# OIDC Provider

## Amazon Web Services (AWS) OIDC Integration

### Overview

This guide walks you through configuring OpenID Connect (OIDC) authentication between Firefly and AWS. With OIDC, Firefly presents a short-lived, signed identity token to AWS STS and exchanges it for temporary credentials of an IAM role you control, so no long-lived static AWS access keys have to be stored in Firefly.

## Configure Firefly as an Identity Provider

Firefly must be registered as an OpenID Connect identity provider in your AWS account so that IAM can verify the tokens it issues. The steps below use the AWS console:

### Step 1: Access AWS IAM

1. Go to the AWS console and select the IAM service.
2. Click **Identity providers** in the left-hand menu.
3. Click **Add provider** in the top bar.

### Step 2: Configure the Provider

1. Select **OpenID Connect** as the provider type.
2. Enter the following details:
   * **Provider URL:** `https://api.gofirefly.io/v2`
   * **Audience:** `sts.amazonaws.com`
3. Once created, the identity provider will be listed in the "Identity providers" table.

### Step 3: Add Firefly OIDC as the Role Provider

Click the provider name to see its details. From here, you will create an IAM role that this identity provider is allowed to assume:

1. Click **Assign role**, and choose to create a new role.
2. Click **Web identity** and select the new Firefly OIDC provider as the trusted entity.

   ![AWS IAM Create Role - Web Identity Selection](https://292727710-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkD89Ravlokn4JL0Be27O%2Fuploads%2Fgit-blob-1694bf82d531ebe8129a6c06a9401ccf8599633e%2Foidc-aws-web-identity-selection.png?alt=media)
3. Select the audience from the dropdown (there should only be one option).

   ![AWS IAM Create Role - Web Identity Configuration](https://292727710-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkD89Ravlokn4JL0Be27O%2Fuploads%2FozNup28Zclz8LEKKeJE3%2F1.png?alt=media\&token=ee317515-112a-45e0-83dd-97401ba21efb)
4. Add a condition on the `sub` claim: choose the key ending in `:sub` (`api.gofirefly.io/v2:sub`), the `StringEquals` operator, and the value `account:FIREFLY_ACCOUNT_ID` (replace `FIREFLY_ACCOUNT_ID` with your actual Firefly account ID). This condition is what restricts the role to tokens issued for your Firefly account rather than any Firefly tenant.

   ![AWS IAM Create Role - Web Identity Condition Configuration](https://292727710-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkD89Ravlokn4JL0Be27O%2Fuploads%2FLHKlihj0Rp8TXkyw0a2W%2F2.png?alt=media\&token=772f5e2c-cf2a-4f74-8953-46349a07b77c)
5. The rest of the process is the same as for any other role creation. Attach only the permissions policies your Firefly workspaces actually need, then add tags and a description.

   ![AWS IAM Create Role - Add Permissions](https://292727710-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkD89Ravlokn4JL0Be27O%2Fuploads%2F6cOE8VyVUgux9N1M0zZf%2F3.png?alt=media\&token=a1943782-e9c8-4358-8341-619492212a1a)
6. Once you're done, click **Create role**.

**Example trust policy** (the role's trust relationship produced by the steps above; replace `123456789012` with your AWS account ID and `FIREFLY_ACCOUNT_ID` with your Firefly account ID):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/api.gofirefly.io/v2"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "api.gofirefly.io/v2:sub": "account:FIREFLY_ACCOUNT_ID",
                    "api.gofirefly.io/v2:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
```

Both conditions matter. The `aud` check ensures the token was minted for AWS STS, and the `sub` check pins the role to your Firefly account: without it, a token issued by the same provider for any other Firefly account would satisfy the trust policy and could assume the role.

![AWS IAM Role Created - Permissions Summary](https://292727710-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkD89Ravlokn4JL0Be27O%2Fuploads%2FwhB8cEXAlreLKAZLZLE4%2F4.png?alt=media\&token=d9a9d887-a07a-48f3-9a03-2edde3d0c426)
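The same identity provider and role expressed in Terraform, as an added example rather than Firefly's own code. It assumes the `hashicorp/aws` and `hashicorp/tls` providers; the `firefly_account_id` and `permissions_policy_arn` variables are placeholders introduced by this example, and the role is named `firefly-oidc-role` to match the ARN used later on this page.

```hcl
# Added example, not Firefly's own code. Creates the Firefly OIDC identity
# provider and a role whose trust policy matches the console steps above.
# Assumes the hashicorp/aws and hashicorp/tls providers.

variable "firefly_account_id" {
  description = "Your Firefly account ID (the part after 'account:' in the token's sub claim)"
  type        = string
}

# Hypothetical variable for this example: the permissions the role carries.
# Scope this to what your workspaces actually manage.
variable "permissions_policy_arn" {
  description = "ARN of the permissions policy to attach to the Firefly role"
  type        = string
}

locals {
  firefly_issuer   = "https://api.gofirefly.io/v2"
  firefly_audience = "sts.amazonaws.com"
  # IAM condition keys use the issuer host and path without the scheme.
  firefly_condition_prefix = trimprefix(local.firefly_issuer, "https://")
}

# Read the issuer's certificate chain so the provider thumbprint is derived
# rather than pasted by hand; certificates[0] is the root of the chain.
data "tls_certificate" "firefly" {
  url = local.firefly_issuer
}

resource "aws_iam_openid_connect_provider" "firefly" {
  url             = local.firefly_issuer
  client_id_list  = [local.firefly_audience]
  thumbprint_list = [data.tls_certificate.firefly.certificates[0].sha1_fingerprint]
}

# Trust policy: only tokens issued by Firefly, minted for STS, and carrying
# this account's sub claim may assume the role. Dropping the sub condition
# would let any Firefly account's token pass.
data "aws_iam_policy_document" "firefly_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.firefly.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.firefly_condition_prefix}:aud"
      values   = [local.firefly_audience]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.firefly_condition_prefix}:sub"
      values   = ["account:${var.firefly_account_id}"]
    }
  }
}

resource "aws_iam_role" "firefly_oidc" {
  name               = "firefly-oidc-role"
  assume_role_policy = data.aws_iam_policy_document.firefly_trust.json
}

resource "aws_iam_role_policy_attachment" "firefly_permissions" {
  role       = aws_iam_role.firefly_oidc.name
  policy_arn = var.permissions_policy_arn
}

# The value to enter as the IAM role ARN in the Firefly project or workspace.
output "firefly_role_arn" {
  value = aws_iam_role.firefly_oidc.arn
}
```

Apply this from credentials that already have IAM permissions in the target account (an administrator session or your existing pipeline identity), not from the Firefly-assumed role itself, since the role does not exist until this configuration has been applied. The `firefly_role_arn` output is the value the Firefly project or workspace settings ask for.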

## Required Terraform Configuration

To enable AWS authentication using OIDC / Web Identity, declare the following variables in your Terraform configuration with no default values; Firefly supplies their values at run time:

* `aws_role_arn` – ARN of the IAM role to assume
* `aws_web_identity_token_file` – Path to the OIDC token file used for authentication

### Variable Definitions

Add the following variable definitions to your Terraform code:

```hcl
variable "aws_role_arn" {
  description = "ARN of the IAM role to assume with web identity"
  type        = string
}

variable "aws_web_identity_token_file" {
  description = "Path to the AWS web identity token file"
  type        = string
}
```

### AWS Provider Configuration

Configure your AWS provider to use OIDC authentication:

```hcl
provider "aws" {
  assume_role_with_web_identity {
    role_arn                = var.aws_role_arn
    web_identity_token_file = var.aws_web_identity_token_file
  }
}
```

When Firefly executes your Terraform code, it sets these two variables to the role ARN you configured and to the path of the short-lived OIDC token file it provides for the run, so the AWS provider calls `AssumeRoleWithWebIdentity` and obtains temporary credentials without any static keys being stored.

## Configuring OIDC in Firefly

Once you've set up the OIDC provider in AWS, you need to configure Firefly to use it. There are several ways to do this depending on your setup:

### Option 1: Configure OIDC in Projects

> **Note:** OIDC Authentication configured at the project level is an inherited attribute. This means all sub-projects and workspaces within the project will automatically be configured with this authentication method.

#### When Creating a New Project

1. Navigate to the project creation screen.
2. Enable **OIDC Authentication**.
3. Provide the ARN of the IAM role you created (e.g., `arn:aws:iam::123456789012:role/firefly-oidc-role`).

#### When Editing an Existing Project

1. Navigate to your project settings.
2. Enable **OIDC Authentication**.
3. Provide the ARN of the IAM role you created (e.g., `arn:aws:iam::123456789012:role/firefly-oidc-role`).

### Option 2: Configure OIDC in Workspaces

1. Navigate to your workspace.
2. Go to the **Execution Configuration** section.
3. Enable **OIDC Authentication**.
4. Provide the ARN of the IAM role you created (e.g., `arn:aws:iam::123456789012:role/firefly-oidc-role`).
