aws-runas
This page provides a deeper look at the configuration used by aws-runas with OIDC single sign-on integration. One benefit of the OIDC capability is that there is no requirement to store a set of static AWS credentials on the system, with the drawback of needing to be an engaged participant in the OIDC authentication process (supplying username, password and any necessary multi-factor actions). This page is meant as a generic configuration reference for using aws-runas with OIDC authentication. For information about the configuration for a specific OIDC provider (Okta, Keycloak, etc) see the OIDC Client Configuration Guide
AWS uses the term Web Identity when referring to assuming roles using an OIDC identity. You will see both terms in the aws-runas documentation, and the terms can be considered equivalent (except for cases where the Assume Role With Web Identity API call, or configuration attributes, are specifically mentioned).
Configuration File
The configuration file is an ini-formatted file used to store AWS profile configuration. By default, the AWS SDK looks
for a file name ‘config’ in a directory called .aws inside a user’s home directory. If you need to use a non-default
configuration file location, you can set the AWS_CONFIG_FILE environment variable to the location of the file on the
system.
To use aws-runas effectively, especially if you use multiple roles, it’s advisable to set up profiles using this file.
Default Section
The configuration file should contain a [default] section, where top-level/global configuration is set. Per-profile
values can still be set in each profile’s section, which will be preferred over settings in the default section.
A simple default section could look something like:
[default]
region = us-east-1
However, only having a default section won’t make aws-runas a very useful tool, read the section below about configuring profiles to learn how to configure a profile for assuming a role.
Profile Sections
Profile sections in the configuration file are what is used to provide the settings used to assume a role using Web Identity integration with aws-runas. Since the OIDC integration configuration is specific to aws-runas, and not part of the larger AWS tool ecosystem, the configuration shown here would not be leveraged by tools such as the awscli.
The minimum profile configuration required for assuming a role using Web Identity (OIDC) looks like this:
[profile my-profile]
web_identity_auth_url = https://example.org/oauth2
web_identity_client_id = myClientID
web_identity_redirect_uri = app:/callback
role_arn = arn:aws:iam::012345678901:role/my-role
This configures a profile named ‘my-profile’ to assume a role called ‘my-role’ in the fictitious AWS account
012345678901 using the credentials obtained from the OIDC identity provider identified in the web_identity_auth_url
attribute. One thing to make note of is the word ‘profile’ before the actual profile name in the section heading (the
stuff between the [] brackets), this is an oddity of the logic AWS uses to process the config file, and is necessary for
any non-default profile you’ll configure.
If the OIDC authentication flow requires that you use multi-factor authentication, you will be prompted to perform the MFA action, depending on which types of multi-factor authentication are supported by the identity provider, and configured for the user’s account.
A profile’s configuration also allows you to override settings set in the default profile, or the configuration in the profile referenced in the ‘source_profile’ attribute. For example, if the default section configures the region as ‘us-east-1’ (like above), you can set the region attribute inside the profile configuration, which will override the default value when using that profile.
If you have multiple profiles configured, all using the same web_identity_* attributes, it can become tedious, and redundant, to copy those attribute between all the profiles. The aws-runas tool supports setting common configuration for OIDC attributes in the profile referenced in the source_profile attribute, or in the default section.
The following example demonstrates how to set up the .aws/config file for OIDC authentication using common attributes,
which will be used for every profile configured with source_profile = oidc.
[default]
region = us-east-1
[profile oidc]
web_identity_auth_url = https://example.org/oauth2
web_identity_client_id = myClientID
web_identity_redirect_uri = app:/callback
[profile my-role]
source_profile = oidc
role_arn = arn:aws:iam::012345678901:role/my-role
[profile other-role]
region = us-west-2
source_profile = oidc
role_arn = arn:aws:iam::567890123456:role/other-role
Custom Configuration File Attributes
In addition to the required parameters shown above, the program supports other configuration attributes for the profiles defined in the .aws/config file for using OIDC integration. These attributes are specific to aws-runas and will be ignored by other tools leveraging the AWS SDK.
web_identity_usernameThis attribute sets the username to use when performing OIDC authentication. If not set, aws-runas will prompt for the value to be input via the command line.web_identity_providerThis attribute allows you to explicitly specify the OIDC provider to use, and bypass the auto-detection logic. This may be useful for cases where the auto-detection logic fails, or is blocked by a CDN or WAF. The value is treated as case-insensitive, but must be one of the supported providers, otherwise aws-runas will fail with the error:panic: unable to determine client provider typejump_role_arnFor cases where you will perform OIDC authentication to assume an initial (jump) role to retrieve credentials which allow you to assume a role in the target AWS account, configure this value with the role ARN needed for the initial role. Your AWS IAM or identity provider administrator should know if you need to configure this attribute, and the value to set.credentials_durationThis attribute specifies the lifetime of the assume role credentials requested by aws-runas. Except for a narrow set of cases, it’s usually safe to leave this setting at the default value of 1h. Valid values are between 15m and 12h, however setting this value above the default 1h requires the IAM role in AWS to be configured to allow the extended duration. Attempts to set a duration longer than the IAM role can support will cause aws-runas to fail with an error.mfa_typeUse this attribute to force a specific MFA type instead of the provider auto-detection logic.
Values for the credentials_duration property are specified as golang time.Duration strings.
(See https://golang.org/pkg/time/#ParseDuration for more info) The scope
of these settings are determined by where they are set in the profiles. The most specific setting is used, so a value
specified in a role profile will be used instead of a value defined in the default section.
Web Identity Credentials
There are multiple ways to provide an OIDC password to aws-runas for you to authenticate with the identity provider. If none of the below methods are used, aws-runas will prompt for the password when required.
Credentials File (preferred)
A password can be set in the AWS credentials file, which will be used if neither the command line option, nor environment variable are detected. This is the most secure way to use a password for an external identity provider with aws-runas, as the value stored in the credentials file is obfuscated to keep the raw value out of the file. This is no more or less secure than storing a set of static AWS credentials in the file, as is the case with non-OIDC profiles.
To set a password in the credentials file, run aws-runas password <profile>, substituting the OIDC-enabled profile name
for <profile>. This will prompt you for the password value, and write the obfuscated information to the credentials file.
If the password for the identity provider is changed, you are required to update aws-runas using the aws-runas password ...
command, otherwise the old password value is used, and the authentication will fail. There is a risk of locking out your
account in the identity provider if there are too many authentication failures. (This behavior is specific to the settings
of the identity provider, work with your identity provider administrator for more information.)
Command Line Option
The -P option allows you to specify the password directly on the command line. This is the least secure way to
provide the password, as anyone on the system can inspect the options used by the command and see the raw password value.
Environment Variable
Setting the WEB_IDENTITY_PASSWORD environment variable will pass the value to aws-runas to as the password for authentication.
This is slightly more secure than the -P flag, but anyone on the system capable of viewing the running program’s
environment will be able to see the raw password value.
Environment Variables
Standard AWS SDK environment variables are supported by this program. (See
https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config#EnvConfig)
Most will be passed through to the calling program except for the AWS_PROFILE environment variable, which will be explicitly
unset before aws-runas executes the program supplied as an argument to aws-runas. (It only affects the environment
variable for the execution of aws-runas, the setting in the original environment is unaffected) If your code relies on
the value of that AWS_PROFILE environment variable, it will be reflected to the program under a new environment
variable called AWSRUNAS_PROFILE
If the AWS_PROFILE environment variable is set, it will be used in place of the ‘profile’ argument to the command. In
this example, the ‘aws s3 ls’ command will be executed using the profile ‘my_profile’
$ AWS_PROFILE=my_profile aws-runas aws s3 ls
Additionally, the custom config attributes mentioned above are also available as the environment variables
CREDENTIALS_DURATION, WEB_IDENTITY_AUTH_URL, WEB_IDENTITY_USERNAME, WEB_IDENTITY_PROVIDER, JUMP_ROLE_ARN,
and MFA_TYPE
Additional References
See the following for more information on AWS SDK configuration files: