How to get temporal credentials after auth with AWS ALB/Cognito/OIDC IdProvider?


I have set up ALB built-in authentication with an OIDC identity provider (Salesforce) connected via a Cognito User pool, more or less following this guide.

With this setup my web application (Java/Spring Boot-based) receives the headers x-amzn-oidc-accesstoken, x-amzn-oidc-identity and x-amzn-oidc-data forwarded by the ALB. I can parse and validate the JWT tokens contained in these headers and, for instance, get the user's e-mail from there.

Now my goal is to give this authenticated user access to certain AWS resources or services via the AWS JavaScript SDK, directly from the client side. For instance, I'd like the user to be able to list objects in an S3 bucket or call certain Lambda functions.

My understanding is that I somehow need to generate temporal credentials for this authenticated user. But I could not find specific documentation on how to do this. The closest hits were:

But I could not connect the dots there. My expectation is that I probably should use the x-amzn-oidc-accesstoken, x-amzn-oidc-identity and x-amzn-oidc-data headers somehow, but I failed to find any code that would do it.

So my question is: how do I generate temporal credentials for the user which was authenticated with built-in ALB authentication via Cognito with OIDC Identity Provider?


There are multiple steps that you need to take to achieve this.

First is to create an appropriate IAM role that you will let your users assume. If you want to provide S3 access for your users then you need to tailor the IAM role in such a way and set the trust relationship between that role and WebIdentity (if you go to console -> IAM -> Roles -> Create Role, you will see this option at the top of the screen – Select type of trusted entity – and configure the provider based on your actual OIDC provider).

Once you have that role, you will need to exchange the WebIdentity token that you currently possess for an STS token. In your case, you will need to call the sts.assume_role_with_web_identity function (which is part of the SDK), where you will need to specify:

  • RoleArn – ARN of the role created above, which will be assumed by your users
  • RoleSessionName – name for the session user (can be arbitrary string)
  • WebIdentityToken – OIDC compliant token (the one that you currently have)
  • Duration – how long the returned credentials will be valid

After you make the call, you will receive a response containing:

The important parts are AccessKeyId, SecretAccessKey and SessionToken. These temporary credentials can be used to directly call S3, Lambda or any other AWS service from your code, but you will need to configure the SDK that you are currently using to include them. Once all that is done, you should be good to go without any issues.
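The steps in the answer above, wired together as an added JavaScript example (not code from the original post and not the AWS SDK's own code): the trust policy the role needs, a pre-flight check on the OIDC token, the four AssumeRoleWithWebIdentity parameters with STS's own limits enforced locally, and the mapping of the STS response onto the `credentials` object that AWS SDK for JavaScript v3 clients accept. The role ARN, provider names, token and credential values are constructed placeholders, and the STS client is injected so the module runs offline; against the real service you would pass an object whose `assumeRoleWithWebIdentity(params)` calls `stsClient.send(new AssumeRoleWithWebIdentityCommand(params))` from `@aws-sdk/client-sts`. The `providerHost:aud` condition key and the `aud` claim layout are assumptions about how the provider is registered in IAM; check them against your provider's configuration.

```javascript
// Added example, not from the original post or from AWS. Shows the flow: IAM trust policy ->
// token pre-flight -> AssumeRoleWithWebIdentity params -> SDK-ready credentials.
// Everything below that looks like an ARN, token or key is a constructed placeholder.

const STS_MIN_DURATION = 900;    // AWS lower bound for DurationSeconds
const STS_MAX_DURATION = 43200;  // AWS upper bound; the role's MaxSessionDuration may be lower

// Trust policy for the IAM role: only tokens from this provider AND issued for this audience
// may assume it. Without the aud condition, any token from the same provider would qualify.
// providerHost is the provider URL without "https://" (assumption about your IAM OIDC provider).
function buildWebIdentityTrustPolicy(providerArn, providerHost, audience) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: providerArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringEquals: { [`${providerHost}:aud`]: audience } },
    }],
  };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact-serialised token");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cheap pre-flight before spending an STS call. STS verifies the signature against the
// provider's JWKS; this only rejects tokens that are already expired or carry no audience.
function preflightToken(token, nowSeconds) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return { ok: false, reason: "token expired" };
  if (!claims.aud) return { ok: false, reason: "token has no aud claim" };
  return { ok: true, claims };
}

// The four parameters named in the answer; DurationSeconds and RoleSessionName are range-checked
// locally so a bad value fails here rather than as an STS error.
function buildAssumeRoleParams({ roleArn, sessionName, webIdentityToken, durationSeconds }) {
  if (durationSeconds < STS_MIN_DURATION || durationSeconds > STS_MAX_DURATION) {
    throw new RangeError(`DurationSeconds must be ${STS_MIN_DURATION}..${STS_MAX_DURATION}`);
  }
  if (!/^[\w+=,.@-]{2,64}$/.test(sessionName)) throw new RangeError("invalid RoleSessionName");
  return { RoleArn: roleArn, RoleSessionName: sessionName,
           WebIdentityToken: webIdentityToken, DurationSeconds: durationSeconds };
}

// Map the STS response onto the `credentials` object SDK v3 clients accept, e.g.
// new S3Client({ region, credentials: toSdkCredentials(resp) }). Keeping `expiration`
// lets the client know when the session ends instead of failing on the first expired call.
function toSdkCredentials(stsResponse) {
  const c = stsResponse.Credentials;
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey,
           sessionToken: c.SessionToken, expiration: new Date(c.Expiration) };
}

async function exchangeForTemporaryCredentials(sts, params, nowSeconds = Math.floor(Date.now() / 1000)) {
  const check = preflightToken(params.webIdentityToken, nowSeconds);
  if (!check.ok) throw new Error(`refusing STS call: ${check.reason}`);
  return toSdkCredentials(await sts.assumeRoleWithWebIdentity(buildAssumeRoleParams(params)));
}

// --- constructed sample data so the module runs stand-alone (no real token, no real keys) ---
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
function makeSampleToken(exp) {   // JWT-shaped string with a dummy signature, for the offline demo only
  return `${b64url({ alg: "RS256", kid: "demo" })}.${b64url({ sub: "user-123", aud: "app-client-id", exp })}.sig`;
}
const fakeSts = {   // stands in for the real STS client and returns a fixed, fake credential set
  async assumeRoleWithWebIdentity(p) {
    const exp = new Date((Math.floor(Date.now() / 1000) + p.DurationSeconds) * 1000).toISOString();
    return { Credentials: { AccessKeyId: "ASIAEXAMPLE", SecretAccessKey: "fake-secret",
                            SessionToken: "fake-session-token", Expiration: exp },
             AssumedRoleUser: { Arn: `${p.RoleArn}/${p.RoleSessionName}` } };
  },
};
const sampleParams = { roleArn: "arn:aws:iam::123456789012:role/ExampleWebIdentityRole",
                       sessionName: "user-123", durationSeconds: 3600,
                       webIdentityToken: makeSampleToken(Math.floor(Date.now() / 1000) + 600) };

exchangeForTemporaryCredentials(fakeSts, sampleParams).then((creds) => console.log(creds));
```

The trust policy's `aud` condition is the part most often left out: it ties the role to tokens minted for this application, so a token from another client of the same provider cannot assume it. The `expiration` field is worth keeping on the credentials object for the same reason the answer mentions Duration: the browser session will outlive the STS session, and the client needs to know when to repeat the exchange.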
