Using Salsa via OIDC to authenticate to AWS
The next step in our quest to have usable AWS accounts is user handling.
I looked into the available options. Those are local accounts or
federation via SAML or OpenID Connect. Federation needs both an
external user source and some glue, due to the internal handling in AWS.
Local users work, but require either some sync tool or manual user
setup, and most likely manual password handling.
SAML federation is weird and I found no IdP implementation that allows
proper specification of the required user attributes.
I would like to use OpenID Connect federation against salsa.debian.org
for now. This needs some glue in the form of a small web application I
The login is reachable via
This setup trusts the following services:
- salsa.debian.org for proper authentication and providing group
- awsauth.debian.net for translating group information into AWS roles.
It can't change user information, as the used ID token is signed by
A Vulcan can no sooner be disloyal than he can exist without breathing.
-- Kirk, "The Menagerie", stardate 3012.4
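The trust model above rests on two checks in the glue application: the ID token must really come from salsa.debian.org and be meant for the glue service, and only the group claims it carries may decide which AWS roles a user can take. The following is an added example of those two steps, not the code of awsauth.debian.net (which the post does not include). It assumes the token's signature has already been verified against the issuer's published keys by a JOSE library, that the issuer URL, client id, role ARNs and the `groups` claim name are placeholders, and that the claims dict is constructed here for illustration.

```python
import time

# Constructed placeholders: the real issuer URL, client id and role ARNs
# used by the Debian setup are assumptions, not values from the post.
EXPECTED_ISSUER = "https://salsa.debian.org"
EXPECTED_AUDIENCE = "awsauth-example-client-id"

# Hypothetical group -> AWS role mapping. Groups that are not listed here
# map to nothing, so the default is "no role" (deny by default).
GROUP_ROLE_MAP = {
    "aws-admins": "arn:aws:iam::000000000000:role/ExampleAdmin",
    "aws-readonly": "arn:aws:iam::000000000000:role/ExampleReadOnly",
}


class TokenError(ValueError):
    """Raised when an ID token's claims do not bind it to this service."""


def validate_claims(claims, now=None):
    """Check the claims that tie the token to the IdP and to this relying party.

    Signature verification against the issuer's JWKS is assumed to have been
    done already by a JOSE library; this function only checks the claims.
    """
    now = time.time() if now is None else now

    # Only tokens minted by the IdP we federate with are acceptable.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("unexpected issuer")

    # 'aud' may be a single string or a list; this service must be in it,
    # otherwise a token issued to some other salsa application would work.
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if EXPECTED_AUDIENCE not in (aud or []):
        raise TokenError("token not issued for this relying party")

    # Reject expired tokens and tokens that claim to be issued in the future.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + 60:
        raise TokenError("token issued in the future")

    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def roles_for(claims, mapping=GROUP_ROLE_MAP):
    """Translate the IdP's group claim into the AWS roles the user may assume.

    Groups without a mapping entry grant nothing; the result is sorted so it
    is stable for logging and comparison.
    """
    groups = claims.get("groups", [])
    return sorted({mapping[g] for g in groups if g in mapping})


def allowed_aws_roles(claims, now=None):
    """Full check: validate the token claims, then derive the role list."""
    return roles_for(validate_claims(claims, now=now))


# Constructed sample claims, as they would look after signature verification
# and JSON decoding of a salsa ID token. Times are fixed so the example is
# reproducible.
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "12345",
    "iat": SAMPLE_NOW - 30,
    "exp": SAMPLE_NOW + 570,
    "groups": ["aws-readonly", "unrelated-team"],
}

if __name__ == "__main__":
    print(allowed_aws_roles(SAMPLE_CLAIMS, now=SAMPLE_NOW))
```

The mapping is the only place where group membership turns into AWS access, so it is the piece worth reviewing and logging; anything the IdP did not assert in the signed token cannot influence the result, which is the property the post relies on.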