IAM Condition keys: How to access nested attributes in custom OIDC token claims?


According to the docs, only a certain subset of claims in an OIDC token can be used as IAM condition keys.

After tinkering around with it for a bit, I discovered that the email claim is also supported (i.e. foo.onelogin.com/oidc/2:email); however, this is not documented.

Assuming I have an ID token like the following:

  {
    "sub": "...",
    "email": "my-email@example.com",
    "preferred_username": "some-user",
    "name": "Some Person",
    "params": {
      "department": "engineering"
    },
    "at_hash": "...",
    "sid": "....",
    "aud": "....",
    "exp": 1643911968,
    "iat": 1643904768,
    "iss": "https://foo.onelogin.com/oidc/2"
  }

How would one be able to create a trust policy that restricts access based on params.department?

The following trust policy does not work:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "foo.onelogin.com/oidc/2:params.department": "engineering",
            "foo.onelogin.com/oidc/2:aud": "...."
          }
        }
      }
    ]
  }
Asked 2 years ago, 116 views
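The failure mode in the question (a condition key built from a nested claim path that STS will never match) is easy to catch before a policy is deployed. The following is an added example, not code from the question or from AWS: a small trust-policy linter that flags `sts:AssumeRoleWithWebIdentity` statements whose provider-scoped condition keys reference a nested path such as `params.department`, or a claim outside the flat set STS exposes, and that warns when the statement does not pin `aud`. The supported-claim set is an assumption based on the question itself (`aud`/`sub`/`amr` per the docs, `email` as observed working); the two sample policies are constructed for the demonstration, with the second one deliberately omitting the audience condition.

```python
"""Lint an IAM role trust policy for OIDC federation pitfalls (added example)."""
import json

# Assumption: claims STS exposes as flat "<provider>:<claim>" condition keys.
# Nested JSON paths (e.g. "params.department") are never matched by STS.
SUPPORTED_CLAIMS = {"aud", "sub", "amr", "email"}


def oidc_condition_keys(condition: dict, provider: str):
    """Yield (operator, claim) for every condition key scoped to `provider`."""
    prefix = provider + ":"
    for operator, mapping in condition.items():
        for key in mapping:
            if key.startswith(prefix):
                yield operator, key[len(prefix):]


def lint_trust_policy(policy: dict) -> list[str]:
    """Return human-readable findings for each web-identity Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        # Condition keys use the provider URL that follows "oidc-provider/" in the ARN.
        provider = federated.split("oidc-provider/", 1)[-1]
        claims_used = set()
        for _operator, claim in oidc_condition_keys(stmt.get("Condition", {}), provider):
            claims_used.add(claim)
            if "." in claim:
                findings.append(
                    f"statement {i}: nested claim path '{claim}' is not a valid "
                    f"condition key; STS only matches top-level claims"
                )
            elif claim not in SUPPORTED_CLAIMS:
                findings.append(
                    f"statement {i}: claim '{claim}' is not in the assumed set of "
                    f"STS-exposed condition keys {sorted(SUPPORTED_CLAIMS)}"
                )
        if "aud" not in claims_used:
            findings.append(
                f"statement {i}: no audience ({provider}:aud) restriction; any token "
                f"issued by this provider could assume the role"
            )
    return findings


# Constructed sample: the trust policy from the question, braces restored.
QUESTION_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "foo.onelogin.com/oidc/2:params.department": "engineering",
      "foo.onelogin.com/oidc/2:aud": "...."
    }}
  }]
}
""")

# Constructed sample: same statement with the audience condition dropped.
NO_AUD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"foo.onelogin.com/oidc/2:sub": "some-user"}}
  }]
}
""")

if __name__ == "__main__":
    for name, pol in (("question policy", QUESTION_TRUST_POLICY), ("no-aud policy", NO_AUD_POLICY)):
        print(f"== {name}")
        for finding in lint_trust_policy(pol):
            print(" -", finding)
```

Running the module prints one finding for the question's policy (the nested `params.department` key) and one for the second policy (missing `aud`). The `aud` check is the part worth keeping in a CI step: a web-identity trust policy that only filters on a custom claim, or on nothing, admits every token the identity provider issues, regardless of which application it was minted for.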