Configuring OpenID Connect Role Policies for Enterprise Applications
OpenID Connect (OIDC) is an authentication protocol that allows users to be authenticated by cooperating sites, known as Relying Parties (RPs), using a third-party authentication service.
When configuring OIDC role policies for enterprise applications, you would typically set up an Identity Provider (IdP) that handles authentication and then configure your cloud provider and application to trust this IdP. In a cloud environment, like AWS or Azure, you can set up roles that trust the IdP. These roles can then be assumed by federated users when the IdP asserts their identity.
In the context of Pulumi, configuring OIDC role policies involves creating cloud resources with the appropriate IAM policies configured to trust an OIDC IdP. Below I'll show you how you can configure an AWS IAM role for OIDC using Pulumi in Python.
The `aws-iam` Pulumi package provides `AssumableRoleWithOIDC`, a component that creates an AWS IAM role with an OIDC federation trust policy; such a role can be assumed by applications authenticated through the OIDC provider. The program below builds the same thing from the underlying `pulumi_aws` resources so that each piece of the trust relationship is visible. Let's write a Pulumi program that creates such a role:
- Define the OIDC provider: Set up an OIDC identity provider in AWS IAM.
- Create a role for your application: This IAM role will be assumable by entities (like services, applications) authenticated by the OIDC provider.
- Attach policies to the role: Define permissions for the application by attaching IAM policies.
Here's what this could look like in Pulumi using Python:
```python
import json

import pulumi
import pulumi_aws as aws

# Your OIDC provider URL and audience.
# Typically, these are obtained from the IdP that manages your enterprise identities.
# For example, if you're using Google Identity as your IdP, the issuer URL will be
# something like "https://accounts.google.com" and the client ID will be the
# OAuth 2.0 Client ID.
oidc_provider_url = 'https://example-oidc-provider.com/'
oidc_client_id = 'example-app-client-id'

# Create an OIDC Provider in AWS IAM.
# The thumbprint must be the SHA-1 fingerprint (40 hex characters) of the IdP's
# TLS certificate; 'example-thumbprint' is a placeholder to replace.
oidc_provider = aws.iam.OpenIdConnectProvider('example-oidc-provider',
    url=oidc_provider_url,
    client_id_lists=[oidc_client_id],
    thumbprint_lists=['example-thumbprint'])


def build_trust_policy(args):
    """Build the role trust policy once the provider's ARN and URL are resolved.

    IAM condition keys for an OIDC provider use the provider URL without the
    scheme (e.g. 'example-oidc-provider.com/:sub'), so strip 'https://' here.
    """
    provider_arn, provider_url = args
    condition_key_prefix = provider_url.replace('https://', '', 1)
    return json.dumps({
        'Version': '2012-10-17',
        'Statement': [{
            # 'Allow' because we are specifying a trust relationship that
            # permits the federated identity to assume this role.
            'Effect': 'Allow',
            'Principal': {'Federated': provider_arn},
            'Action': 'sts:AssumeRoleWithWebIdentity',
            # Only tokens whose 'sub' claim equals this subject may assume the role.
            'Condition': {
                'StringEquals': {
                    f'{condition_key_prefix}:sub':
                        'system:serviceaccount:example-namespace:example-serviceaccount',
                },
            },
        }],
    })


# Create an IAM role that can be assumed through the OIDC provider.
# The provider's ARN and URL are Pulumi Outputs, so the policy document is
# built inside apply() rather than with a plain f-string.
oidc_role = aws.iam.Role('example-oidc-role',
    assume_role_policy=pulumi.Output.all(oidc_provider.arn, oidc_provider.url)
        .apply(build_trust_policy))

# Create an IAM policy that defines the permissions the role will grant.
# Unrestricted S3 access is a placeholder; scope Action and Resource down
# to what the application actually needs.
example_policy = aws.iam.Policy('example-policy',
    policy="""{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": "*"
            }
        ]
    }""")

# Attach the policy to the role
role_policy_attachment = aws.iam.RolePolicyAttachment('example-role-policy-attachment',
    role=oidc_role.name,
    policy_arn=example_policy.arn)

# Export the role ARN so it can be used by the application to assume the role
pulumi.export('oidc_role_arn', oidc_role.arn)
```
In this program, we create an IAM OIDC provider by specifying the OIDC issuer URL and a client ID list that includes the client ID your IdP assigns to your application. We then create an IAM role whose assume role policy trusts the OIDC provider. The trust policy contains a condition on the `sub` claim of the OIDC token, which must equal a specific value, `system:serviceaccount:example-namespace:example-serviceaccount` in this case. This ensures that only that subject, as authenticated by the OIDC provider, can assume the role.
We also define an IAM policy ('example-policy') with specific permissions (in this case, unrestricted S3 access, which you should restrict to your use case) and attach this policy to the created IAM role. Finally, we export the ARN of the IAM role so it can be used outside of Pulumi, such as by a CI/CD system deploying your enterprise application.
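Because the trust policy is where the whole federation boundary is enforced, it is worth building and checking it independently of the deployment tooling. The following is an added example, not code from the page or from Pulumi: a plain-Python builder for an OIDC trust policy that pins both the `sub` claim and the `aud` claim (the program above conditions only on `sub`), plus a small audit function that reports `AssumeRoleWithWebIdentity` statements missing either condition or matching `sub` with a bare wildcard. The provider ARN, issuer URL, client ID and subject are constructed sample values; the function names are this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample values for the example; replace with your own provider
# ARN, issuer URL, client ID and subject.
EXAMPLE_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/example-oidc-provider.com"
EXAMPLE_PROVIDER_URL = "https://example-oidc-provider.com"
EXAMPLE_CLIENT_ID = "example-app-client-id"
EXAMPLE_SUBJECT = "system:serviceaccount:example-namespace:example-serviceaccount"


def condition_key_prefix(provider_url):
    """IAM condition keys for an OIDC provider use the issuer host and path
    without the scheme, e.g. 'example-oidc-provider.com'."""
    parsed = urlparse(provider_url)
    return parsed.netloc + parsed.path.rstrip("/")


def build_oidc_trust_policy(provider_arn, provider_url, subject, audience):
    """Return a trust policy (as a dict) allowing only tokens whose 'sub' and
    'aud' claims exactly match the given subject and audience."""
    prefix = condition_key_prefix(provider_url)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{prefix}:sub": subject,
                        f"{prefix}:aud": audience,
                    }
                },
            }
        ],
    }


def audit_trust_policy(policy):
    """Return a list of findings for a trust policy document (dict).

    Every AssumeRoleWithWebIdentity statement should pin both 'sub' and 'aud';
    a StringLike match of 'sub' against a bare '*' is reported as well.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conditions = stmt.get("Condition", {})
        keys = {k for block in conditions.values() for k in block}
        if not any(k.endswith(":sub") for k in keys):
            findings.append(f"statement {i}: no condition on the 'sub' claim")
        if not any(k.endswith(":aud") for k in keys):
            findings.append(f"statement {i}: no condition on the 'aud' claim")
        for key, value in conditions.get("StringLike", {}).items():
            values = value if isinstance(value, list) else [value]
            if key.endswith(":sub") and any(v.strip() == "*" for v in values):
                findings.append(f"statement {i}: 'sub' matched with a bare wildcard")
    return findings


if __name__ == "__main__":
    policy = build_oidc_trust_policy(EXAMPLE_PROVIDER_ARN, EXAMPLE_PROVIDER_URL,
                                     EXAMPLE_SUBJECT, EXAMPLE_CLIENT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy))
```

The audit function accepts any trust policy parsed with `json.loads`, so it can run over the `assume_role_policy` string Pulumi generates before it is deployed, as well as over policies pulled from an existing account.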
Keep in mind to replace `oidc_provider_url`, `oidc_client_id`, and the `assume_role_policy`'s condition with values corresponding to your OIDC provider and your application's needs.