Sample connection profiles for S3 and OpenID Connect Federation #55

Closed
3 of 15 tasks
dkocher opened this issue Aug 7, 2023 · 4 comments · Fixed by #58
dkocher commented Aug 7, 2023

With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. [1]

The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy. The call to AssumeRoleWithWebIdentity should include the ARN of the role that is specific to the provider through which the user signed in.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity

With support to retrieve authentication tokens for S3 using the STS APIs [2] we should provide (sample) connection profiles for typical providers supported.

General connection profile blueprint

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright (c) 2002-2023 iterate GmbH. All rights reserved.
  ~ https://cyberduck.io/
  ~
  ~ This program is free software; you can redistribute it and/or modify
  ~ it under the terms of the GNU General Public License as published by
  ~ the Free Software Foundation, either version 3 of the License, or
  ~ (at your option) any later version.
  ~
  ~ This program is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  ~ GNU General Public License for more details.
  -->

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Protocol</key>
        <string>s3</string>
        <key>Vendor</key>
        <string>s3-sts</string>
        <key>OAuth Authorization Url</key>
        <string>…</string>
        <key>OAuth Token Url</key>
        <string>…</string>
        <key>OAuth Client ID</key>
        <string>…</string>
        <key>OAuth Client Secret</key>
        <string>…</string>
        <key>OAuth Redirect Url</key>
        <string>x-cyberduck-action:oauth</string>
        <key>OAuth PKCE</key>
        <false/>
        <key>Scopes</key>
        <array>
            <string>openid</string>
            <string>offline_access</string>
        </array>
        <key>Password Configurable</key>
        <false/>
        <key>Username Configurable</key>
        <false/>
        <key>Token Configurable</key>
        <false/>
        <key>Username Placeholder</key>
        <string>Username</string>
        <key>STS Endpoint</key>
        <string>https://sts.amazonaws.com/</string>
        <key>Properties</key>
        <array>
            <string>s3.assumerole.rolearn=arn:aws:iam::…</string>
        </array>
    </dict>
</plist>

Set s3.assumerole.rolearn= to an empty value to prompt the user to enter it manually on login.

🟢 AWS S3/STS + Keycloak (OIDC)

🟢 Minio S3/STS + Keycloak (OIDC)

🟥 AWS S3/STS + GitHub (OIDC) [3][4]

Prerequisites

  • Configure OAuth App in GitHub [5]
  • Add the GitHub OIDC provider https://token.actions.githubusercontent.com to AWS IAM. For the Audience: Use sts.amazonaws.com [6]
  • Configure the role and trust policy in AWS IAM

❗ Currently not possible to integrate because the id-token endpoint only seems to be accessible from GitHub Actions.

🟢 AWS S3/STS + Google (OIDC) [7]

  • Register OAuth Client ID in Google Cloud Console or use the registration from Cyberduck connection profiles for Google Cloud Storage and Google Drive.
  • Add the Google OIDC provider to AWS IAM. The Audience must be set to the OAuth Client ID like 996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr.apps.googleusercontent.com.
  • Make sure to restrict access by configuring the role and trust policy

In the sample configuration, the custom trust policy set for the IAM role in AWS limits access to a particular Google Account using the condition

…
  "Condition": {
    "StringEquals": {
      "accounts.google.com:aud": "996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr.apps.googleusercontent.com",
      "accounts.google.com:sub": "SUBJECT_ID"
    }
  }
…

SUBJECT_ID can be obtained from the service account or regular account in the ID token returned from POST https://accounts.google.com/o/oauth2/token decoded as JWT.

  • Include the following OAuth scopes in the connection profile
…
<key>Scopes</key>
<array>
    <string>openid</string>
</array>
…
  • Set the property s3.assumerole.rolearn in the connection profile to the Role ARN, or leave it empty (s3.assumerole.rolearn=) to be prompted for it on login.

🟥 AWS S3/STS + AWS IAM Identity Center [8]

The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628) that are necessary to enable single sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in future releases.

Use the S3 (Credentials from AWS Command Line Interface) connection profile instead.

🟢 AWS S3/STS + Azure AD (OIDC)

  • Register OAuth Client ID in App Registrations of Azure Portal or use the registration from Cyberduck connection profiles for Microsoft OneDrive.
  • Add the identity provider to AWS IAM. Obtain the thumbprint from https://login.microsoftonline.com/<tenant>/v2.0. The Audience must be set to the OAuth Client ID like f40bc18f-cd02-4212-b7f1-15243e4e2ad3.
  • Configure the role and trust policy in AWS IAM
  • Make sure to restrict access by configuring the role and trust policy
…
"Condition": {
    "StringEquals": {
        "login.microsoftonline.com/<tenant>/v2.0:sub": "ge3T50cKalgsarCE6vDa34_kTb_P08X229IeC7PWqT8",
        "login.microsoftonline.com/<tenant>/v2.0:aud": "f40bc18f-cd02-4212-b7f1-15243e4e2ad3"
    }
}
…
  • Include the following OAuth scopes in the connection profile
…
<key>Scopes</key>
<array>
    <string>openid</string>
    <string>offline_access</string>
</array>
…
  • Set the property s3.assumerole.rolearn in the connection profile to the Role ARN, or leave it empty (s3.assumerole.rolearn=) to be prompted for it on login.

Footnotes

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

  2. Support to login using temporary credentials from Security Token Service (STS API) using OpenID Connect web identity cyberduck#13804

  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub

  4. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

  5. https://github.com/organizations/iterate-ch/settings/applications/2282978

  6. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

  7. https://cloud.google.com/storage-transfer/docs/source-amazon-s3#federated_identity

  8. https://docs.aws.amazon.com/pdfs/singlesignon/latest/OIDCAPIReference/ssooidc-api.pdf
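
Added example, not code from the issue or from the Cyberduck profiles: a Python check that reads the sub value the trust policy needs from a decoded ID token, evaluates the StringEquals condition the way STS applies it to the Google sample above, and flags a statement that forgets to pin sub. The token and the SUBJECT_ID value are constructed; the client ID is the one quoted in the issue.

```python
import base64
import json

PROVIDER = "accounts.google.com"  # IdP host used as the condition-key prefix
CLIENT_ID = "996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr.apps.googleusercontent.com"

# Trust policy in the shape shown in the issue; the sub value is constructed.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER}:aud": CLIENT_ID,
            f"{PROVIDER}:sub": "123456789012345678901",
        }},
    }],
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for the demo (not a real Google token)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_claims(jwt: str) -> dict:
    """Read the payload segment to look up sub/aud. No signature check here: STS
    verifies the token; this only serves to fill SUBJECT_ID into the policy."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def statement_allows(stmt: dict, claims: dict) -> bool:
    """Mimic the StringEquals check STS applies to the token's claims."""
    if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
        return False
    issuer = claims.get("iss", "").removeprefix("https://")
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        provider, claim = key.rsplit(":", 1)  # 'accounts.google.com:sub' -> ('accounts.google.com', 'sub')
        if provider != issuer:                # condition written for a different IdP
            return False
        actual = claims.get(claim, [])
        actual = actual if isinstance(actual, list) else [actual]
        expected = expected if isinstance(expected, list) else [expected]
        if not set(actual) & set(expected):
            return False
    return True

def subject_pinned(stmt: dict) -> bool:
    """True when the condition pins sub; without it any account at the IdP that can
    obtain a token for this client ID may assume the role."""
    return any(k.endswith(":sub") for k in stmt.get("Condition", {}).get("StringEquals", {}))
```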

@dkocher dkocher added the s3 label Aug 7, 2023
@dkocher dkocher self-assigned this Aug 7, 2023

dkocher commented Aug 7, 2023

  • This requires changes from PR [1] in progress.

Footnotes

  1. Allow connection profiles to use custom STS and OIDC endpoints cyberduck#14972


zeph commented Sep 25, 2023

well, I'd love to req. for the Minio S3/STS + Azure AD (OIDC) combo!
which is not listed above, but I assume keycloak's workflow or Azure shall be similar...


dkocher commented Sep 25, 2023

well, I'd love to req. for the Minio S3/STS + Azure AD (OIDC) combo! which is not listed above, but I assume keycloak's workflow or Azure shall be similar...

This will be the same as this sample [1], with the addition of the custom STS API endpoint (which defaults to sts.amazonaws.com) using

        <key>STS Endpoint</key>
        <string>http://localhost:9000</string>

Footnotes

  1. https://github.com/iterate-ch/profiles/pull/58/files#diff-e53b6ec1e08d75f4bc23fb3afa2557a3679cb7ea83770afcc671bd014213d9eb
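
Added example, not code from the issue or the profiles repository: loading a profile built from the blueprint in the issue with the Minio STS endpoint from this reply, and listing what a reviewer would check before shipping it. The OAuth URLs and client ID in the embedded profile are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Constructed profile following the blueprint, with the Minio STS endpoint from the
# reply above; OAuth URLs and client ID are placeholders, not a real registration.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Protocol</key><string>s3</string>
  <key>Vendor</key><string>s3-sts</string>
  <key>OAuth Authorization Url</key><string>https://idp.example/auth</string>
  <key>OAuth Token Url</key><string>https://idp.example/token</string>
  <key>OAuth Client ID</key><string>client-id-placeholder</string>
  <key>OAuth Redirect Url</key><string>x-cyberduck-action:oauth</string>
  <key>OAuth PKCE</key><false/>
  <key>Scopes</key><array><string>openid</string><string>offline_access</string></array>
  <key>STS Endpoint</key><string>http://localhost:9000</string>
  <key>Properties</key><array><string>s3.assumerole.rolearn=</string></array>
</dict></plist>"""

def load_profile(xml: bytes) -> dict:
    """Parse the plist and turn the 'key=value' Properties array into a dict."""
    profile = plistlib.loads(xml)
    profile["Properties"] = dict(p.split("=", 1) for p in profile.get("Properties", []))
    return profile

def review_profile(profile: dict) -> list[str]:
    """Findings a reviewer would raise; an empty list means nothing to flag."""
    findings = []
    if (profile.get("Protocol"), profile.get("Vendor")) != ("s3", "s3-sts"):
        findings.append("not an s3-sts profile")
    if "openid" not in profile.get("Scopes", []):
        findings.append("scope openid missing, the IdP will not issue an ID token")
    arn = profile["Properties"].get("s3.assumerole.rolearn")
    if arn is None:
        findings.append("s3.assumerole.rolearn property missing")
    elif arn == "":
        findings.append("role ARN empty, user will be prompted for it on login")
    elif not arn.startswith("arn:"):
        findings.append(f"role ARN looks malformed: {arn}")
    sts = urlparse(profile.get("STS Endpoint", ""))
    if sts.scheme != "https":
        findings.append("STS Endpoint is not https, acceptable only for a loopback test endpoint")
    if not profile.get("OAuth PKCE", False):
        findings.append("OAuth PKCE disabled, enable it for a native client")
    return findings
```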


flymg commented Dec 29, 2024

Wondering if AWS S3/STS + Azure AD (OIDC) can be used with a custom Enterprise Application and not the Cyberduck one. It seems the provider

    <key>Provider</key>
    <string>aws-s3-sts-azure-activedirectory-oidc</string>

always forces f40bc18f-cd02-4212-b7f1-15243e4e2ad3 even if a different one is set.

        <key>OAuth Client ID</key>
        <string>random_uuid</string>
