing IAM OIDC identity provider, call the following operation:

  4. To remove a client ID from an existing IAM OIDC identity provider, call the following operation:

To delete an IAM OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the IAM OIDC identity provider in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, call the following operation:

  3. To delete an IAM OIDC identity provider, call the following operation: