That's expected behavior. When you want to configure an existing role to be assumable by the OIDC federation provider, you just need to allow it in the role's trust policy. So, when you click on the "Use an existing role" button you get redirected to the IAM Role web page. Then you search for the role you want to allow, and then edit the trust policy. Your new trust policy will look something like this:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-2:12345678-abcd-abcd-abcd-123456"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}
        }
    }
}
Where you will have to adapt your AUD to align it to your OIDC provider created in IAM. You have all the details described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
Hope this helps.
Best.
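The procedure in the answer above (edit the trust policy of a role that already exists, rather than creating a new one) as an added example that is not part of the original answer or of any AWS documentation. It assumes a GitHub Actions OIDC provider (issuer host token.actions.githubusercontent.com, audience sts.amazonaws.com); the account ID, role name and repository are constructed placeholders. The script builds the web-identity statement, merges it into the role's existing trust policy without dropping the statements already there, audits the result for an overly broad `sub` condition, and only talks to AWS if you uncomment the final call.

```python
"""Added example: build, merge, audit and optionally apply an OIDC trust
policy on an EXISTING IAM role. Not code from the re:Post answer.

Assumed values: ACCOUNT_ID, the GitHub Actions issuer host and the
repository in ALLOWED_SUBJECTS are constructed placeholders.
"""
import copy
import json

# Constructed placeholders: replace with your own account, provider and repo.
ACCOUNT_ID = "123456789012"
PROVIDER_HOST = "token.actions.githubusercontent.com"   # GitHub Actions OIDC issuer host
AUDIENCE = "sts.amazonaws.com"                          # aud claim requested by the workflow
ALLOWED_SUBJECTS = ["repo:example-org/example-repo:ref:refs/heads/main"]


def build_oidc_trust_statement(account_id, provider_host, audience, allowed_subjects):
    """One trust-policy statement letting the IAM OIDC provider assume the role,
    pinned to an audience and to specific sub claims (least privilege)."""
    return {
        "Effect": "Allow",
        "Principal": {
            "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{provider_host}:aud": audience},
            "StringLike": {f"{provider_host}:sub": list(allowed_subjects)},
        },
    }


def _statements(policy):
    """IAM accepts 'Statement' as a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def merge_trust_statement(existing_policy, new_statement):
    """Return a copy of an existing role's trust policy with new_statement
    appended, keeping the statements it already has (e.g. a Service principal)."""
    merged = copy.deepcopy(existing_policy)
    stmts = _statements(merged)
    if new_statement not in stmts:
        stmts.append(copy.deepcopy(new_statement))
    merged["Statement"] = stmts
    merged.setdefault("Version", "2012-10-17")
    return merged


def audit_trust_policy(policy, provider_host):
    """Findings for web-identity statements that lack an aud check, lack a sub
    check, or use a sub pattern matching any repository."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(f"{provider_host}:aud")
        if aud is None:
            findings.append(f"statement {i}: no {provider_host}:aud condition")
        sub = (cond.get("StringLike", {}).get(f"{provider_host}:sub")
               or cond.get("StringEquals", {}).get(f"{provider_host}:sub"))
        if sub is None:
            findings.append(f"statement {i}: no {provider_host}:sub condition")
        else:
            subs = sub if isinstance(sub, list) else [sub]
            if any(s == "*" or s.startswith("repo:*") for s in subs):
                findings.append(f"statement {i}: sub pattern matches any repository")
    return findings


def apply_trust_policy(role_name, policy):
    """Write the trust policy onto the existing role (needs credentials with
    iam:UpdateAssumeRolePolicy). boto3 is imported lazily so the rest runs offline."""
    import boto3
    boto3.client("iam").update_assume_role_policy(
        RoleName=role_name, PolicyDocument=json.dumps(policy)
    )


if __name__ == "__main__":
    # Constructed stand-in for the trust policy an existing role already carries.
    existing = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow",
                              "Principal": {"Service": "ec2.amazonaws.com"},
                              "Action": "sts:AssumeRole"}}
    new = build_oidc_trust_statement(ACCOUNT_ID, PROVIDER_HOST, AUDIENCE, ALLOWED_SUBJECTS)
    merged = merge_trust_statement(existing, new)
    print(json.dumps(merged, indent=2))
    print("findings:", audit_trust_policy(merged, PROVIDER_HOST) or "none")
    # apply_trust_policy("my-existing-role", merged)  # uncomment to update the real role
```

Merging rather than replacing matters because `update-assume-role-policy` overwrites the whole trust policy; a role that an EC2 instance or a Lambda function already assumes would otherwise lose that trust. The audit step is the check worth keeping in a pipeline: a `sub` condition of `repo:*` would let any repository on the provider assume the role.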
Hi Owais,
It seems like there might be a bug or a permissions issue. You could try clearing your browser cache, using a different browser, or checking the role's trust relationship settings.
Could be a bug, as I have tried different browsers and the trust relationship also works (tested with creating a new role).
I did that recently in a post I wrote: https://medium.com/aws-in-plain-english/no-long-term-aws-credentials-in-your-pipeline-secure-github-actions-0420127b89ea.
For AWS reference, you can look here: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/?source=post_page-----0420127b89ea--------------------------------
In the post you are creating a new role; I am facing an issue with using an existing one.
Yes, I get redirected to the IAM role selection page there, but how do I select a role? There is only the option to create a role, not to assign the OIDC provider I created. The trust policy is fine and I tested it by creating a new role. But I want to use an existing role, which doesn't seem to be possible.