OIDC Provider

Amazon Web Services (AWS) OIDC Integration

Overview

This guide will walk you through configuring OpenID Connect (OIDC) authentication between Firefly and AWS. OIDC allows Firefly to securely access your AWS resources without the need for long-lived static credentials.

Configure Firefly as an Identity Provider

You need to set up Firefly as a valid identity provider for your AWS account by creating an OpenID Connect identity provider in IAM. The configuration is done via the AWS console:

Step 1: Access AWS IAM

  1. Go to the AWS console and select the IAM service.

  2. Click Identity providers in the left-hand menu.

  3. Click Add provider in the top bar.

Step 2: Configure the Provider

  1. Select OpenID Connect as the provider type.

  2. Enter the following details:

    • Provider URL: https://api.gofirefly.io/v2

    • Audience: sts.amazonaws.com

  3. Once created, the identity provider will be listed in the "Identity providers" table.

Step 3: Add Firefly OIDC as the Role Provider

You can click on the provider name to see the details. From here, you will assign an IAM role to this new identity provider:

  1. Click Assign role, and choose to create a new role.

  2. Click Web identity and select the new Firefly OIDC provider as the trusted entity.

    [Screenshot: AWS IAM Create Role - Web Identity Selection]

  3. Select the audience from the dropdown (there should only be one option).

    [Screenshot: AWS IAM Create Role - Web Identity Configuration]

  4. Add a condition for :sub where the value is account:FIREFLY_ACCOUNT_ID (replace FIREFLY_ACCOUNT_ID with your actual Firefly account ID). This condition restricts the role so that only tokens issued for your own Firefly account can assume it.

    [Screenshot: AWS IAM Create Role - Web Identity Condition Configuration]

  5. The rest of the process is the same as for any other role creation. Select the policies you want to attach to the role, and add tags and a description.

    [Screenshot: AWS IAM Create Role - Add Permissions]

  6. Once you're done, click Create role.

Example policy:

[Screenshot: AWS IAM Role Created - Permissions Summary]

Required Terraform Configuration

To enable AWS authentication using OIDC / Web Identity, you must define the following variables in your Terraform configuration with no default values:

  • aws_role_arn – ARN of the IAM role to assume

  • aws_web_identity_token_file – Path to the OIDC token file used for authentication

Variable Definitions

Add the following variable definitions to your Terraform code:

AWS Provider Configuration

Configure your AWS provider to use OIDC authentication:
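The following is an added example (not a snippet from this page or from Firefly's own documentation) covering both the variable definitions and the provider configuration described above; it uses the Terraform AWS provider's assume_role_with_web_identity block, and the aws_region variable and the session name are assumptions you should adjust.

```hcl
# Added example: variable definitions and provider configuration for
# Firefly's OIDC / Web Identity authentication to AWS.
# Firefly injects the values of both variables at execution time; leaving
# them without defaults ensures a plan can never silently fall back to a
# hard-coded role ARN or token path.

variable "aws_role_arn" {
  description = "ARN of the IAM role that trusts the Firefly OIDC provider"
  type        = string
  # No default: supplied by Firefly when it runs this code.
}

variable "aws_web_identity_token_file" {
  description = "Path to the file containing the short-lived OIDC token"
  type        = string
  # No default: supplied by Firefly when it runs this code.
}

# Assumption for this example: pick the region your resources live in.
variable "aws_region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.aws_region

  # Exchange the OIDC token for temporary STS credentials via
  # sts:AssumeRoleWithWebIdentity; no static access keys are stored.
  assume_role_with_web_identity {
    role_arn                = var.aws_role_arn
    web_identity_token_file = var.aws_web_identity_token_file
    # Assumed session name; it appears in CloudTrail so API calls made
    # from Firefly runs can be attributed during review.
    session_name = "firefly-oidc"
  }
}
```

The role named in aws_role_arn must be the one whose trust policy carries the :sub condition from the steps above; otherwise the STS call is rejected.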

When Firefly executes your Terraform code, it will automatically provide the values for these variables, allowing secure authentication to AWS without the need for static credentials.

Configuring OIDC in Firefly

Once you've set up the OIDC provider in AWS, you need to configure Firefly to use it. There are several ways to do this depending on your setup:

Option 1: Configure OIDC in Projects

Note: OIDC Authentication configured at the project level is an inherited attribute. This means all sub-projects and workspaces within the project will automatically be configured with this authentication method.

When Creating a New Project

  1. Navigate to the project creation screen

  2. Enable OIDC Authentication

  3. Provide the ARN of the IAM role you created (e.g., arn:aws:iam::123456789012:role/firefly-oidc-role)

When Editing an Existing Project

  1. Navigate to your project settings

  2. Enable OIDC Authentication

  3. Provide the ARN of the IAM role you created (e.g., arn:aws:iam::123456789012:role/firefly-oidc-role)

Option 2: Configure OIDC in Workspaces

  1. Navigate to your workspace

  2. Go to the Execution Configuration section

  3. Enable OIDC Authentication

  4. Provide the ARN of the IAM role you created (e.g., arn:aws:iam::123456789012:role/firefly-oidc-role)
