
OIDC Provider

Setting up an OIDC provider lets Hyper Cloud Automation authenticate to your AWS account without AWS access keys: with the OIDC provider in place, Hyper Cloud Automation authenticates using JWT tokens instead.

Setup OIDC Provider and Role

  1. Log in to your AWS Account
  2. Go to IAM
  3. In the left navigation menu click on Identity Providers
  4. On the right, click the Add provider button
  5. Set the following:
    1. Provider type: OpenID Connect
    2. Provider URL: https://securetoken.google.com/mkv-xoogify-web-app-4b0e
    3. Audience: mkv-xoogify-web-app-4b0e
    4. Click on Add provider
  6. You should see securetoken.google.com/mkv-xoogify-web-app-4b0e in the list of providers.
  7. Click on securetoken.google.com/mkv-xoogify-web-app-4b0e and note down the ARN.
  8. In the left navigation menu click on Roles
  9. In the right corner click on Create Role button
  10. Select Custom Trust Policy and set the policy to be like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:oidc-provider/securetoken.google.com/mkv-xoogify-web-app-4b0e"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "securetoken.google.com/mkv-xoogify-web-app-4b0e:aud": "mkv-xoogify-web-app-4b0e",
              "securetoken.google.com/mkv-xoogify-web-app-4b0e:sub": "<Hyper Cloud Automation UID>"
            }
          }
        }
      ]
    }
    where:
    1. <YOUR AWS ACCOUNT ID> is the ID of the AWS account where you are creating this role (the same account where the OIDC provider was created).
    2. <Hyper Cloud Automation UID> is your user UID in Hyper Cloud Automation. You can find this value on the Profile page.
      Info: You can specify an array of UIDs as well. For example: "securetoken.google.com/mkv-xoogify-web-app-4b0e:sub": ["uid1", "uid2", "uid3"]

      Warning: It is very important to set the UID value in the above policy. Do not leave it blank.
  11. Press Next
  12. Add the Administrator Access permission.
    Info: Administrator Access is a broad policy, best suited to deploying any kind of resource in your AWS account. If this is too broad for you, attach less broad (least-privilege) permissions instead.

  13. Press Next button
  14. For role name enter xoogify-admin.
  15. For description enter Hyper Cloud Automation Federated Role
  16. Press Create button
  17. Note down the ARN of the created role. You will need it in the next section.
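Because the trust policy is the only thing standing between "any token issued by this provider" and your Administrator Access role, it is worth checking it before (and periodically after) creation. The following is an added example, not part of this page or of Hyper Cloud Automation: a standard-library Python checker that verifies the Federated principal, the action, the aud value, and that the sub condition is present and not blank. The account ID and UID in the sample policy are constructed placeholders.

```python
import json

# Values taken from the trust policy above.
PROVIDER_HOST = "securetoken.google.com/mkv-xoogify-web-app-4b0e"
AUDIENCE = "mkv-xoogify-web-app-4b0e"


def check_trust_policy(policy_json: str, account_id: str) -> list:
    """Return a list of findings for an OIDC trust policy; empty means it passes."""
    findings = []
    policy = json.loads(policy_json)
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER_HOST}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # The principal must be exactly the OIDC provider created in this account.
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append(f"Federated principal must be {expected_principal}")
        # Only web-identity assumption should be allowed from this principal.
        action = stmt.get("Action")
        actions = action if isinstance(action, list) else [action]
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append("Action must be exactly sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # aud pins the token to this application; sub pins it to specific users.
        if cond.get(f"{PROVIDER_HOST}:aud") != AUDIENCE:
            findings.append("aud condition missing or does not match the audience")
        sub = cond.get(f"{PROVIDER_HOST}:sub")
        subs = sub if isinstance(sub, list) else [sub]
        if any(not isinstance(s, str) or not s.strip() for s in subs):
            findings.append("sub condition missing or blank: every user of the "
                            "provider could assume this role")
    return findings


# Constructed sample: placeholder account ID and UID, otherwise the page's policy.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{SAMPLE_ACCOUNT}:oidc-provider/{PROVIDER_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER_HOST}:aud": AUDIENCE,
            f"{PROVIDER_HOST}:sub": ["example-uid-1", "example-uid-2"],
        }},
    }],
})

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_POLICY, SAMPLE_ACCOUNT) or "trust policy OK")
```

Run it against the JSON you pasted into the console (with your real account ID); a blank or missing sub is reported as a finding rather than silently accepted.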

Use OIDC Role in Hyper Cloud Automation

This is an example of how you can use the role created above.

  1. Go to undefined
  2. Click on the Environments in the left navigation menu
  3. Click on the Add Environment button and give it a name
  4. Add AWS Account to the environment tree
  5. Click on Config button of the AWS Account (it looks like three dots)
  6. Set the following:
    1. Name: Your AWS account name (can be anything, but it's good to match the actual account name).
    2. AWS Account ID: Must be a valid account ID. In this tutorial it should match the account ID where the OIDC role was created in the Setup OIDC Provider and Role section.
    3. Assume Role ARN: The ARN of the role created in the last step of the Setup OIDC Provider and Role section.
  7. Press Save Button
  8. Add AWS Region to the AWS Account and set it to whatever region you want (For example: us-west-2)
  9. Add AWS S3 Bucket to the AWS Region
  10. Open Module Config and set the name of the bucket.
  11. Scroll down and press Save
  12. You should now have a full tree with the environment, AWS account, region and S3 bucket.
  13. You can start deploying the module. See Modules for more details.