OIDC
Buddy supports OIDC both for pipeline integrations with Amazon Web Services and for SSO login. In this guide you will learn how to configure OIDC for pipelines.
OIDC provider configuration
- Sign in to AWS IAM and go to Access Management → Identity providers.
- Click Add provider.
Switch the type to OpenID Connect and fill in the details:
- Provider URL → https://oidc.buddyusercontent.com (US accounts) or https://eu-oidc.buddyusercontent.com (EU accounts)
- Audience → https://app.buddy.works/WORKSPACE_URL_HANDLE or custom
- Click Add provider to continue.
Adding a new role
- Go to Access Management → Roles and click Create Role.
- Switch the type to Web identity, and select the created identity provider and audience.
- Proceed to the next step and define the permission policies.
- Proceed to the next step and define the role's name, description and tags.
- Click Create to add the role, then go to its details and copy the role's ARN.
Buddy configuration
- Sign in to your Buddy account and go to Integrations.
- Click New integration and select AWS.
Define the integration details:
- enter the name and define the sharing scope
- switch the authorization method to OIDC
- paste the ARN from the AWS role
- paste the audience from the OIDC provider → https://app.buddy.works/WORKSPACE_URL_HANDLE or custom
- Click the button to finish configuration.
Restricting role to integration
To ensure that your AWS role is restricted exclusively to this integration, you must define additional conditions for it.
- Go to the created integration in Buddy and copy the Subject.
- Switch to AWS and go to the role details.
- Switch to the Trust relationships and click Edit trust policy.
- Change the condition to the following:
"Condition": {
  "StringEquals": {
    "oidc.buddyusercontent.com:aud": "https://app.buddy.works/WORKSPACE_URL_HANDLE",
    "oidc.buddyusercontent.com:sub": "AWS_INTEGRATION_SUBJECT"
  }
}
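As an added check that is not part of this guide or of Buddy's or AWS's tooling, the following Python script audits a role trust policy document (for example one fetched with `aws iam get-role`) for the conditions above: it reports a web-identity statement whose principal is not a Buddy OIDC provider, one that does not pin the audience, and one whose subject is absent or only matched with a StringLike wildcard. The provider ARN, the account ID 123456789012 and the three sample policies are constructed for illustration.

```python
import json

# Buddy OIDC issuer hosts named in the guide; IAM condition keys are "<host>:aud" and "<host>:sub".
BUDDY_OIDC_HOSTS = ("oidc.buddyusercontent.com", "eu-oidc.buddyusercontent.com")


def audit_trust_policy(policy: dict) -> list:
    """Return findings for a role trust policy used by a Buddy OIDC integration.

    An empty list means every web-identity statement pins both the audience and
    the integration subject with StringEquals, as the guide's final step requires.
    Hypothetical helper (not Buddy's or AWS's code); assumes Principal.Federated is one ARN string.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        host = next((h for h in BUDDY_OIDC_HOSTS if federated.endswith("oidc-provider/" + h)), None)
        if host is None:
            findings.append("principal is not a Buddy OIDC provider: %r" % federated)
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if not equals.get(host + ":aud"):
            findings.append("no StringEquals on %s:aud (workspace audience not pinned)" % host)
        if not equals.get(host + ":sub"):
            # A StringLike sub with a wildcard still lets other Buddy tokens assume the role.
            like_sub = cond.get("StringLike", {}).get(host + ":sub")
            detail = "only StringLike %r" % like_sub if like_sub else "absent"
            findings.append("integration subject not pinned: %s:sub is %s" % (host, detail))
    return findings


def make_policy(condition: dict) -> dict:
    """Build a constructed trust policy for the US Buddy issuer with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.buddyusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


AUD = "https://app.buddy.works/WORKSPACE_URL_HANDLE"  # placeholder audience from the guide
WEAK = make_policy({"StringEquals": {"oidc.buddyusercontent.com:aud": AUD}})
WILDCARD = make_policy({"StringEquals": {"oidc.buddyusercontent.com:aud": AUD},
                        "StringLike": {"oidc.buddyusercontent.com:sub": "*"}})
HARDENED = make_policy({"StringEquals": {"oidc.buddyusercontent.com:aud": AUD,
                                         "oidc.buddyusercontent.com:sub": "AWS_INTEGRATION_SUBJECT"}})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("wildcard", WILDCARD), ("hardened", HARDENED)):
        print(name, json.dumps(audit_trust_policy(pol)))
```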
Last modified on July 27, 2023