Call AWS APIs and Resources Securely with Tokens

This feature uses delegation. By default, delegation is disabled for tenants without an add-on in use as of 8 June 2017. Legacy tenants who currently use an add-on that requires delegation may continue to use this feature. If delegation functionality is changed or removed from service at some point, customers who currently use it will be notified beforehand and given ample time to migrate.

Auth0 integrates with the AWS Security Token Service (STS) to obtain limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). These credentials can then be used to call the AWS API on behalf of users authenticated by any Auth0-supported identity provider.

Sample Configuration

  1. The web app authenticates its users via Social providers, such as Facebook, LinkedIn, or Twitter, or corporate credentials, such as Active Directory, Azure Active Directory, or Salesforce.
  2. The app calls Auth0's delegation endpoint to request a token for use with AWS.
  3. Auth0 obtains the token from AWS on behalf of the app.
  4. The app uses the newly-obtained token to connect with any AWS API.

Set Up Delegation

For detailed instructions on configuring delegation, see How to Set Up AWS for Delegated Authentication.

Log in to Auth0's Management Dashboard, navigate to the Applications area, and find the application associated with your app. Click Settings, then open the Addons tab and enable the Amazon Web Services add-on.

Username Length with AWS

Users of Auth0's database or a custom database should note that AWS usernames must be between 2 and 64 characters in length. If you're using an Auth0 database, you can enforce this by setting your username length settings accordingly. If you're using a custom database, you can implement a similar policy within your application.

IAM policy

The following is a sample AWS IAM policy:

The IAM policy is a dynamic policy that gives access to a folder in a bucket. The folder name is set based on an attribute of the digitally-signed SAML token that Auth0 exchanges with AWS on your behalf.

The ${saml:sub} policy variable is automatically populated from the authenticated user (sub means subject and equals the user identifier), which allows the original identity of the user to be carried through your app and into AWS.
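A policy of the kind described above, added here as an illustration and not the page's own sample policy (EXAMPLE-BUCKET is a placeholder bucket name): each federated user gets object access only under the prefix named after their own subject identifier, and the bucket-level ListBucket permission carries an s3:prefix condition so that a user cannot enumerate other users' folders. It assumes the policy is attached to the IAM role that the SAML provider is allowed to assume.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET",
      "Condition": {
        "StringLike": { "s3:prefix": ["${saml:sub}/*"] }
      }
    },
    {
      "Sid": "ReadWriteOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/${saml:sub}/*"
    }
  ]
}
```

Without the s3:prefix condition on the first statement, ListBucket would expose every user's folder names even though object reads stay scoped to the caller's own prefix.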


Get the AWS Token for an Authenticated User

When a user successfully authenticates, Auth0 returns an ID Token, which is a JWT. This ID Token is then used to request an AWS token from Auth0's delegation endpoint.

Here is a sample request on the delegation endpoint:

Parameter    Description
client_id    The ID of your Auth0 application
grant_type   Set as urn:ietf:params:oauth:grant-type:jwt-bearer
id_token     The existing ID Token for the user requesting access
target       The target application's ID
api_type     The API the user wants to call (this must be aws)

AWS also requires the role and principal ARN values. You can set these values using rules. The following is a sample rule that you can use. Copy the provider ARN (for use as the principal ARN) and role ARN values, and paste them into the sample where it currently says [omitted]:

Optionally, you can target a specific AWS region. For example, region: 'cn-north-1' will direct requests to the China North region. Temporary credentials from AWS GovCloud (US) and China (Beijing) can be used only in the region from which they originated.

The variable allows you to specify parameters that are sent to AWS to assume a Role. By default, Auth0 will use these mappings:

Other mappings are available in AWS, so if you want to use the eduPersonAffiliation AWS context key, you can set that mapping in a rule as follows:

The example above assumes the user object contains an awsGroup property with the expected value.

The result of calling the delegation endpoint will contain the AWS token in the Credentials field:

Auth0 Libraries

The Auth0 application libraries simplify the process of calling these endpoints. See an example for client-side JavaScript at Delegation Token Request. Please note that this example is for version 7 of the auth0js library; delegation is not supported in version 8 of auth0js.

AWS also requires two additional parameters: role and principal. To set the role and principal strings, use a rule that specifies the appropriate ARN values where the sample currently says [omitted]. If you do not have these values, see the Copy the ARN Values section of the AWS setup doc.

Here is an example of client-side code used to obtain the token: