Skip to content

feat(federation): federate_aws — assertion + AssumeRoleWithWebIdentity + STS XML #140

Description

@alukach

Part of the Federated backend authentication epic (proxy-side).

What

Implement federate_aws: mint a short-lived OIDC assertion and exchange it for temporary AWS credentials via AssumeRoleWithWebIdentity.

Steps

  1. Sign an RS256 assertion with the existing JwtSigner (config.oidc.signer): iss = OIDC issuer, aud = connection audience, sub = rendered subject, short TTL (~5 min), jti.
  2. reqwest POST to sts.<region>.amazonaws.com:
    Action=AssumeRoleWithWebIdentity&RoleArn=<arn>&WebIdentityToken=<jwt>&DurationSeconds=<n> (optionally &Policy=<session policy>). No SigV4 — the web-identity token is the auth.
  3. Parse the XML <Credentials> block (reuse the STS-XML parsing pattern from source.coop).
async fn federate_aws(signer, subject, audience, role_arn, duration, session_policy: Option<String>)
    -> Result<TempCreds, ProxyError>

Notes

  • multistore-sts is the proxy's own STS (Layer 1) — this is a separate AWS client.
  • The RSA OIDC key already produces RS256, which AWS web identity accepts.

Acceptance

  • Returns {access_key_id, secret_access_key, session_token, expiration}
  • STS error XML mapped to a ProxyError (no secret leakage in logs/messages)
  • Unit test against a mocked STS response (valid + error)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions