by 0xbadcafebee 1637 days ago
Maybe not OIDC, but most support SAML, which is good enough.

There are also SAML/OAuth2/OIDC proxies you can use along with role-specific service accounts, so even legacy app access can be audited and controlled with temporary sessions. One OAuth2 reverse proxy can authenticate entire subdomains worth of web apps. (https://oauth2-proxy.github.io/oauth2-proxy/)

If some proprietary app says they only support static IAM keys, they can easily enable the AWS SDK to transparently handle AWS STS temporary credentials. You just authenticate with some other app (say, saml2aws) and the tokens are cached locally, and the AWS SDK takes care of the rest. (You can also configure the AWS SDK's credential_process feature to make that seamless)

Cross-account AWS access can be granted to specific roles to be assumed with specific IAM policies. No keys or users at all.
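As an added illustration of the credential_process approach mentioned above (example code, not from the commenter or from saml2aws), here is a minimal helper that reads cached STS temporary credentials and prints them in the JSON shape the AWS SDK expects, refusing to hand out keys that are about to expire. The cache layout, the `prod-readonly` profile name and the `/usr/local/bin/sts-cache-helper` path are assumptions for the example.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of a local credential cache (the real cache written by a
# tool such as saml2aws is an assumption here; only the four STS fields matter).
SAMPLE_CACHE = {
    "AccessKeyId": "ASIAEXAMPLE000000000",
    "SecretAccessKey": "example-secret-not-real",
    "SessionToken": "example-session-token-not-real",
    "Expiration": "2030-01-01T12:00:00Z",
}

# Matching profile in ~/.aws/config (assumed path for this helper script):
#   [profile prod-readonly]
#   credential_process = /usr/local/bin/sts-cache-helper
# The SDK executes that command and parses its stdout as JSON on every refresh,
# so the script path should be root-owned and not writable by other users.

def parse_expiration(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp (STS uses a trailing 'Z') into aware UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def credentials_are_fresh(cache: dict, now: datetime,
                          skew: timedelta = timedelta(minutes=5)) -> bool:
    """True if the cached credentials outlive 'now' by more than 'skew'."""
    return parse_expiration(cache["Expiration"]) - now > skew

def to_credential_process_output(cache: dict, now: datetime) -> dict:
    """Build the object credential_process must print: Version 1 plus the STS
    fields. Expiration tells the SDK when to re-run this helper; refusing to
    emit stale keys makes an expired session fail loudly rather than silently."""
    if not credentials_are_fresh(cache, now):
        raise RuntimeError("cached STS credentials expired; re-authenticate")
    return {
        "Version": 1,
        "AccessKeyId": cache["AccessKeyId"],
        "SecretAccessKey": cache["SecretAccessKey"],
        "SessionToken": cache["SessionToken"],
        "Expiration": cache["Expiration"],
    }

if __name__ == "__main__":
    try:
        print(json.dumps(to_credential_process_output(
            SAMPLE_CACHE, datetime.now(timezone.utc))))
    except RuntimeError as exc:
        print(exc, file=sys.stderr)  # non-zero exit surfaces as an SDK credential error
        sys.exit(1)
```

Because the SDK re-invokes the helper whenever `Expiration` passes, every API call is backed by a short-lived STS session and no static key ever lands in `~/.aws/credentials`.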