🥸 AWS Session Tags for OIDC

With OpenID Connect (OIDC), clients can authenticate users or applications through an Authorization Server, giving third-party apps such as cloud providers a secure way to verify who is calling them. Although env0 already supports OIDC and issues special claims for access control, using it with AWS had some limitations. We have now integrated AWS with additional claims, allowing you to grant deployment-specific access to your AWS account.

✨ AWS Session Tags ✨

The OIDC token issued with each env0 deployment already included additional claims such as the organization id, project id, and deployer email, giving you more control over who can access your cloud account and with which role.

However, AWS does not let you evaluate arbitrary custom claims in your JWT the way other vendors do. Instead, AWS supports session tags: in your AWS IAM Role trust policy you can verify those tags and add rules on top of them as you please.

We have now added a claim named https://aws.amazon.com/tags to the JWT token. It contains a principal_tags section with the following tags:

  1. organizationId - The env0 Organization ID
  2. projectId - The env0 Project ID
  3. templateId - The env0 Template ID
  4. environmentId - The env0 Environment ID
  5. deployerEmail - The email address of the user who created this deployment

You can read more about how to set it up with env0 here, and more about AWS Session Tags here.

❗️ Breaking Change

This introduces a breaking change! For any existing AWS Role that authenticates with OIDC, you will need to add the sts:TagSession permission to the role's trust policy, whether or not you use session tags. This feature will be released on the 19th of June.
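The trust policy below is an added example (not env0's or AWS's own documentation) of a role that satisfies the breaking change above and restricts assumption using the session tags described earlier; the account id, OIDC provider hostname, audience and project id are placeholders you must replace with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/<ENV0_OIDC_PROVIDER_HOSTNAME>"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "<ENV0_OIDC_PROVIDER_HOSTNAME>:aud": "<AUDIENCE_CONFIGURED_IN_ENV0>",
          "aws:RequestTag/projectId": "<ENV0_PROJECT_ID>"
        },
        "StringLike": {
          "aws:RequestTag/deployerEmail": "*@example.com"
        }
      }
    }
  ]
}
```

Without sts:TagSession in the Action list, AssumeRoleWithWebIdentity fails as soon as the token carries the https://aws.amazon.com/tags claim, which is why existing roles must be updated even if they never add an aws:RequestTag condition.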

✏️ Related Content

OIDC Integration

OIDC With AWS

OIDC With AWS With Custom Claims

AWS Session Tags