pvillard31 commented on PR #10294: URL: https://github.com/apache/nifi/pull/10294#issuecomment-3284567738
Thanks for the feedback @exceptionfactory. As I noted in the PR description, what you're pointing out is a pure limitation of using Cognito, but I wanted to provide an example that is easy to reproduce for a reviewer willing to try the change in AWS. I would not expect users to actually use Cognito in this context.

- STS WebIdentity is not inherently end-user only. AWS uses it for machine identities too (e.g., EKS IRSA). What STS requires is a valid OIDC JWT with an issuer it trusts and an `aud` that matches a registered client ID.
- Cognito client-credentials returns an access token without `aud`, and Cognito does not let you override standard claims for access tokens. It also does not issue ID tokens for client-credentials. So Cognito + client-credentials cannot satisfy STS trust policy checks with respect to `aud`.

I also tested this change with NiFi running on GCP:

- NiFi runs on GCP
- I created a dummy OAuth Token Provider to get a Google OIDC ID token using the metadata server of my GCE instance
- Created a Google OIDC provider in AWS and specified an audience such as `sts.amazonaws.com`
- Then created a role using WebIdentity referencing that identity provider and also specifying the audience (as well as the service account attached to my GCE instance)

As you can see, this is way more involved for a reviewer, and I did have to build a custom NAR for the token provider implementation in GCP to get the token.
For reference:

- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
- https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
- https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html

The last link gives an example where STS AssumeRoleWithWebIdentity is used with a service account in the context of EKS with the below role:

````json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::$account_id:oidc-provider/$oidc_provider"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$oidc_provider:aud": "sts.amazonaws.com",
          "$oidc_provider:sub": "system:serviceaccount:$namespace:$service_account"
        }
      }
    }
  ]
}
````

Let me know what you think.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
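The comment above makes two claims that are easy to check locally: an `AssumeRoleWithWebIdentity` trust policy accepts any OIDC JWT whose `iss` is a registered provider and whose `aud`/`sub` satisfy the `StringEquals` conditions (which is why EKS IRSA, a machine identity, works), and a Cognito client-credentials access token fails because it carries no `aud` claim at all. The following is an added example, not NiFi project code and not the IAM policy engine: it models only the claim/condition matching that the quoted trust policy expresses, over constructed unsigned tokens. Signature verification against the provider's JWKS, `exp` checks and the rest of what STS really does are deliberately left out. The provider URL, account ID, namespace, service-account name and Cognito client ID are all placeholders.

```python
"""Simulate the claim checks an STS AssumeRoleWithWebIdentity trust policy applies to an OIDC JWT.

Added example (not NiFi code). Only iss/aud/sub condition matching is modelled;
the JWTs below are constructed, unsigned (alg=none) and for local illustration only.
"""
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature. A real IdP would sign it (RS256/ES256)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def trust_policy(account_id: str, oidc_provider: str, aud: str, sub: str) -> dict:
    """The EKS-style trust policy quoted in the comment, with its $variables filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{oidc_provider}:aud": aud, f"{oidc_provider}:sub": sub}},
        }],
    }


def assume_role_decision(policy: dict, token: str, oidc_provider: str) -> tuple:
    """Return (allowed, reason). The IAM provider URL is 'https://' + oidc_provider and must equal iss."""
    claims = jwt_claims(token)
    if claims.get("iss") != f"https://{oidc_provider}":
        return False, f"issuer {claims.get('iss')!r} is not the registered provider"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt["Principal"]["Federated"].endswith(":oidc-provider/" + oidc_provider):
            continue
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            provider, _, claim = key.rpartition(":")
            if provider != oidc_provider:
                return False, f"condition key {key!r} names a different provider"
            actual = claims.get(claim)
            if actual is None:
                return False, f"token has no '{claim}' claim"
            # aud may be a JSON array in a JWT; StringEquals matches if the value is among them.
            values = actual if isinstance(actual, list) else [actual]
            if expected not in values:
                return False, f"'{claim}' is {actual!r}, policy requires {expected!r}"
        return True, "allowed"
    return False, "no matching Allow statement"


# --- Constructed placeholders (hypothetical provider IDs, account, namespace, client ID) ---
EKS_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"
EKS_POLICY = trust_policy("123456789012", EKS_PROVIDER, "sts.amazonaws.com",
                          "system:serviceaccount:nifi:nifi-sa")
# Shaped like the projected service-account token IRSA presents: a machine identity with aud/sub.
IRSA_TOKEN = make_unsigned_jwt({"iss": f"https://{EKS_PROVIDER}", "aud": ["sts.amazonaws.com"],
                                "sub": "system:serviceaccount:nifi:nifi-sa"})

COGNITO_PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
COGNITO_POLICY = trust_policy("123456789012", COGNITO_PROVIDER, "sts.amazonaws.com", "abc123clientid")
# Shaped like a Cognito client-credentials access token: client_id/scope present, no aud claim.
COGNITO_CC_TOKEN = make_unsigned_jwt({"iss": f"https://{COGNITO_PROVIDER}", "sub": "abc123clientid",
                                      "client_id": "abc123clientid", "scope": "nifi/read",
                                      "token_use": "access"})


def demo() -> dict:
    return {"irsa": assume_role_decision(EKS_POLICY, IRSA_TOKEN, EKS_PROVIDER),
            "cognito_client_credentials": assume_role_decision(COGNITO_POLICY, COGNITO_CC_TOKEN,
                                                               COGNITO_PROVIDER)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Run it and the IRSA-shaped token is allowed while the Cognito-shaped token is denied purely for lacking `aud`, which is the mismatch the comment describes; swapping in a Google ID token (provider `accounts.google.com`, `aud=sts.amazonaws.com`, `sub` set to the GCE service account's unique ID) would pass the same conditions, matching the GCP test described above.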
