OIDC for AWS

What is AWS OIDC

OIDC (OpenID Connect) is an identity layer on top of the OAuth 2.0 protocol: the identity provider issues a signed ID token (a JWT) stating who the caller is, and the relying party verifies that signature instead of holding the caller's password or keys. In AWS, IAM can be configured to trust an external OIDC provider; a client holding one of that provider's tokens exchanges it through STS (AssumeRoleWithWebIdentity) for short-lived credentials of an IAM role, so no long-lived access keys have to be stored on the client side.

As an alternative to authorization with static access keys, the Buddy web application provides OIDC support for pipeline integration with Amazon cloud services, and for SSO login.

In this guide you will learn how to configure OIDC for your identity in the Amazon management console.

OIDC provider configuration

  1. Sign in to your AWS account and open the AWS Identity and Access Management (IAM) dashboard.
  2. Go to Access Management → Identity providers.
  3. Click Add provider.
  4. Switch the type to OpenID Connect and fill in the details:

    • Provider URL: https://oidc.buddyusercontent.com (US accounts) or https://eu-oidc.buddyusercontent.com (EU accounts)
    • Audience: https://app.buddy.works/WORKSPACE_URL_HANDLE or custom

[Image: Adding AWS identity provider]

  5. Click Add provider to continue.

Adding new role

  1. Navigate to Access Management → Roles and click Create Role.
  2. Switch the type to Web identity, and select the created identity provider and audience:

[Image: Creating IAM role]

  3. Proceed to the next step and define the permission policies (attach only the permissions the pipeline actually needs).
  4. Proceed to the next step and define the role's name, description and tags.
  5. Click Create to add the role, then go to its details and copy the role's ARN.

[Image: IAM role details]

Buddy configuration

  1. Sign in to your Buddy account and go to Integrations.
  2. Click New integration and select AWS.
  3. Define the integration details:

    • enter the name and define the sharing scope
    • switch the authorization method to OIDC
    • paste the ARN from the AWS role
    • paste the audience from the OIDC provider: https://app.buddy.works/WORKSPACE_URL_HANDLE or custom

[Image: OIDC integration configuration]

  4. Click the button to finish configuration.

Restricting role to integration

Warning
The audience value identifies the whole workspace, so the default trust policy (aud condition only) lets any token Buddy issues for that workspace assume the role. To restrict the role exclusively to this integration, you must add a condition on the token's subject as well.
  1. Go to the created integration in Buddy and copy the Subject.
  2. Switch to AWS and go to the role details.
  3. Switch to the Trust relationships and click Edit trust policy.
  4. Change the condition to the following. The condition key prefix is the host of the provider URL you registered, so EU accounts use eu-oidc.buddyusercontent.com:aud and eu-oidc.buddyusercontent.com:sub instead:

```json
"Condition": {
  "StringEquals": {
    "oidc.buddyusercontent.com:aud": "https://app.buddy.works/WORKSPACE_URL_HANDLE",
    "oidc.buddyusercontent.com:sub": "AWS_INTEGRATION_SUBJECT"
  }
}
```

[Image: Restricting role to integration]
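The following Python script is an added example, not code from Buddy or AWS. It builds the complete trust policy for the role (the standard AWS web identity trust policy: a Federated principal pointing at the IAM OIDC provider, the sts:AssumeRoleWithWebIdentity action, and the aud/sub conditions from this guide) and then runs a small check over a policy document to confirm that every statement granting AssumeRoleWithWebIdentity is pinned to the expected provider host, audience and integration subject. The account ID, the audience and the subject are placeholders; the check function is illustrative and is not an AWS API.

```python
import json

# Assumed placeholder values; substitute your own.
PROVIDER_HOST = "oidc.buddyusercontent.com"   # "eu-oidc.buddyusercontent.com" for EU accounts
AUDIENCE = "https://app.buddy.works/WORKSPACE_URL_HANDLE"
SUBJECT = "AWS_INTEGRATION_SUBJECT"            # the Subject shown on the integration in Buddy
ACCOUNT_ID = "123456789012"                    # placeholder AWS account ID


def trust_policy(provider_host, audience, subject=None):
    """Build the role's trust policy document.

    With subject=None this is the aud-only policy the console generates for a
    web identity role; with a subject it is the restricted policy from the guide.
    """
    conditions = {f"{provider_host}:aud": audience}
    if subject is not None:
        conditions[f"{provider_host}:sub"] = subject
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{provider_host}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": conditions},
            }
        ],
    }


def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, provider_host, audience, subject):
    """Return findings for every Allow statement granting AssumeRoleWithWebIdentity.

    An empty list means each such statement is pinned to this provider host,
    exactly this audience and exactly this one integration subject.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else principal
        if not str(federated).endswith(f":oidc-provider/{provider_host}"):
            findings.append(f"federated principal {federated!r} is not the {provider_host} provider")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        expected = {f"{provider_host}:aud": audience, f"{provider_host}:sub": subject}
        for key, want in expected.items():
            if key not in equals:
                findings.append(f"missing StringEquals condition on {key}")
            elif _as_list(equals[key]) != [want]:
                # A list of several values, or a different value, widens the role.
                findings.append(f"{key} is {equals[key]!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    restricted = trust_policy(PROVIDER_HOST, AUDIENCE, SUBJECT)
    print(json.dumps(restricted, indent=2))  # paste this into "Edit trust policy"
    print("restricted:", check_trust_policy(restricted, PROVIDER_HOST, AUDIENCE, SUBJECT))
    console_default = trust_policy(PROVIDER_HOST, AUDIENCE)
    print("aud only:", check_trust_policy(console_default, PROVIDER_HOST, AUDIENCE, SUBJECT))
```

Running the script prints the full policy to paste into the trust relationship editor, reports no findings for it, and reports the missing sub condition for the console's aud-only default. Pointing the check at a policy written for the other region's provider host produces findings for the principal and both condition keys, which is the mistake to look for when an EU workspace is configured with the US key prefix.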

Last modified on Sep 23, 2024