OIDC with AWS

See the general OIDC documentation before diving into the AWS-specific setup.

AWS Specific Setup

When configuring the token in the Mint Vault UI, it's customary to name the token aws and set the audience to sts.amazonaws.com. You can then reference the token in your Mint run with:

${{ vaults.your_vault.oidc.aws }}

After configuring AWS to accept the token, you can use the aws/assume-role leaf and pass the token in via the oidc-token parameter. See the documentation for the aws/assume-role leaf.

OIDC Provider

See the AWS documentation on Creating OpenID Connect (OIDC) identity providers.

Set the provider URL to https://cloud.rwx.com/mint.

Set the audience to the value that you configured in the Mint Vault UI, which is customarily sts.amazonaws.com.

OIDC Role

Follow the AWS documentation on creating a role for OpenID Connect Federation.

You'll want to add a condition based on the aud and sub claims of the OIDC token.

You can find the value that you should set for sub in the Vaults UI, on the token that you configured.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678910:oidc-provider/cloud.rwx.com/mint"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cloud.rwx.com/mint:aud": "sts.amazonaws.com",
          "cloud.rwx.com/mint:sub": "mint:your-org-uuid:your_vault_name"
        }
      }
    }
  ]
}
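The trust policy above only restricts who can assume the role if both the aud and sub conditions are present: without aud the role accepts a Mint token minted for any audience, and without sub any Mint vault in any organization could assume it. The following is an added example, not part of the RWX/Mint documentation or AWS tooling: a small linter that parses a trust policy and reports Allow statements for the cloud.rwx.com/mint provider that do not pin both claims with StringEquals. The provider host, claim names and account number come from the page; the three sample policies are constructed for illustration.

```python
"""Check an IAM role trust policy for the Mint OIDC aud and sub conditions.

Added example, not the project's own code. The provider host and claim key
names are the ones shown on the page; the sample policies are constructed.
"""
import json

PROVIDER_HOST = "cloud.rwx.com/mint"           # provider URL host/path from the page
ACTION = "sts:AssumeRoleWithWebIdentity"
REQUIRED_CLAIMS = (f"{PROVIDER_HOST}:aud", f"{PROVIDER_HOST}:sub")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements that let the Mint OIDC provider
    call AssumeRoleWithWebIdentity without a StringEquals pin on aud and sub.
    An empty list means every such statement is pinned."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if ACTION not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {idx}: Principal is '*'")
            continue
        federated = _as_list((principal or {}).get("Federated"))
        if not any(p.endswith(f":oidc-provider/{PROVIDER_HOST}") for p in federated):
            continue  # some other identity provider; out of scope for this check
        condition = stmt.get("Condition") or {}
        equals = condition.get("StringEquals") or {}
        for claim in REQUIRED_CLAIMS:
            if claim in equals:
                continue
            # StringLike with a wildcard (e.g. "mint:org:*") matches more than one
            # vault; report it so the reviewer decides whether that breadth is intended.
            if any(claim in (condition.get(op) or {}) for op in condition):
                findings.append(
                    f"statement {idx}: {claim} is matched with an operator other than StringEquals")
            else:
                findings.append(f"statement {idx}: no condition on {claim}")
    return findings


# Constructed sample policies. GOOD_POLICY mirrors the one on the page.
_BASE = {
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::012345678910:oidc-provider/cloud.rwx.com/mint"},
    "Action": ACTION,
}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [dict(_BASE, Condition={
    "StringEquals": {f"{PROVIDER_HOST}:aud": "sts.amazonaws.com",
                     f"{PROVIDER_HOST}:sub": "mint:your-org-uuid:your_vault_name"}})]})
# Missing sub: any Mint vault in any org could assume the role.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [dict(_BASE, Condition={
    "StringEquals": {f"{PROVIDER_HOST}:aud": "sts.amazonaws.com"}})]})
# sub pinned only by a wildcard StringLike pattern (constructed value).
LIKE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [dict(_BASE, Condition={
    "StringEquals": {f"{PROVIDER_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{PROVIDER_HOST}:sub": "mint:your-org-uuid:*"}})]})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY), ("like", LIKE_POLICY)):
        print(name, check_trust_policy(policy) or "ok")
```

Run it against the trust policy you attach to the role (for example the output of `aws iam get-role` for that role) before wiring the aws/assume-role leaf in; the check is deliberately scoped to statements naming the cloud.rwx.com/mint provider so it can be dropped into a review of a policy that also trusts other providers.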