With OpenID Connect (OIDC), clients can authenticate users or applications through an Authorization Server, ensuring secure interaction with third-party apps such as cloud providers. Though env0 supports OIDC and has special claims for authentication control, there were some limitations in using it with AWS. We have now integrated AWS with additional claims, allowing you to grant deployment-specific access to your AWS account.
The OIDC token issued with each env0 deployment already included additional claims such as the organization ID, project ID, and deployer email, giving you more control over who can access your cloud account and with which role.
However, AWS does not evaluate custom claims in your JWT token the way other vendors do. Instead, AWS supports session tags: in your AWS IAM Role trust policy you can verify those tags and add whatever rules you need on top of them.
We have now added a new claim to the JWT token, https://aws.amazon.com/tags, which carries a principal_tags section with the following tags:
- organizationId - The env0 Organization ID
- projectId - The env0 Project ID
- templateId - The env0 Template ID
- environmentId - The env0 Environment ID
- deployerEmail - The email address of the user who created this deployment
This introduces a breaking change! You will need to add the sts:TagSession permission to the trust policy of every existing AWS Role that authenticates with OIDC, whether you use session tags or not. This feature will be released on the 19th of June.
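As an added illustration (not env0's own documentation or code), here is a minimal IAM role trust policy that allows the web-identity assume call, grants the now-required sts:TagSession, and restricts the role to one env0 organization and project by checking the session tags via the aws:RequestTag condition key. The account ID, OIDC provider hostname, audience value and tag values are placeholders you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEnv0DeploymentsForOneProject",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/OIDC_PROVIDER_HOSTNAME_PLACEHOLDER"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "OIDC_PROVIDER_HOSTNAME_PLACEHOLDER:aud": "AUDIENCE_PLACEHOLDER",
          "aws:RequestTag/organizationId": "ORGANIZATION_ID_PLACEHOLDER",
          "aws:RequestTag/projectId": "PROJECT_ID_PLACEHOLDER"
        }
      }
    }
  ]
}
```

Without sts:TagSession in the Action list, AssumeRoleWithWebIdentity is denied as soon as the token carries the principal_tags claim, which is why the permission is needed even for roles that never check the tags.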