Federating identity with AWS

About federating identity with AWS

Aporeto can provide your applications with shortlived AWS security tokens on demand via web identity federation. Using Aporeto as an OpenID Connect (OIDC) identity provider for your applications:

  • Makes it easy to obtain shortlived AWS security tokens.
  • Eliminates the need for storing, passing, or rotating long-lived credentials.
  • Allows you to use IAM roles for your applications instead of individual AWS accounts.

To enable applications to obtain AWS credentials from Aporeto, complete the following steps.


Local host:

Enforcer host:

Setting environment variables

  1. On your local host, set an AUDIENCE environment variable containing a value that identifies the applications allowed to access the third party resource. Applications that don’t provide the correct audience get rejected. You can use any string value.

    export AUDIENCE=i-deserve-a-token
  2. Set a NAMESPACE environment variable containing the namespace of the applications that will request credentials.

    export NAMESPACE=/acme/team-a
  3. Use the following command to retrieve the ID of the namespace and set it in a NAMESPACE_ID environment variable.

    export NAMESPACE_ID=$(apoctl api get namespace $NAMESPACE | jq --raw-output '.ID')
  4. Set your AWS account ID in an AWS_ACCOUNT_ID environment variable.

    export AWS_ACCOUNT_ID=523089932348


    You can find your AWS account ID under My Security Credentials in the AWS Management Console.

Enabling JSON web token signing

Issue the following command to enable JSON web token (JWT) signing in the namespace of the processing units.

apoctl api update namespace $NAMESPACE_ID -k JWTCertificateType RSA


For maximum interoperability, we set the algorithm to RSA above. To use the more secure ECDSA algorithm, replace RSA with EC. Both options use 256-bit keys. For more information about the algorithms, refer to RFC-7518.

Adding Aporeto as an AWS identity provider

  1. Open the AWS IAM Identity Providers page.

  2. Click Create Provider.

  3. Select OpenID Connect as the Provider Type.

  4. Return to your terminal and issue the following command to obtain the URL of your Aporeto identity provider. Copy the returned value to your clipboard.

    apoctl api list oauthinfo in namespace $NAMESPACE_ID | jq --raw-output '.[].issuer'
  5. Return to the AWS Management Console and paste the URL of your Aporeto identity provider into the Provider URL box.

  6. Select the audience that should be allowed.


    If you don’t remember the value you’re using for audience, type echo $AUDIENCE in your terminal.

  7. Click Next Step.

  8. Click Create.

  9. Return to your terminal and use the following command to create a JSON file containing the IAM policy for your Aporeto identity provider.

    cat >> idp_iam_policy.json <<EOL
    cat idp_iam_policy.json
  10. Use the following command to pass the policy file to AWS and create the IAM role.

    aws iam create-role --role-name aporeto-idp --assume-role-policy-document file://idp_iam_policy.json

    AWS should return a JSON object containing the role.

Creating a token scope policy

Use the following command to create a token scope policy.

cat <<EOF | apoctl api create tokenscopepolicy -n $NAMESPACE -f -
name: aws-tokens
description: AWS token scopes and claims
propagate: true
assignedAudience: "i-deserve-a-token"
- "@awsrole=arn:aws:iam::$AWS_ACCOUNT_ID:role/aporeto-idp"
- - "@auth:account=$AWS_ACCOUNT_ID"

Verifying the setup

  1. SSH into a host equipped with an enforcer in the namespace.

    ssh -i "private-key.pem"
  2. Ensure your AWS CLI credentials are cleared.

    aws configure
  3. Clear the following values.

    AWS Access Key ID [None]: 
    AWS Secret Access Key [None]:
  4. You must set your region. An example follows.

    Default region name [None]: us-west-2
  5. Check to see what your caller identity is.

    aws sts get-caller-identity

    It should return the name of the IAM role that you attached to your EC2 instance. An example follows.

      "UserId": "AROAIBVRWYRACESUSAFPK:i-0b23fc41ae2742d67",
      "Account": "523089932348",
      "Arn": "arn:aws:sts::523089932348:assumed-role/aporeto/i-0b53fc41af2742d67"
  6. Start a bash session wrapped by the Aporeto enforcer. Aporeto recognizes the bash session as a processing unit, allowing you to request an Aporeto token from the enforcer.

    enforcerd run /bin/bash
  7. Request an Aporeto token from the enforcer, save it in a file, and verify the result.

    curl -o aporeto-jwt -H "X-Aporeto-Metadata: secrets"
    cat aporeto-jwt
  8. Close the bash session.

  9. Set an AWS_WEB_IDENTITY_TOKEN_FILE environment variable containing the name of the file.

    export AWS_WEB_IDENTITY_TOKEN_FILE=aporeto-jwt
  10. Set an AWS_ROLE_ARN environment variable containing the name of the IAM role you created earlier.

    export AWS_ROLE_ARN="arn:aws:iam::523089932348:role/aporeto-idp"
    echo $AWS_ROLE_ARN
  11. Check your identity again.

    aws sts get-caller-identity

    It should return something like the following.

      "UserId": "AROA5PHZTVM2UXG4ECDIE:botocore-session-1582845857",
      "Account": "523089932348",
      "Arn": "arn:aws:sts::523089932348:assumed-role/aporeto-idp/botocore-session-1582845857"

Congratulations! You’ve succeeded in exchanging an Aporeto token for an AWS security token.

Next steps

To learn more about the token endpoint, check out the Enforcer API reference documentation .