Trusted identity propagation overview
With trusted identity propagation, user access to AWS resources can be more
easily defined, granted, and logged. Trusted identity propagation is built on the
OAuth 2.0
Authorization Framework
To avoid sharing user passwords, trusted identity propagation uses tokens. Tokens provide a standard way for a trusted application to claim who the user is and what requests are permitted between two applications. AWS managed applications that integrate with trusted identity propagation obtain tokens from IAM Identity Center directly. IAM Identity Center also provides an option for applications to exchange identity tokens and access tokens that come from an external OAuth 2.0 authorization server. This makes it possible for an application to authenticate and obtain tokens outside of AWS, exchange the token for an IAM Identity Center token, and use the new token to make requests to AWS services. For more information, see Using applications with a trusted token issuer.
The OAuth 2.0 process starts when a user signs in to an application. The application that the user signs in to initiates a request to access the resources of an AWS service. The initiating (requesting) application can access the receiving service on behalf of the user by requesting a token from the authorization server. The authorization server returns the token, and the initiating application passes that token, with a request for access, to the receiving service. The following are variations of this flow applicable to different types of initiating applications and receiving services:
-
AWS managed applications can authenticate using IAM Identity Center, receive a token, and pass it to AWS services that use it to make authorization decisions. For more information, see Trusted identity propagation request flows for AWS managed applications.
-
Customer managed applications can use an external OIDC authorization server to obtain an access token or an identity token. They exchange the token for an IAM Identity Center token and pass it to AWS services that use it to make authorization decisions. For more information, see Using applications with a trusted token issuer.
-
AWS managed applications and customer managed applications that possess an IAM Identity Center token can call AWS Security Token Service and add the user identity context to an IAM role that the application uses to call a SigV4 service. For more information, see Identity-enhanced IAM role sessions.
After an application obtains a token
After a requesting application obtains a token from IAM Identity Center, the application periodically refreshes the token, which can be used for the life of the user’s session. During this time, the receiving service might:
-
Obtain more information about the token to determine who the user is and which scopes the service can use with other receiving AWS services.
-
Pass the token in calls to other receiving AWS services that support the use of tokens.
-
Obtain identity-enhanced IAM role sessions that it can use to make requests to other AWS services that use AWS Signature Version 4.
Topics
Trusted identity propagation request flows for AWS managed applications
The following sections describe the ways in which an AWS managed application can obtain a token from IAM Identity Center to initiate trusted identity propagation.
Web-based, IAM Identity Center authentication
For this flow, the AWS managed application provides a web-based single sign-on experience using IAM Identity Center for authentication.
When a user opens an AWS managed application, a single sign-on flow that uses IAM Identity Center is triggered. If there isn't an active session for the user in IAM Identity Center, the user is presented with a sign-in page based on the identity source that you have specified, and IAM Identity Center creates a session for the user.
IAM Identity Center provides the AWS managed application with a token that includes the user’s identity and a list of audiences (Auds) and related scopes that the application is registered to use. The application can then use the token to make requests to other receiving AWS services.
Console-based, user-initiated authentication requests
For this flow, the AWS managed application provides a console experience that users initiate.
In this case, the AWS managed application is entered from the AWS Management Console after assuming a role. For the application to obtain a token, the user must initiate a process to trigger the application to authenticate the user. This initiates authentication using IAM Identity Center, which will redirect the user to the identity source that you have configured.
Identity-enhanced IAM role sessions
The AWS Security Token Service (STS) enables an AWS managed application or a customer managed application to obtain an identity-enhanced IAM role session. These identity-enhanced role sessions have an added identity context that propagates user identity to the AWS services that are called from the role session. This enables an application to use identity-enhanced role sessions when making requests to an AWS service, and the AWS service can authorize access to resources based on the user that is represented in the role session.
An application obtains an identity-enhanced role session by making a request
to the AWS STS AssumeRole API
action and passing a context assertion in the ProvidedContexts
parameter of the AssumeRole
request. The context assertion is
obtained from the idToken
claim that is available in the response
from the SSO OIDC CreateTokenWithIAM
request. This context adds the
userId
of the IAM Identity Center user to the identity-enhanced role session
context.
When an AWS managed application uses an identity-enhanced role session to
access a resource, CloudTrail logs the user’s identity (userId
), the
initiating session, and the action taken. For more information, see Identity-enhanced IAM role session logging.
Types of identity-enhanced IAM role sessions
AWS STS can create two different types of identity-enhanced IAM role sessions,
depending on the context assertion provided to the AssumeRole
request. AWS managed applications and customer managed applications that have
obtained Id tokens from IAM Identity Center can add sts:identiy_context
or
sts:audit_context
to IAM role sessions. An identity-enhanced
role session can have only one of these context assertions, not both. These
identity-enhanced role sessions can be used when calling any AWS
service.
Identity-enhanced IAM
role sessions created with sts:audit_context
AWS managed applications and customer managed applications may specify
sts:audit_context
in identity-enhanced role sessions. When
this is used, AWS services disregard the context in making authorization
decisions. Calling applications may receive an error if the service doesn't
have any role-based authorizations for the specified resources. Due to
recent changes in how sts:identity_context
is used in AWS
managed services, AWS recommends using sts:identity_context
rather than sts:audit_context
.
To obtain this type of identity-enhanced role session from AWS STS, AWS
managed applications and customer managed applications provide the value of
the sts:audit_context
field in the AssumeRole
request using the ProvidedContexts
request parameter. Use
arn:aws:iam::aws:contextProvider/IdentityCenter
as the
value for ProviderArn
.
Identity-enhanced IAM
role sessions created with sts:identity_context
When an identity-enhanced role session contains
sts:identity_context
the called AWS service determines if
resource authorization is based on the user who is represented in the role
session, or if it's based on the role.
AWS services that support user-based authorization provide the application's administrator with controls to assign access to the user or to groups for which the user is a member.
AWS services that do not support user-based authorization disregard the
sts:identity_context
. CloudTrail logs the userId
of
the IAM Identity Center user with all actions taken by the role. For more information, see
the Identity-enhanced IAM role session logging section below.
To obtain this type of identity-enhanced role session from AWS STS, AWS
managed applications and customer managed applications provide the value of
the sts:identity_context
field in the AssumeRole request using the ProvidedContexts
request parameter. Use
arn:aws:iam::aws:contextProvider/IdentityCenter
as the
value for ProviderArn
.
In some cases, if an AWS managed application or customer managed
application makes requests using sts:identity_context
it may
receive an error if the called AWS service supports
sts:identity_context
and is not connected to IAM Identity Center, or if
the requested resource is not configured for user or group-membership based
authorization.
To avoid this issue, do the following:
-
Verify that the receiving AWS service is connected to IAM Identity Center.
-
Use the console for the receiving AWS service or its APIs to configure authorization to its resources based on the user's identity or group memberships. The setup requirements for this vary based on the AWS service.
For more information on how the authorization behaves for AWS services
that support sts:identity_context
, see the documentation for
the receiving AWS service.
Identity-enhanced IAM role session logging
When a request is made to an AWS service using an identity-enhanced IAM
role session that is created with sts:audit_context
or the
sts:identity_context
, the user's IAM Identity Center userId
is
logged to CloudTrail in the OnBehalfOf
element. The way in which events
are logged in CloudTrail varies based on the AWS service. Not all AWS services log
the onBehalfOf
element.
The following is an example of how a request made to an AWS service using an identity-enhanced role session is logged in CloudTrail.
"userIdentity": { "type": "AssumedRole", "principalId": "AROAEXAMPLE:MyRole", "arn": "arn:aws:sts::111111111111:assumed-role/MyRole/MySession", "accountId": "111111111111", "accessKeyId": "ASIAEXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAEXAMPLE", "arn": "arn:aws:iam::111111111111:role/MyRole", "accountId": "111111111111", "userName": "MyRole" }, "attributes": { "creationDate": "2023-12-12T13:55:22Z", "mfaAuthenticated": "false" } }, "onBehalfOf": { "userId": "11111111-1111-1111-1111-1111111111", "identityStoreArn": "arn:aws:identitystore::111111111111:identitystore/d-111111111" } }