Identity-provider controls for shared OIDC providers - Amazon Identity and Access Management

Identity-provider controls for shared OIDC providers

For recognized shared OpenID Connect (OIDC) identity providers (IdPs), IAM requires that role trust policies explicitly evaluate specific claims. These required claims, called identity-provider controls, are checked by IAM during role creation and trust policy updates. If the trust policy does not evaluate the controls required by the shared OIDC IdP, the role creation or update fails. This ensures that only authorized identities from the intended organization can assume roles and access Amazon resources, which matters because a shared OIDC provider issues tokens for many Amazon customers from the same issuer.

IAM does not retroactively evaluate identity-provider controls for existing OIDC role trust policies. However, any modification to the trust policy of an existing OIDC role must include the required identity-provider controls, or IAM rejects the update.

OIDC provider types

IAM categorizes OIDC identity providers into two distinct types: private and shared. A private OIDC IdP can be owned and managed by a single organization or can be a tenant of a SaaS provider, with its OIDC Issuer URL serving as a unique identifier specific to that organization. In contrast, a shared OIDC IdP is utilized across multiple organizations, where the OIDC Issuer URL might be identical for all organizations using that shared identity provider.

The table below outlines the key differences between private and shared OIDC providers:

| Characteristic | Private OIDC Provider | Shared OIDC Provider |
|---|---|---|
| Issuer | Unique to the organization | Shared across multiple organizations |
| Tenancy Information | Communicated through unique Issuer | Communicated through claims in JWT |
| Trust Policy Requirements | No specific claim evaluation required | Evaluation of specific claims required |

Shared OIDC identity providers with identity-provider controls

When you create or modify an OIDC provider in IAM, the system automatically identifies and evaluates required claims for recognized shared OIDC providers. If identity-provider controls are not configured in the role trust policy, the role creation or update will fail with a MalformedPolicyDocument error.

The following table lists the shared OIDC providers that require identity-provider controls in role trust policies:

| OIDC IdP | OIDC URL | Tenancy Claim | Required Claims |
|---|---|---|---|
| Buildkite | https://agent.buildkite.com | sub | agent.buildkite.com:sub |
| Codefresh SaaS | https://oidc.codefresh.io | sub | oidc.codefresh.io:sub |
| DVC Studio | https://studio.datachain.ai/api | sub | studio.datachain.ai/api:sub |
| GitHub actions | https://token.actions.githubusercontent.com | sub | token.actions.githubusercontent.com:sub |
| GitHub audit log streaming | https://oidc-configuration.audit-log.githubusercontent.com | sub | oidc-configuration.audit-log.githubusercontent.com:sub |
| GitHub vstoken | https://vstoken.actions.githubusercontent.com | sub | vstoken.actions.githubusercontent.com:sub |
| GitLab | https://gitlab.com | sub | gitlab.com:sub |
| IBM Turbonomic SaaS* | https://rh-oidc.s3.us-east-1.amazonaws.com/22ejnvnnturfmt6km08idd0nt4hekbn7 | sub | rh-oidc.s3.us-east-1.amazonaws.com/22ejnvnnturfmt6km08idd0nt4hekbn7:sub |
| IBM Turbonomic SaaS* | https://rh-oidc.s3.us-east-1.amazonaws.com/23e3sd27sju1hoou6ohfs68vbno607tr | sub | rh-oidc.s3.us-east-1.amazonaws.com/23e3sd27sju1hoou6ohfs68vbno607tr:sub |
| IBM Turbonomic SaaS* | https://rh-oidc.s3.us-east-1.amazonaws.com/23ne21h005qjl3n33d8dui5dlrmv2tmg | sub | rh-oidc.s3.us-east-1.amazonaws.com/23ne21h005qjl3n33d8dui5dlrmv2tmg:sub |
| IBM Turbonomic SaaS* | https://rh-oidc.s3.us-east-1.amazonaws.com/24jrf12m5dj7ljlfb4ta2frhrcoadm26 | sub | rh-oidc.s3.us-east-1.amazonaws.com/24jrf12m5dj7ljlfb4ta2frhrcoadm26:sub |
| IBM Turbonomic SaaS* | https://oidc.op1.openshiftapps.com/2f785sojlpb85i7402pk3qogugim5nfb | sub | oidc.op1.openshiftapps.com/2f785sojlpb85i7402pk3qogugim5nfb:sub |
| IBM Turbonomic SaaS* | https://oidc.op1.openshiftapps.com/2c51blsaqa9gkjt0o9rt11mle8mmropu | sub | oidc.op1.openshiftapps.com/2c51blsaqa9gkjt0o9rt11mle8mmropu:sub |
| sandboxes.cloud | https://sandboxes.cloud | aud | sandboxes.cloud:aud |
| Scalr | https://scalr.io | sub | scalr.io:sub |
| Shisho Cloud | https://tokens.cloud.shisho.dev | sub | tokens.cloud.shisho.dev:sub |
| Terraform Cloud | https://app.terraform.io | sub | app.terraform.io:sub |
| Upbound | https://proidc.upbound.io | sub | proidc.upbound.io:sub |

* IBM Turbonomic periodically changes its OIDC Issuer URL with new versions of the platform. We will add additional Turbonomic OIDC issuers to the shared-provider scope as needed.

For any new OIDC IdPs that IAM identifies as shared, the required identity-provider controls for role trust policies will be documented and enforced in a similar manner.
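The following pre-flight check, added here as an illustration and not part of the IAM documentation or service, reproduces the rule described above for a subset of the table: it reads a role trust policy, finds statements whose Federated principal is a recognized shared OIDC provider, and reports any statement that does not evaluate that provider's required condition key. The sample policies, account id and repository name are constructed placeholders.

```python
import json

# Subset of the page's table: provider (issuer URL without scheme) -> required condition key.
REQUIRED_CONTROLS = {
    "token.actions.githubusercontent.com": "token.actions.githubusercontent.com:sub",
    "gitlab.com": "gitlab.com:sub",
    "app.terraform.io": "app.terraform.io:sub",
    "studio.datachain.ai/api": "studio.datachain.ai/api:sub",
    "sandboxes.cloud": "sandboxes.cloud:aud",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_keys(statement):
    """All condition keys a statement evaluates, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys

def missing_controls(trust_policy):
    """Return [(statement index, required key)] for each statement that federates a recognized
    shared OIDC provider without evaluating its required claim; [] means the check passes."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy["Statement"])):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", []) if isinstance(principal, dict) else []
        for arn in _as_list(federated):
            # Provider ARN form: arn:aws:iam::<account>:oidc-provider/<issuer host[/path]>
            if ":oidc-provider/" not in arn:
                continue
            required = REQUIRED_CONTROLS.get(arn.split(":oidc-provider/", 1)[1])
            if required and required.lower() not in condition_keys(stmt):
                findings.append((idx, required))
    return findings

# Constructed sample (placeholder account id): a GitHub Actions trust policy that checks only
# aud. For a new role, IAM rejects this with MalformedPolicyDocument because sub is not evaluated.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}},
}]}
# Same policy with the required sub control added, pinned to one repository and branch.
FIXED_POLICY = json.loads(json.dumps(WEAK_POLICY))
FIXED_POLICY["Statement"][0]["Condition"]["StringLike"] = {
    "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"}
```

Running `missing_controls(WEAK_POLICY)` returns the one missing key, while `missing_controls(FIXED_POLICY)` returns an empty list; the check is a local approximation of what IAM enforces and does not replace IAM's own validation.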
