Auth0 Home Blog Docs

How to set audience for AWS IAM Identity Provider configuration?


#1

I’m trying to generate temporary credentials in AWS using the AssumeRoleWithWebIdentity endpoint, with Auth0 as my Identity Provider. I’ve got everything set up correctly as far as I can tell, but I can’t seem to figure out how to set the audience properly so that the IAM IdP configuration and Auth0 agree. I’ve gone so far as to create a custom API hoping that by setting its identifier to a non-URL that would let me set the audience for Auth0 calls against this API, but it seems like it still uses the domain as audience, vs. the name I chose.

That is, I have set the identifier/audience in my custom API to be test-auth0-integration-2018-07-09, and when I make the initial call with that audience, it appears to work (swapped out names/credentials below if it’s not obvious):

$ curl --request POST \
>   --url https://my-app.auth0.com/oauth/token \
>   --header 'content-type: application/json' \
>   --data '{"client_id":"<client-id>","client_secret":"<client-secret>,"audience":"test-auth0-integration-2018-07-09","grant_type":"client_credentials"}'

# Response:
{"access_token":"<some-token>","expires_in":86400,"token_type":"Bearer"}

Then I make the call to STS with the token I got back:

$ curl --request POST --url "https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&Version=2011-06-15&RoleArn=<some-arn>&RoleSessionName=me&WebIdentityToken=<some-token>"

…and it fails, and the audience is the URL vs. the identifier, as I had hoped:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidIdentityToken</Code>
    <Message>No OpenIDConnect provider found in your account for https://my-app.auth0.com/</Message>
  </Error>
  <RequestId>0e43d2f0-839d-11e8-9480-c9663281aad0</RequestId>
</ErrorResponse>

What am I doing wrong? How do I set the audience on the Auth0 side so it is consistent with what I have in my IAM IdP config on the AWS side?

Thanks!


#2

I figured it out. You need to use the Auth0 client ID as the audience everywhere the IAM config asks for it, apparently (IdP settings, and in the associated role’s trust relationship).