Part of the Federated backend authentication epic (proxy-side).
What
Implement federate_aws: mint a short-lived OIDC assertion and exchange it for temporary AWS credentials via AssumeRoleWithWebIdentity.
Steps
- Sign an RS256 assertion with the existing
JwtSigner (config.oidc.signer): iss = OIDC issuer, aud = connection audience, sub = rendered subject, short TTL (~5 min), jti.
reqwest POST to sts.<region>.amazonaws.com:
Action=AssumeRoleWithWebIdentity&RoleArn=<arn>&WebIdentityToken=<jwt>&DurationSeconds=<n> (optionally &Policy=<session policy>). No SigV4 — the web-identity token is the auth.
- Parse the XML
<Credentials> block (reuse the STS-XML parsing pattern from source.coop).
async fn federate_aws(signer, subject, audience, role_arn, duration, session_policy: Option<String>)
-> Result<TempCreds, ProxyError>
Notes
multistore-sts is the proxy's own STS (Layer 1) — this is a separate AWS client.
- The RSA OIDC key already produces RS256, which AWS web identity accepts.
Acceptance
Part of the Federated backend authentication epic (proxy-side).
What
Implement
federate_aws: mint a short-lived OIDC assertion and exchange it for temporary AWS credentials viaAssumeRoleWithWebIdentity.Steps
JwtSigner(config.oidc.signer):iss= OIDC issuer,aud= connection audience,sub= rendered subject, short TTL (~5 min),jti.reqwestPOST tosts.<region>.amazonaws.com:Action=AssumeRoleWithWebIdentity&RoleArn=<arn>&WebIdentityToken=<jwt>&DurationSeconds=<n>(optionally&Policy=<session policy>). No SigV4 — the web-identity token is the auth.<Credentials>block (reuse the STS-XML parsing pattern fromsource.coop).Notes
multistore-stsis the proxy's own STS (Layer 1) — this is a separate AWS client.Acceptance
{access_key_id, secret_access_key, session_token, expiration}ProxyError(no secret leakage in logs/messages)