Creating OpenID Connect (OIDC) identity providers - AWS Identity and Access Management

Creating OpenID Connect (OIDC) identity providers

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities. For more information about this scenario, see About web identity federation.

You can create and manage an IAM OIDC identity provider using the AWS Management Console, the AWS Command Line Interface, the Tools for Windows PowerShell, or the IAM API.

After you create an IAM OIDC identity provider, you must create one or more IAM roles. A role is an identity in AWS that doesn't have its own long-term credentials (as a user does). In this context, a role is dynamically assigned to a federated user who has been authenticated by your organization's IdP: a caller that presents a valid token from that IdP can request temporary security credentials for the role, and the policies attached to the role determine what the federated user is allowed to do in AWS. To create a role for a third-party identity provider, see Creating a role for a third-party Identity Provider (federation).
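The role's trust policy is where the audience registered on the provider and the identities at the IdP are tied together. The following is an added example, not code from the AWS documentation or from any IdP: it builds such a trust policy for sts:AssumeRoleWithWebIdentity and includes an offline approximation of the claim checks STS makes, so you can see which tokens the policy would and would not accept. It goes beyond this page's text in showing the aud and sub conditions a federation role should carry. The account ID 123456789012, the provider URL https://oidc.example.com, the client ID and the sub values are constructed placeholders.

```python
"""Trust policy for an IAM role that an OIDC provider's federated users can assume.

Added example, not code from the AWS documentation. The account ID, provider
URL, client ID and subject values are constructed placeholders.
"""
import json
import re
from typing import Any, Dict, Iterable, Mapping


def provider_host(provider_url: str) -> str:
    """The provider ARN and the condition keys use the URL without the scheme.

    No case folding: IAM matches the provider URL (and the token's iss claim)
    case-sensitively.
    """
    if not provider_url.startswith("https://"):
        raise ValueError("provider URL must begin with https://")
    return provider_url[len("https://"):].rstrip("/")


def trust_policy(account_id: str, provider_url: str, audiences: Iterable[str],
                 subject_patterns: Iterable[str]) -> Dict[str, Any]:
    """Allow sts:AssumeRoleWithWebIdentity for tokens from one IAM OIDC provider.

    `aud` ties the role to a client ID registered on the provider; `sub` limits
    which identities at that IdP may assume it. A policy with only the `aud`
    condition can be assumed by any subject the IdP issues a token to for that
    client ID, so the `sub` condition is the one to get right.
    """
    host = provider_host(provider_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{host}:aud": sorted(set(audiences))},
                "StringLike": {f"{host}:sub": sorted(set(subject_patterns))},
            },
        }],
    }


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def claims_satisfy(policy: Mapping[str, Any], claims: Mapping[str, Any]) -> bool:
    """Offline approximation of the claim checks STS applies before issuing credentials.

    True only if the token's iss names the provider in the Principal and every
    condition key is present in the token and matches. Signature, expiry and
    the JWKS fetch are STS's job and are not modelled here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        host = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        iss = str(claims.get("iss", ""))
        if not iss.startswith("https://") or provider_host(iss) != host:
            continue
        matched_all = True
        for operator, conditions in stmt.get("Condition", {}).items():
            for key, allowed in conditions.items():
                present = claims.get(key.rsplit(":", 1)[1])        # "host:aud" -> "aud"
                if present is None:                                 # absent key: condition fails
                    matched_all = False
                    break
                allowed = [allowed] if isinstance(allowed, str) else list(allowed)
                present = [present] if isinstance(present, str) else list(present)  # aud may be a list
                if operator == "StringEquals":
                    hit = any(p == a for p in present for a in allowed)
                elif operator == "StringLike":
                    hit = any(_string_like(a, p) for p in present for a in allowed)
                else:
                    raise ValueError(f"condition operator {operator} is not modelled")
                if not hit:
                    matched_all = False
                    break
            if not matched_all:
                break
        if matched_all:
            return True
    return False


if __name__ == "__main__":
    policy = trust_policy("123456789012", "https://oidc.example.com",
                          ["example-client-id"], ["deploy:acme/payments:*"])
    print(json.dumps(policy, indent=2))
```

Run it to print the policy document you would paste into the role's trust relationship; the sub pattern is the part to narrow to exactly the workloads or users that should be able to assume the role.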

Creating and managing an OIDC provider (console)

Follow these instructions to create and manage an IAM OIDC identity provider in the AWS Management Console.

New console

To create an IAM OIDC identity provider (console)

  1. Before you create an IAM OIDC identity provider, you must register your application with the IdP to receive a client ID. The client ID (also known as audience) is a unique identifier for your app that is issued to you when you register your app with the IdP. For more information about obtaining a client ID, see the documentation for your IdP.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. In the navigation pane, choose Identity providers, and then choose Add provider.

  4. For Configure provider, choose OpenID Connect.

  5. For Provider URL, type the URL of the IdP. This is the issuer identifier, the value of the iss claim in the tokens that the IdP issues; STS accepts a token only when its issuer matches a provider registered in your account. The URL must comply with these restrictions:

    • The URL is case-sensitive.

    • The URL must begin with https://.

    • Within your AWS account, each IAM OIDC identity provider must use a unique URL.

  6. Choose Get thumbprint to retrieve the thumbprint of the certificate authority that issued your IdP's TLS server certificate. Compare it with a value you obtain independently, as described in Obtaining the root CA thumbprint for an OpenID Connect Identity Provider, before you continue; IAM uses the thumbprint to verify the IdP's certificate chain when it retrieves the IdP's signing keys.

  7. For Audience, type the client ID of the application that you registered with the IdP and received in Step 1, and that will make requests to AWS. If you have additional client IDs (also known as audiences) for this IdP, you can add them later on the provider detail page.

  8. Verify the information that you have provided. When you are done choose Add provider.

  9. Assign an IAM role to your identity provider to give external user identities managed by your identity provider permissions to access AWS resources in your account. To learn more about creating roles for identity federation, see Creating a role for a third-party Identity Provider (federation).
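The two inputs in steps 5 and 6 can be checked before anything is created. The following is an added example, not code from the AWS documentation: it computes the thumbprint IAM expects from a PEM certificate and applies the Provider URL restrictions from step 5. The PEM is a constructed placeholder whose base64 body decodes to the bytes abc, so the result is checkable offline; for a real provider, feed it the certificate that the Obtaining the root CA thumbprint topic tells you to use. existing_urls stands in for the provider URLs already registered in the account.

```python
"""Thumbprint and URL checks for an IAM OIDC identity provider.

Added example, not code from the AWS documentation. PLACEHOLDER_PEM is a
constructed stand-in whose base64 body decodes to b"abc"; a real run takes
the PEM of the CA certificate that issued the IdP's TLS certificate.
"""
import base64
import hashlib
import re
from typing import Iterable

# Constructed placeholder: not a real certificate, just a PEM wrapper around b"abc".
PLACEHOLDER_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body of the first CERTIFICATE block into DER bytes."""
    match = _PEM_BODY.search(pem)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(pem: str) -> str:
    """The value IAM wants: SHA-1 over the DER certificate, 40 hex characters, no colons.

    It equals what `openssl x509 -fingerprint -sha1 -noout` prints once the
    colons are removed.
    """
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Accept openssl's colon-separated or lower-case form and return IAM's form."""
    hexstr = value.replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("a thumbprint is 40 hexadecimal characters")
    return hexstr


def check_provider_url(url: str, existing_urls: Iterable[str] = ()) -> str:
    """Apply the Provider URL restrictions: https only, case-sensitive, unique per account."""
    if not url.startswith("https://"):
        raise ValueError("provider URL must begin with https://")
    if url in set(existing_urls):          # exact, case-sensitive comparison
        raise ValueError("an IAM OIDC provider with this URL already exists in the account")
    return url


if __name__ == "__main__":
    print(check_provider_url("https://oidc.example.com"), thumbprint(PLACEHOLDER_PEM))
```

Because the URL comparison is case-sensitive, two URLs that differ only in case are two distinct providers to IAM; make sure the one you register is spelled exactly as the IdP spells its issuer, or tokens will not match it.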

To add or remove a thumbprint for an IAM OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity providers. Then choose the name of the IAM identity provider that you want to update.

  3. In the Thumbprints section, choose Manage. To enter a new thumbprint value, choose Add thumbprint. To remove a thumbprint, choose Remove next to the thumbprint that you want to remove.

    Note

    An IAM OIDC identity provider must have at least one and can have a maximum of five thumbprints.

    When you are done, choose Save changes.

To add an audience for an IAM OIDC identity provider (console)

  1. In the navigation pane, choose Identity providers, then choose the name of the IAM identity provider that you want to update.

  2. In the Audiences section, choose Actions and select Add audience.

  3. Type the client ID of the application that you registered with the IdP (the value you received when you registered the application, as in Step 1 of the creation procedure) and that will make requests to AWS. Then choose Add audiences.

    Note

    An IAM OIDC identity provider must have at least one and can have a maximum of 100 audiences.

To remove an audience for an IAM OIDC identity provider (console)

  1. In the navigation pane, choose Identity providers, then choose the name of the IAM identity provider that you want to update.

  2. In the Audiences section, select the radio button next to the audience that you want to remove, then select Actions.

  3. Choose Remove audience. A new window opens.

  4. Removing an audience means that identities federating with it can no longer assume the roles that trust it. In the window, read the warning and confirm that you want to remove the audience by typing the word remove in the field.

  5. Choose Remove to remove the audience.

To delete an IAM OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity providers.

  3. Select the check box next to the IAM identity provider that you want to delete, and then choose Delete. A confirmation window opens.

  4. Confirm that you want to delete the provider by typing the word delete in the field. Then, choose Delete.

Old console

To create an IAM OIDC identity provider (console)

  1. Before you create an IAM OIDC identity provider, you must register your application with the IdP to receive a client ID. The client ID (also known as audience) is a unique identifier for your app that is issued to you when you register your app with the IdP. For more information about obtaining a client ID, see the documentation for your IdP.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. In the navigation pane, choose Identity Providers, and then choose Create Provider.

  4. For Provider Type, choose Choose a provider type, and then choose OpenID Connect.

  5. For Provider URL, type the URL of the IdP. This is the issuer identifier, the value of the iss claim in the tokens that the IdP issues. The URL must comply with these restrictions:

    • The URL is case-sensitive.

    • The URL must begin with https://.

    • Within your AWS account, each IAM OIDC identity provider must use a unique URL.

  6. For Audience, type the client ID of the application that you registered with the IdP and received in Step 1, and that will make requests to AWS. If you have additional client IDs (also known as audiences) for this IdP, you can add them later on the provider detail page. Choose Next Step.

  7. For Thumbprint, enter the thumbprint of the certificate authority that issued your IdP's TLS server certificate; IAM uses it to verify the IdP's certificate chain. To learn how to obtain it, see Obtaining the root CA thumbprint for an OpenID Connect Identity Provider. Choose Create.

  8. In the confirmation message at the top of the screen, choose Do this now to go to the Roles tab to create a role for this identity provider. For more information about creating a role for an OIDC identity provider, see Creating a role for a third-party Identity Provider (federation). OIDC identity providers must have a role in order to access your AWS account. To skip this step and create the role later, choose Close.

To add or remove a thumbprint or client ID (also known as audience) for an IAM OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity Providers, then choose the name of the IAM identity provider that you want to update.

  3. To add a thumbprint or audience, choose Add a Thumbprint or Add an Audience. To remove a thumbprint or audience, choose Remove next to the item that you want to remove.

    Note

    An IAM OIDC identity provider must have at least one and can have a maximum of five thumbprints. An OIDC identity provider must have at least one and can have a maximum of 100 audiences.

    When you are done, choose Save Changes.

To delete an IAM OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Identity Providers.

  3. Select the check box next to the IAM identity provider that you want to delete.

  4. Choose Delete Providers.

Creating and managing an IAM OIDC identity provider (AWS CLI)

You can use the following AWS CLI commands to create and manage IAM OIDC identity providers.

To create an IAM OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, run the following command:

  2. To create a new IAM OIDC identity provider, run the following command:

To update the list of server certificate thumbprints for an existing IAM OIDC identity provider (AWS CLI)

To add or remove a client ID from an existing IAM OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, run the following command:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, run the following command:

  3. To add a new client ID to an existing IAM OIDC identity provider, run the following command:

  4. To remove a client ID from an existing IAM OIDC identity provider, run the following command:

To delete an IAM OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, run the following command:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, run the following command:

  3. To delete an IAM OIDC identity provider, run the following command:

Creating and managing an OIDC Identity Provider (AWS API)

You can use the following IAM API operations to create and manage OIDC providers.

To create an IAM OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, call the following operation:

  2. To create a new IAM OIDC identity provider, call the following operation:

To update the list of server certificate thumbprints for an existing IAM OIDC identity provider (AWS API)

To add or remove a client ID from an existing IAM OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, call the following operation:

  3. To add a new client ID to an existing IAM OIDC identity provider, call the following operation:

  4. To remove a client ID from an existing IAM OIDC identity provider, call the following operation:

To delete an IAM OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the IAM OIDC identity providers in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an IAM OIDC identity provider, call the following operation:

  3. To delete an IAM OIDC identity provider, call the following operation:
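The CLI and API procedures above (list, create, get, update thumbprints, add and remove client IDs, delete) are the same IAM operations under two front ends. The following is an added example, not code from the AWS documentation: it drives those operations through boto3, enforces the limits this page states before any call is made, and treats the provider idempotently (create if absent, otherwise reconcile). It takes the IAM client as a parameter so it runs offline against the FakeIAM stub at the bottom; pass boto3.client("iam") to run it for real. The URL, thumbprint and client IDs are constructed placeholders, and each boto3 method is the API operation behind the AWS CLI command of the same name (create-open-id-connect-provider, update-open-id-connect-provider-thumbprint, and so on).

```python
"""Manage an IAM OIDC identity provider through the IAM API (boto3), with this
page's limits enforced before any call.

Added example, not code from the AWS documentation. FakeIAM is a constructed
in-memory stand-in for boto3's IAM client; the values in __main__ are placeholders.
"""
import re
import sys
from typing import Dict, Optional, Sequence

MAX_THUMBPRINTS, MAX_AUDIENCES = 5, 100            # limits stated on this page
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")    # SHA-1 hex, no colons


def _without_scheme(url: str) -> str:
    if not url.startswith("https://"):
        raise ValueError("provider URL must begin with https://")
    return url[len("https://"):].rstrip("/")


def validate(url: str, thumbprints: Sequence[str], client_ids: Sequence[str]) -> None:
    """Reject input IAM would reject, before making a network call."""
    _without_scheme(url)
    if not 1 <= len(thumbprints) <= MAX_THUMBPRINTS:
        raise ValueError(f"a provider needs 1 to {MAX_THUMBPRINTS} thumbprints")
    if not 1 <= len(client_ids) <= MAX_AUDIENCES:
        raise ValueError(f"a provider needs 1 to {MAX_AUDIENCES} audiences")
    bad = [t for t in thumbprints if not THUMBPRINT_RE.match(t)]
    if bad:
        raise ValueError(f"malformed thumbprints: {bad}")


def find_provider_arn(iam, url: str) -> Optional[str]:
    """ListOpenIDConnectProviders returns ARNs only; the part after
    'oidc-provider/' is the provider URL without its scheme (case-sensitive)."""
    want = _without_scheme(url)
    for p in iam.list_open_id_connect_providers()["OpenIDConnectProviderList"]:
        if p["Arn"].split(":oidc-provider/", 1)[1].rstrip("/") == want:
            return p["Arn"]
    return None


def ensure_provider(iam, url: str, thumbprints: Sequence[str], client_ids: Sequence[str]) -> str:
    """Create the provider if it is absent, otherwise reconcile it; returns the ARN."""
    validate(url, thumbprints, client_ids)
    arn = find_provider_arn(iam, url)
    if arn is None:
        resp = iam.create_open_id_connect_provider(
            Url=url, ClientIDList=list(client_ids), ThumbprintList=list(thumbprints))
        return resp["OpenIDConnectProviderArn"]
    current = iam.get_open_id_connect_provider(OpenIDConnectProviderArn=arn)
    # UpdateOpenIDConnectProviderThumbprint replaces the whole list, so always send it complete.
    if sorted(t.upper() for t in current["ThumbprintList"]) != sorted(t.upper() for t in thumbprints):
        iam.update_open_id_connect_provider_thumbprint(
            OpenIDConnectProviderArn=arn, ThumbprintList=list(thumbprints))
    # Add before remove: removing an audience breaks every identity federating with it.
    for cid in sorted(set(client_ids) - set(current["ClientIDList"])):
        iam.add_client_id_to_open_id_connect_provider(OpenIDConnectProviderArn=arn, ClientID=cid)
    for cid in sorted(set(current["ClientIDList"]) - set(client_ids)):
        iam.remove_client_id_from_open_id_connect_provider(OpenIDConnectProviderArn=arn, ClientID=cid)
    return arn


def delete_provider(iam, url: str) -> bool:
    """DeleteOpenIDConnectProvider. Roles that trust the provider are not updated;
    they stay in place and can no longer be assumed through it."""
    arn = find_provider_arn(iam, url)
    if arn is None:
        return False
    iam.delete_open_id_connect_provider(OpenIDConnectProviderArn=arn)
    return True


class FakeIAM:
    """In-memory stand-in for boto3's IAM client (constructed for the offline run)."""
    def __init__(self, account_id: str = "123456789012"):
        self.account_id = account_id
        self.providers: Dict[str, dict] = {}

    def list_open_id_connect_providers(self):
        return {"OpenIDConnectProviderList": [{"Arn": a} for a in self.providers]}

    def create_open_id_connect_provider(self, Url, ClientIDList, ThumbprintList):
        arn = f"arn:aws:iam::{self.account_id}:oidc-provider/{_without_scheme(Url)}"
        if arn in self.providers:
            raise ValueError("EntityAlreadyExists")
        self.providers[arn] = {"Url": Url, "ClientIDList": list(ClientIDList),
                               "ThumbprintList": list(ThumbprintList)}
        return {"OpenIDConnectProviderArn": arn}

    def get_open_id_connect_provider(self, OpenIDConnectProviderArn):
        return {k: list(v) if isinstance(v, list) else v
                for k, v in self.providers[OpenIDConnectProviderArn].items()}

    def update_open_id_connect_provider_thumbprint(self, OpenIDConnectProviderArn, ThumbprintList):
        self.providers[OpenIDConnectProviderArn]["ThumbprintList"] = list(ThumbprintList)

    def add_client_id_to_open_id_connect_provider(self, OpenIDConnectProviderArn, ClientID):
        self.providers[OpenIDConnectProviderArn]["ClientIDList"].append(ClientID)

    def remove_client_id_from_open_id_connect_provider(self, OpenIDConnectProviderArn, ClientID):
        self.providers[OpenIDConnectProviderArn]["ClientIDList"].remove(ClientID)

    def delete_open_id_connect_provider(self, OpenIDConnectProviderArn):
        del self.providers[OpenIDConnectProviderArn]


if __name__ == "__main__":
    if "--real" in sys.argv:
        import boto3                      # only needed for a live run against your account
        iam = boto3.client("iam")
    else:
        iam = FakeIAM()
    print(ensure_provider(iam, "https://oidc.example.com",
                          ["A9993E364706816ABA3E25717850C26C9CD0D89D"], ["example-client-id"]))
```

Two behaviours of the real API are worth keeping in mind when you script this: the thumbprint update replaces the stored list rather than appending to it, and deleting a provider leaves any role that trusts it in place, so review those roles' trust policies before you delete.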