AWS Session Tags for OIDC
With OpenID Connect (OIDC), clients can authenticate users or applications through an Authorization Server, ensuring secure interaction with third-party apps such as cloud providers. Though env0 supports OIDC and has special claims for authentication control, there were some limitations in using it with AWS. We have now integrated AWS with additional claims, allowing you to grant deployment-specific access to your AWS account.
AWS Session Tags
The OIDC token issued with each env0 deployment includes additional claims, such as the organization id, project id and deployer email, to give you more control over who can access your cloud account and with which role.
However, AWS does not let you reference custom JWT claims the way other vendors do. Instead, AWS supports session tags: in the trust policy of your AWS IAM role you can check those tags and build whatever rules you need on top of them.
We have now added a new claim to the JWT token, https://aws.amazon.com/tags, which contains a principal_tags section with the following keys:
- organizationId - The env0 Organization ID
- projectId - The env0 Project ID
- templateId - The env0 Template ID
- environmentId - The env0 Environment ID
- deployerEmail - The email address of the user who created this deployment
See the env0 documentation for how to set this up, and the AWS documentation for more about AWS session tags.
Breaking Change
This introduces a breaking change! You will need to add the sts:TagSession permission to the role for any existing AWS role that authenticates with OIDC, whether you're using session tags or not. This feature will be released on the 19th of June.
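As an added illustration (not env0's own code or a policy from this post), the Python below builds a trust policy that grants sts:AssumeRoleWithWebIdentity together with the now-required sts:TagSession and pins the session to one projectId via an aws:RequestTag condition, then runs a local pre-flight check of that condition against a constructed decoded token payload. The provider ARN and all tag values are placeholders, and the pre-flight check only mirrors the StringEquals and TagSession rules, not full IAM evaluation.

```python
import json

# Constructed decoded token payload (placeholder values, not real env0 identifiers).
# AWS encodes each principal tag value as a one-element list.
EXAMPLE_TOKEN_CLAIMS = {
    "https://aws.amazon.com/tags": {
        "principal_tags": {
            "organizationId": ["org-placeholder"],
            "projectId": ["proj-placeholder"],
            "templateId": ["tmpl-placeholder"],
            "environmentId": ["env-placeholder"],
            "deployerEmail": ["alice@example.com"],
        }
    },
}


def build_trust_policy(provider_arn: str, required_tags: dict) -> dict:
    """Trust policy allowing AssumeRoleWithWebIdentity plus sts:TagSession,
    restricted to sessions whose tags equal required_tags."""
    conditions = {f"aws:RequestTag/{k}": v for k, v in required_tags.items()}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {"StringEquals": conditions},
        }],
    }


def session_tags(claims: dict) -> dict:
    """Flatten principal_tags from the https://aws.amazon.com/tags claim."""
    tags = claims.get("https://aws.amazon.com/tags", {}).get("principal_tags", {})
    return {k: v[0] for k, v in tags.items() if len(v) == 1}


def would_pass(policy: dict, claims: dict) -> bool:
    """Local pre-flight: a tagged token needs sts:TagSession, and every
    aws:RequestTag condition must match the token's principal tags."""
    tags = session_tags(claims)
    for stmt in policy["Statement"]:
        if tags and "sts:TagSession" not in stmt["Action"]:
            return False  # the breaking-change failure mode
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if tags.get(key.removeprefix("aws:RequestTag/")) != expected:
                return False
    return True


if __name__ == "__main__":
    policy = build_trust_policy("arn:aws:iam::123456789012:oidc-provider/PLACEHOLDER",
                                {"projectId": "proj-placeholder"})
    print(json.dumps(policy, indent=2))
    print(would_pass(policy, EXAMPLE_TOKEN_CLAIMS))
```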