Configuring OpenID Connect for AWS
This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with AWS. OIDC in AWS uses a web identity provider to assume an IAM role. Access to the IAM role is authorized using a trust policy that validates the contents of the OIDC token issued by the Pulumi Cloud.
Prerequisites
- You must be an admin of your Pulumi organization.
Create the Identity Provider
- In the navigation pane of the IAM console, choose Identity providers, and then choose Add provider.
- In the Provider type section, click the radio button next to OpenID Connect.
- For the Provider URL, provide the following URL:
https://api.pulumi.com/oidc
- Click the Get thumbprint button.The AWS console generates the thumbprint value on your behalf. However, if you are creating the OIDC provider programmatically, you will need to generate this value yourself and provide the thumbprint value as a part of your resource definition. You can learn more about what a thumbprint is and how to generate/verify it by referring to the relevant AWS documentation.
- For the Audience field, the value will differ between pulumi deployments and ESC. For Deployments the value is only the name of your Pulumi organization. For ESC the value is the name of your Pulumi organization prefixed with
aws:
(e.g.aws:{org}
). Then click Add provider.For environments in thedefault
project the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments.
Configure the IAM Role and Trust Policy
Once you have created the identity provider, you will see a notification at the top of your screen prompting you to assign an IAM role.
- Click the Assign role button.
- Select the Create a new role option, then click Next.
- On the IAM Create role page, ensure the Web identity radio button is selected.
- In the Web identity section:
- Select
api.pulumi.com/oidc
under Identity provider. - Select the name of your Pulumi organization under Audience. Then click Next.
- Select
- On the Add permissions page, select the permissions that you want to grant to your Pulumi service. Then click Next.
- Provide a name and optional description for the IAM role. Then click Create role.
Make a note of the IAM role’s ARN; it will be necessary to enable OIDC for your service.
For more granular access control, edit the trust policy of your IAM role with Token claims for each service. The sub
claim can be customized as shown below.
Pulumi Deployments
In the following example, the role may only be assumed by stacks within the Core
project of the contoso
organization:
"Condition": {
"StringEquals": {
"api.pulumi.com/oidc:aud": "contoso"
},
"StringLike": {
"api.pulumi.com/oidc:sub": "pulumi:deploy:org:contoso:project:Core:*"
}
}
Pulumi ESC
Consider the following ESC definition for project/development
environment opened by user personA
:
values:
aws:
login:
fn::open::aws-login:
oidc:
...
subjectAttributes:
- currentEnvironment.name
- pulumi.user.login
The OIDC subject claim for this environment would be pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:personA
. The role may only be assumed by project/development
environment and user personA
within the contoso
organization:
"Condition": {
"StringEquals": {
"api.pulumi.com/oidc:aud": "aws:contoso",
"api.pulumi.com/oidc:sub": "pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:personA"
}
}
The subject always contains the prefix pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}
and every key configured will be appended to this prefix. The list of all possible options for subjectAttributes
are:
rootEnvironment.name
: the name of the environment that is opened first. This root environment in turn opens other imported environmentscurrentEnvironment.name
: the full name (including the project) of the environment where the ESC login provider andsubjectAttributes
are definedpulumi.user.login
: the login identifier of the user opening the environmentpulumi.organization.login
: the login identifier of the organization
When importing multiple environments into Pulumi IaC Stack Config, each environment is resolved separately. For example, if you import multiple environments into your Pulumi Stack with rootEnvironment.name
attribute defined in all of them, then each rootEnvironment.name
will resolve to the environment name where it is defined.
The default format of the subject claim when subjectAttributes
are not used is pulumi:environments:org:<organization name>:env:<project name>/<environment name>
default
project, the project will not be present in the subject to preserve backwards compatibility. The format of the subject claim when subjectAttributes
are not set is pulumi:environments:org:<organization name>:env:<environment name>
. If currentEnvironment.name
is used as a custom subject attribute it will resolve to only the environment name (e.g. pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA
). Due to this it is recommended to move your environments out of the default
project for best security practices.pulumi:environments:org:contoso:env:<yaml>
. The literal value of <yaml>
need to be used and will be the same for all environments. Hence, for best security practices we recommend using subjectAttributes
. If you want to set environment level or even granular permissions in your trust policy, then we recommend using subjectAttributes
property.Configure OIDC via the Pulumi Console
Pulumi Deployments
- Navigate to your stack in the Pulumi Console.
- Open the stack’s “Settings” tab.
- Choose the “Deploy” panel.
- Under the “OpenID Connect” header, toggle “Enable AWS Integration”.
- Enter the ARN of the IAM role to created above in the “Role ARN” field.
- Enter a name for the assumed role session in the “Session Name” field.
- If you would like to use additional policies to further constrain the session’s capabilities, enter the policies’ ARNs separated by commas in the “Policy ARNs” field.
- If you would like to constrain the duration of the assumed role session, enter a duration in the form “XhYmZs” in the “Session Duration” field.
- Click the “Save deployment configuration” button.
With this configuration, each deployment of this stack will attempt to exchange the deployment’s OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, and AWS_SESSION_TOKEN
environment variables. The raw OIDC token is also available for advanced scenarios in the PULUMI_OIDC_TOKEN
environment variable and the /mnt/pulumi/pulumi.oidc
file.
Pulumi ESC
To configure OIDC for Pulumi ESC, create a new environment in the Pulumi Console. Make sure that you have the correct organization selected in the left-hand navigation menu. Then:
Click the Environments link.
Click the Create environment button.
Provide a project to create your new environment in and a name for your environment.
Click the Create environment button.
You will be presented with a split-pane editor view. Delete the default placeholder content in the editor and replace it with the following code:
values: aws: login: fn::open::aws-login: oidc: duration: 1h roleArn: <your-oidc-iam-role-arn> sessionName: pulumi-environments-session subjectAttributes: - currentEnvironment.name - pulumi.user.login environmentVariables: AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId} AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey} AWS_SESSION_TOKEN: ${aws.login.sessionToken}
Replace
<your-oidc-iam-role-arn>
with the value from the previous steps.Scroll to the bottom of the page and click Save.
You can validate that your configuration is working by running either of the following:
esc open <your-org>/<your-project>/<your-environment>
command of the ESC CLIpulumi env open <your-org>/<your-project>/<your-environment>
command of the Pulumi CLI
Make sure to replace <your-org>
, <your-project>
, and <your-environment>
with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following:
{
"aws": {
"login": {
"accessKeyId": "ASIA....",
"secretAccessKey": "rtBS....",
"sessionToken": "Fwo...."
}
},
"environmentVariables": {
"AWS_ACCESS_KEY_ID": "ASIA....",
"AWS_SECRET_ACCESS_KEY": "rtBS....",
"AWS_SESSION_TOKEN": "Fwo...."
}
}
To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the relevant Pulumi documentation
Automate OIDC Configuration
Our Examples repository provides a wide variety of automations using Pulumi Infrastructure as Code (IaC). If you want to automate the configuration and deployment of OIDC between Pulumi and AWS, take a look at the following examples to help you get started:
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.