AuthFI · Documentation

AWS AuthFI Connect Setup

Connect your AWS account to AuthFI. Users get temporary STS credentials and console sign-in based on their AuthFI roles. Five steps from zero to working federation.

STS AssumeRoleWithWebIdentity · OIDC trust · No long-lived keys · ~5 min setup

Prerequisites

  • An AWS account with IAM admin access
  • AuthFI tenant on Scale or Enterprise plan

1 · Create an OIDC identity provider in AWS

aws iam create-open-id-connect-provider \
  --url https://your-tenant.authfi.app \
  --client-id-list authfi-cloud-access \
  --thumbprint-list <your-authfi-thumbprint>

2 · Create an IAM role with trust policy

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::123456789012:oidc-provider/your-tenant.authfi.app"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "your-tenant.authfi.app:aud": "aws",
        "your-tenant.authfi.app:azp": "authfi-cloud-access"
      }
    }
  }]
}

3 · Add cloud account in AuthFI

curl -X POST https://api.authfi.app/manage/v1/your-tenant/cloud/accounts \
  -H "X-API-Key: sk_..." \
  -d '{
    "provider": "aws",
    "name": "AWS Production",
    "account_ref": "123456789012",
    "config": {
      "oidc_provider_arn": "arn:aws:iam::123456789012:oidc-provider/your-tenant.authfi.app"
    }
  }'

4 · Create role mapping

curl -X POST https://api.authfi.app/manage/v1/your-tenant/cloud/mappings \
  -H "X-API-Key: sk_..." \
  -d '{
    "cloud_account_id": "<account-uuid>",
    "authfi_role_id": "<cloud-admin-role-uuid>",
    "cloud_role": "arn:aws:iam::123456789012:role/AdminAccess",
    "max_session_seconds": 3600,
    "conditions": { "require_mfa": true }
  }'

5 · Users get access

// AWS SDK v3 client used below
import { S3Client } from '@aws-sdk/client-s3';

// SDK — get AWS credentials for the logged-in user.
// `authfi` is the initialised AuthFI SDK client and `req.user.token` the user's AuthFI token;
// `account` selects the cloud account added in step 3, and the role mapping from step 4
// decides which IAM role is assumed (subject to its max_session_seconds and conditions).
const creds = await authfi.cloudCredentials(req.user.token, {
  provider: 'aws',
  account: 'production'
});

// Use with AWS SDK: the returned temporary STS credentials expire with the session
const s3 = new S3Client({ credentials: creds });

Or from the AuthFI console, users click “Open Console” to land directly in the AWS Management Console.
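As an added example (not AuthFI's or AWS's own code), this Node.js script ties steps 2 and 5 together: it decodes the web-identity token the SDK hands to STS and checks it against the step-2 trust policy the way STS does, so a token minted for a different AuthFI application (wrong azp), for a different issuer, or already expired is flagged before it reaches AssumeRoleWithWebIdentity. The sample tokens, the user-1 subject and the NOW timestamp are constructed; signature verification is deliberately left to STS.

```javascript
// Added example (not AuthFI's or AWS's own code): decode the AuthFI web-identity
// token WITHOUT verifying its signature (STS does that against the provider's keys)
// and evaluate it against the step-2 trust policy the way STS resolves the Federated
// principal (by iss) and the StringEquals keys. All sample tokens are constructed.
const TRUST_POLICY = { Version: '2012-10-17', Statement: [{
  Effect: 'Allow',
  Principal: { Federated: 'arn:aws:iam::123456789012:oidc-provider/your-tenant.authfi.app' },
  Action: 'sts:AssumeRoleWithWebIdentity',
  Condition: { StringEquals: { 'your-tenant.authfi.app:aud': 'aws',
                               'your-tenant.authfi.app:azp': 'authfi-cloud-access' } },
}] };
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
// Constructed, unsigned token with the given claims (dummy signature segment).
const constructToken = (claims) => `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}.sig`;

function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns the reasons STS would refuse the token (an empty list means allowed).
function trustPolicyRejections(policy, token, now = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(token);
  const reasons = [];
  if (typeof c.exp !== 'number' || c.exp <= now) reasons.push('token expired');
  if (typeof c.iss !== 'string') return [...reasons, 'missing iss'];
  const issHost = new URL(c.iss).host; // STS selects the OIDC provider by the iss claim
  const stmt = policy.Statement.find((s) => s.Effect === 'Allow'
    && s.Action === 'sts:AssumeRoleWithWebIdentity'
    && s.Principal.Federated.endsWith(`:oidc-provider/${issHost}`));
  if (!stmt) return [...reasons, `no trust statement for issuer ${issHost}`];
  const eq = (stmt.Condition && stmt.Condition.StringEquals) || {};
  for (const [key, want] of Object.entries(eq)) {
    const claim = key.slice(key.indexOf(':') + 1); // "<host>:aud" -> "aud"
    const wanted = Array.isArray(want) ? want : [want];
    const have = Array.isArray(c[claim]) ? c[claim] : [c[claim]]; // aud may be an array
    if (!have.some((v) => wanted.includes(v))) reasons.push(`${key} is ${JSON.stringify(c[claim])}`);
  }
  return reasons;
}
// Constructed samples: one minted for this integration, one for another AuthFI app.
const NOW = 1700000000;
const GOOD_TOKEN = constructToken({ iss: 'https://your-tenant.authfi.app', sub: 'user-1',
  aud: 'aws', azp: 'authfi-cloud-access', exp: NOW + 600 });
const OTHER_APP_TOKEN = constructToken({ iss: 'https://your-tenant.authfi.app', sub: 'user-1',
  aud: 'aws', azp: 'some-other-app', exp: NOW + 600 });
```

Running `trustPolicyRejections(TRUST_POLICY, OTHER_APP_TOKEN, NOW)` names the failing condition key, which is the same check that makes the azp condition in step 2 worth keeping even though both applications share the aud value.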