Using Firebase OpenID Connect provider as AWS IAM Identity Provider


I get the following error while setting up Firebase as an AWS IAM Identity Provider using OpenID Connect.

We encountered the following errors while processing your request:
Please check .well-known/openid-configuration of provider:<Project ID> is valid.

The AWS IAM Identity Provider setup requires two input parameters, to which I plugged in the following:
Provider URL: <Firebase Project ID>
Audience: <Firebase Client ID>

To troubleshoot the error, I opened http://<Provider URL>/.well-known/openid-configuration in a browser and noted the JSON response has the Issuer and jwks_uri fields. I believe these JSON fields indicate the Firebase OpenID Connect Provider URL is valid.

Any idea how I could avoid the above error and successfully set up the AWS IAM Identity Provider?


I contacted AWS support and they helped resolve the problem. Thanks to Shaun H @ AWS!

The solution to the problem is to use AWS CLI instead of AWS console to set up an OIDC provider.

I'm pasting relevant parts of Shaun's response below:

1.) Manually obtain and verify the thumbprint using the procedure described here [1].
"ThumbprintList" = "6040DB92306CC8BCEB31CACAC88D107430B16AFF"

2.) Create the OIDC identity provider using the AWS CLI [2].
For example: $ aws iam create-open-id-connect-provider --cli-input-json file://oidc.json
Note - the format would be:
aud (Audience): Must be your Firebase project ID, the unique identifier for your Firebase project, which can be found in the URL of that project's console.
iss (Issuer): Must be <projectId>, where is the same project ID used for aud above.

Content for file://oidc.json: (replace with your Project ID)



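As an added example (not Shaun's oidc.json and not code from the question or answer), the following Python script covers both steps of the answer: it computes a ThumbprintList entry from a PEM certificate the way the AWS procedure defines it (SHA-1 over the certificate's DER encoding), builds the `--cli-input-json` document for `aws iam create-open-id-connect-provider` from the provider's `.well-known/openid-configuration` response, and checks the aud/iss constraints quoted in step 2. The issuer prefix in the constructed discovery document and the project ID are assumptions; take the real `issuer` from your own provider's discovery document.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

def thumbprint_from_pem(pem: str) -> str:
    """SHA-1 over the DER of one certificate, upper-case hex (the ThumbprintList format).
    Feed it the top-most intermediate CA cert of the chain served by the jwks_uri host."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()

def build_oidc_input(discovery: dict, project_id: str, thumbprint: str) -> dict:
    """Build the --cli-input-json document: Url is the discovery document's issuer,
    ClientIDList carries the audience (the Firebase project ID)."""
    return {
        "Url": discovery["issuer"],
        "ClientIDList": [project_id],
        "ThumbprintList": [thumbprint.upper()],
    }

def validate_oidc_input(doc: dict, project_id: str) -> list:
    """Return the problems found; empty when aud == project ID, iss ends with the
    project ID, and every thumbprint is a 40-character upper-case hex SHA-1."""
    problems = []
    url = doc.get("Url", "")
    if not url.startswith("https://"):
        problems.append("Url must be an https:// issuer URL")
    if urlparse(url).path.rstrip("/").rsplit("/", 1)[-1] != project_id:
        problems.append("issuer (iss) must end with the project ID")
    if doc.get("ClientIDList") != [project_id]:
        problems.append("ClientIDList (aud) must be exactly the project ID")
    for t in doc.get("ThumbprintList") or []:
        if len(t) != 40 or any(c not in "0123456789ABCDEF" for c in t):
            problems.append(f"thumbprint {t!r} is not 40 upper-case hex characters")
    return problems

# Constructed sample of what /.well-known/openid-configuration returns; the issuer
# prefix and project ID are assumptions - copy the real issuer from your provider.
SAMPLE_DISCOVERY = {"issuer": "https://securetoken.google.com/my-firebase-project"}

if __name__ == "__main__":
    # Thumbprint value is the one quoted in the answer above; project ID is a placeholder.
    doc = build_oidc_input(SAMPLE_DISCOVERY, "my-firebase-project",
                           "6040DB92306CC8BCEB31CACAC88D107430B16AFF")
    assert validate_oidc_input(doc, "my-firebase-project") == []
    print(json.dumps(doc, indent=2))  # save as oidc.json for --cli-input-json
```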