Leveraging Trusted Identity Propagation for Programmatic Access to AWS Services | Amazon Web Services




The new trusted identity propagation feature of AWS IAM Identity Center lets users sign in to applications running in Amazon Web Services (AWS) with their workforce identity from an identity provider (IdP) such as Okta or Microsoft Entra ID. Users no longer need to know which IAM role grants access to which data, or hold local database credentials. Some AWS managed applications offer a native setup experience for trusted identity propagation, but other use cases require a custom integration. This blog post introduces a sample CLI application that lets users access AWS services using their workforce identity from an IdP such as Okta or Microsoft Entra ID.

In the solution, the user authenticates with the chosen IdP through an OpenID Connect flow built on OAuth 2.0 and receives an ID token. The CLI exchanges that token with IAM Identity Center for an Identity Center token, and then exchanges the identity context carried in that token with AWS STS for short-lived IAM role credentials that carry the user's identity, so AWS services authorize requests on behalf of the workforce identity that signed in to the IdP. Integrated with the AWS CLI, this lets users call AWS services natively as their signed-in identity.

To set up the solution, you need a basic understanding of trusted identity propagation and of S3 Access Grants concepts and features; the earlier blog posts on developing a user-facing data application with IAM Identity Center and S3 Access Grants cover the setup in detail. Architecturally, the CLI application is a chain of token exchanges between the parties involved (the IdP, IAM Identity Center, AWS STS and the target service), each step carrying the workforce identity forward so that the user interacts with AWS services as that identity.

Implementing the solution requires two AWS accounts: one that hosts the application, and the IAM Identity Center administrator account. Setup consists of creating an OIDC application in Okta and a custom application in IAM Identity Center. The CLI application can generate an AWS CloudFormation template that creates the IAM roles the token exchange needs.

Once the application is installed and configured, users can query Athena tables, interact with Amazon Q Business, and read S3 objects through the AWS CLI. For S3, the application calls S3 Access Grants to obtain short-lived IAM credentials scoped to a specific S3 URI. Overall, the solution shows how trusted identity propagation can give business users access to AWS services without having to handle IAM credentials or complex configuration themselves.
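The following is an added example, not code from the AWS post or its sample CLI, showing the token-exchange chain described above (IdP ID token to IAM Identity Center token to STS role session) and the final S3 Access Grants step, together with the JSON an AWS CLI `credential_process` must print. The AWS clients are injected so the code runs offline; `FakeAws`, the ARNs, the account ID, the bucket name and the unsigned demo JWT are all constructed fixtures. With real boto3 clients in place of `FakeAws` (`boto3.client("sso-oidc")`, `boto3.client("sts")`, and an `s3control` client built from the step-2 credentials), the calls are the documented `CreateTokenWithIAM`, `AssumeRole` with `ProvidedContexts`, and `GetDataAccess` APIs.

```python
"""Trusted identity propagation token-exchange chain, with credential_process output.
Added example; AWS clients are injected so it runs offline (see FakeAws below)."""
import base64
import json
import time

IDC_CONTEXT_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/IdentityCenter"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature. Acceptable here only
    because the token was just returned by the Identity Center API over TLS and the
    single claim read is forwarded to STS, which validates it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_context(idc_id_token: str, now=None) -> str:
    """Extract sts:identity_context, refusing expired tokens and tokens from an
    Identity Center application not set up for trusted identity propagation."""
    claims = jwt_claims(idc_id_token)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("Identity Center token expired; sign in to the IdP again")
    if "sts:identity_context" not in claims:
        raise ValueError("no sts:identity_context claim; check the Identity Center application setup")
    return claims["sts:identity_context"]


def exchange(idp_id_token, sso_oidc, sts, *, idc_app_client_id, role_arn,
             session_name, duration=3600, now=None) -> dict:
    """Steps 1 and 2. The role's trust policy must allow the caller both
    sts:AssumeRole and sts:SetContext, or AssumeRole rejects ProvidedContexts."""
    tok = sso_oidc.create_token_with_iam(
        clientId=idc_app_client_id, grantType=JWT_BEARER, assertion=idp_id_token)
    ctx = identity_context(tok["idToken"], now)
    session = sts.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration,
        ProvidedContexts=[{"ProviderArn": IDC_CONTEXT_PROVIDER_ARN, "ContextAssertion": ctx}])
    return session["Credentials"]


def s3_grant_credentials(s3control, *, account_id, s3_uri, permission="READ") -> dict:
    """Step 3. `s3control` must be built from the step-2 credentials: S3 Access
    Grants evaluates the identity context those credentials carry."""
    resp = s3control.get_data_access(AccountId=account_id, Target=s3_uri, Permission=permission)
    return resp["Credentials"]


def credential_process_output(creds: dict) -> str:
    """JSON the AWS CLI expects from a credential_process (Version 1). boto3 returns
    Expiration as a datetime; the fake below returns an ISO 8601 string."""
    exp = creds["Expiration"]
    if hasattr(exp, "isoformat"):
        exp = exp.isoformat()
    return json.dumps({"Version": 1, "AccessKeyId": creds["AccessKeyId"],
                       "SecretAccessKey": creds["SecretAccessKey"],
                       "SessionToken": creds["SessionToken"], "Expiration": exp})


# ---- constructed offline fixtures (not real tokens, ARNs, accounts or keys) ----
def unsigned_jwt(claims: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


DEMO_IDC_TOKEN = unsigned_jwt({"sts:identity_context": "ctx-demo", "exp": 4102444800})


class FakeAws:
    """Stand-in for the boto3 sso-oidc, sts and s3control clients: records each
    call and returns responses with the real APIs' shapes."""
    def __init__(self, idc_token=DEMO_IDC_TOKEN):
        self.idc_token, self.calls = idc_token, []

    def create_token_with_iam(self, **kw):
        self.calls.append(("CreateTokenWithIAM", kw))
        return {"idToken": self.idc_token, "expiresIn": 3600}

    def assume_role(self, **kw):
        self.calls.append(("AssumeRole", kw))
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "y", "Expiration": "2030-01-01T00:00:00Z"}}

    def get_data_access(self, **kw):
        self.calls.append(("GetDataAccess", kw))
        return {"Credentials": {"AccessKeyId": "ASIAGRANT", "SecretAccessKey": "x",
                                "SessionToken": "z", "Expiration": "2030-01-01T00:00:00Z"},
                "MatchedGrantTarget": kw["Target"]}


def run_demo():
    """Whole chain against the fake; returns (role creds, grant creds, fake client)."""
    aws = FakeAws()
    creds = exchange("idp.id.token", aws, aws,
                     idc_app_client_id="arn:aws:sso::111122223333:application/ssoins-demo/apl-demo",
                     role_arn="arn:aws:iam::111122223333:role/TipTokenExchangeRole",
                     session_name="alice")
    grant = s3_grant_credentials(aws, account_id="111122223333", s3_uri="s3://demo-bucket/finance/*")
    return creds, grant, aws


if __name__ == "__main__":
    print(credential_process_output(run_demo()[1]))
```

To wire this into the AWS CLI the way the post describes, the script's printed JSON is what a `credential_process = ...` entry in an `~/.aws/config` profile consumes; the CLI re-runs the process when `Expiration` passes, which is why the expiry check on the Identity Center token matters: a cached, expired token would otherwise fail at `AssumeRole` with a less helpful error.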

Article Source
https://aws.amazon.com/blogs/security/access-aws-services-programmatically-using-trusted-identity-propagation/