IAM OIDC attaching existing role

I am creating an OIDC provider for GitHub, but after creating it, attaching an existing IAM role does not work; only creating new IAM roles works. Once you click on "add existing role" it takes you to the role page and that's it.

Owais
asked a month ago, 115 views
3 Answers
That's expected behavior. When you want to configure an existing role to be assumable by the OIDC federation provider, you just need to allow it in the role's trust policy. So, when you click the button "Use an existing role" you get redirected to the IAM Role web page. There you search for the role you want to allow, and then edit its trust policy. Your new trust policy will look something like this:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-2:12345678-abcd-abcd-abcd-123456"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}
        }
    }
}

You will have to adapt the AUD value to match the OIDC provider you created in IAM. All the details are described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html

Hope this helps.

Best.

AWS
answered a month ago
EXPERT reviewed a month ago
  • Yes, I get redirected to the IAM role selection page there, but how do I select a role? There is only an option to create a role, not to assign one to the OIDC provider I created. The trust policy is fine, and I tested it by creating a new role. But I want to use an existing role, which doesn't seem to be possible.
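
The accepted answer's policy is written for Cognito; the asker's case is the GitHub Actions provider. The following is an added example, not code from the answer above or from AWS, showing what the trust-policy edit looks like for that case: a helper builds a web-identity statement for the standard GitHub provider (token.actions.githubusercontent.com, account id and repository are constructed values), merges it into an existing role's trust policy without dropping the principals the role already trusts, and flags the two mistakes that most often turn such a statement into an over-broad one (a missing audience check, or a `sub` condition that matches every repository).

```python
"""Merge a GitHub Actions OIDC trust statement into an existing IAM role's trust policy.

Added example for this thread (not code from the original answer or from AWS).
Assumes the GitHub OIDC provider already exists in IAM under its standard host,
token.actions.githubusercontent.com. Account id and repository are constructed.
"""
import copy
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def github_oidc_statement(account_id: str, repo: str, ref: str = "refs/heads/main") -> dict:
    """Build the statement that lets GitHub Actions assume the role.

    The aud condition pins the token audience to STS, and the sub condition pins
    it to one repository and branch, so a workflow in any other repository that
    uses the same provider cannot assume this role.
    """
    return {
        "Sid": "GitHubActionsOIDC",
        "Effect": "Allow",
        "Principal": {
            "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC_HOST}:sub": f"repo:{repo}:ref:{ref}",
            }
        },
    }


def add_oidc_trust(trust_policy: dict, statement: dict) -> dict:
    """Return a copy of an existing trust policy with the OIDC statement merged in.

    Statements already present (for example the EC2 service principal the role
    trusts today) are kept. A statement with the same Sid is replaced, so
    running this twice does not duplicate the grant.
    """
    policy = copy.deepcopy(trust_policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != statement["Sid"]]
    statements.append(statement)
    policy["Statement"] = statements
    policy.setdefault("Version", "2012-10-17")
    return policy


def check_oidc_statement(statement: dict) -> list:
    """Flag common weaknesses in a web-identity trust statement."""
    findings = []
    cond = statement.get("Condition", {})
    keys = {k for block in cond.values() for k in block}
    if f"{GITHUB_OIDC_HOST}:aud" not in keys:
        findings.append("no aud condition: any token audience would be accepted")
    sub_values = [v for block in cond.values() for k, v in block.items() if k.endswith(":sub")]
    if not sub_values:
        findings.append("no sub condition: any repository using this provider could assume the role")
    for v in sub_values:
        if isinstance(v, str) and (v in ("*", "repo:*") or v.startswith("repo:*")):
            findings.append(f"sub condition {v!r} matches every repository")
    return findings


# Constructed sample: an existing role that EC2 instances already assume.
EXISTING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    },
}

if __name__ == "__main__":
    stmt = github_oidc_statement("123456789012", "example-org/example-repo")
    merged = add_oidc_trust(EXISTING_TRUST_POLICY, stmt)
    print(json.dumps(merged, indent=2))
    print("findings:", check_oidc_statement(stmt) or "none")
```

The printed document is what you paste into the role's "Trust relationships" tab in the IAM console, or apply from a file with `aws iam update-assume-role-policy --role-name <ROLE> --policy-document file://trust.json`; that edit, not the "Use an existing role" button, is the step that attaches the existing role to the provider.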

Hi Owais,

It seems like there might be a bug or a permissions issue. You could try clearing your browser cache, using a different browser, or checking the role's trust relationship settings.

answered a month ago
  • Could be a bug, as I have tried different browsers, and the trust relationship also works (tested by creating a new role).

  • In the post you are creating a new role; I am facing the issue with using an existing one.
