|
| 1 | +Connect to S3 authenticating with Microsoft Entra ID |
| 2 | +==== |
| 3 | + |
| 4 | +> Use Microsoft Entra ID to authenticate with S3 by configuring as an OpenID Connect (OIDC) Identity Provider in AWS IAM. |
| 5 | +
|
| 6 | + |
| 7 | +:::{tip} |
| 8 | +Refer to [Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIdentity STS API](../protocols/profiles/aws_oidc.md) for custom configuration of connection profiles using OIDC web identity federation to connect to AWS S3. |
| 9 | +::: |
| 10 | + |
| 11 | +## Configuration in Microsoft Entra ID |
| 12 | + |
| 13 | +Create an application in the [Microsoft Entra ID portal](https://portal.microsoftonline.com/applications) and configure it as an OIDC Identity Provider. |
| 14 | + |
| 15 | +1. Navigate to _Identity → Applications → App registrations_ in the [Microsoft Entra ID portal](https://portal.microsoftonline.com/applications) and choose _New registration_. |
| 16 | +2. In _Authentication_, add a redirect URI with the value `x-cyberduck-action://oauth` to allow authentication with Cyberduck. |
| 17 | +3. In _Authentication_, add a redirect URI with the value `x-mountainduck-action://oauth` to allow authentication with Mountain Duck. |
| 18 | +4. Copy the OAuth Client ID from _Overview → Essentials → Application (client) ID_. |
| 19 | + |
| 20 | + |
| 21 | +## Configuration in AWS IAM |
| 22 | + |
| 23 | +### Create an OIDC identity provider |
| 24 | +1. In AWS [IAM console](https://console.aws.amazon.com/iam/) add a new identity provider in _Identity providers_. |
| 25 | +2. Configure the provider as type _OpenID Connect_ with the provider URL set to `https://login.microsoftonline.com/<TENANT-ID>/v2.0`. Replace <TENANT-ID> with your Microsoft Entra ID tenant ID. Copy the ARN for the next [step](#create-a-role). |
| 26 | + |
| 27 | +### Create a role |
| 28 | + |
| 29 | +Assign a role to the identity provider created in the previous step with permissions to access S3. |
| 30 | + |
| 31 | +1. In AWS [IAM console](https://console.aws.amazon.com/iam/) add a new role. |
| 32 | +2. Choose _Amazon S3_ as the service to use. |
| 33 | +3. Choose _Assign role_ followed by _Create a new role_ with a _Web identity_ trusted entity type. It should have _Identity provider_ and _Audience_ options prefilled with the ARN of the identity provider and Client ID from Microsoft Entra. |
| 34 | +4. The resulting trust policy will look similar to the following: |
| 35 | + |
| 36 | + ```json |
| 37 | + { |
| 38 | + "Version": "2012-10-17", |
| 39 | + "Statement": [ |
| 40 | + { |
| 41 | + "Effect": "Allow", |
| 42 | + "Principal": { |
| 43 | + "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/login.microsoftonline.com/<TENANT-ID>/v2.0" |
| 44 | + }, |
| 45 | + "Action": "sts:AssumeRoleWithWebIdentity", |
| 46 | + "Condition": { |
| 47 | + "StringEquals": { |
| 48 | + "login.microsoftonline.com/<TENANT-ID>/v2.0:aud": "<Application (client) ID>" |
| 49 | + } |
| 50 | + } |
| 51 | + } |
| 52 | + ] |
| 53 | + } |
| 54 | + ``` |
| 55 | + |
| 56 | + :::{tip} |
| 57 | + The `<ACCOUNT_ID>` is replaced with your AWS account ID and `<Application (client) ID>` with the OAuth Client ID of the application you created in the previous [step](#configuration-in-microsoft-entra-id). For `Federated`, the ARN of the identity provider you created in the previous step is set. For the condition `aud` use the application client ID of the application you created in the previous step. |
| 58 | + ::: |
| 59 | + |
| 60 | +5. In the next step attach a permission policy to the role such as the managed policy `AmazonS3FullAccess`. |
| 61 | +6. Copy the Role ARN from the _Summary_ tab. |
| 62 | + |
| 63 | + |
| 64 | +### Create a bookmark in Cyberduck or Mountain Duck |
| 65 | + |
| 66 | +1. Add a new [Bookmark](../cyberduck/bookmarks.md) in Cyberduck or Mountain Duck. |
| 67 | +2. Choose *AWS S3+STS & Microsoft Entra ID* profile in the protocol dropdown. If the [connection profile](../protocols/profiles/index.md) is not available, enable it by choosing _More Options…_. |
| 68 | +3. Enter the Application (client) ID from the application registration in Microsoft Entra for _OAuth Client ID_ when prompted. It will be saved in the bookmark as a [custom property](hidden_properties.md#in-duck-bookmark-files). |
| 69 | + |
| 70 | + :::{image} _images/S3_Client_Id_Prompt.png |
| 71 | + :alt: OAuth Client ID Prompt |
| 72 | + :width: 400px |
| 73 | + ::: |
| 74 | + |
| 75 | + :::{tip} |
| 76 | + The _OAuth Client ID_ is the same as the _Application (client) ID_ from the application registration in Microsoft Entra. |
| 77 | + ::: |
| 78 | + |
| 79 | + :::{note} |
| 80 | + Alternatively set `OAuth Client ID` in a [custom connection profile](../protocols/profiles/aws_oidc.md). |
| 81 | + ::: |
| 82 | + |
| 83 | +1. Enter the Role ARN from the previous step when prompted. It will be saved in the bookmark as a [custom property](hidden_properties.md#in-duck-bookmark-files). |
| 84 | + |
| 85 | + :::{image} _images/S3_Role_ARN_Prompt.png |
| 86 | + :alt: MFA Prompt |
| 87 | + :width: 400px |
| 88 | + ::: |
| 89 | + |
| 90 | + :::{note} |
| 91 | + Alternatively set `role_arn` as a custom property in a [custom connection profile](../protocols/profiles/aws_oidc.md). |
| 92 | + ::: |
| 93 | + |
| 94 | +## Possible Errors |
| 95 | + |
| 96 | +### `Not authorized to perform sts:AssumeRoleWithWebIdentity` |
| 97 | +Validate the _Trusted entities_ in _Trust relationships_ in the IAM console. |
| 98 | + |
| 99 | +### `Request ARN is invalid` |
| 100 | +The role ARN entered is not valid. |
| 101 | + |
| 102 | +### `The security token included in the request is invalid` |
| 103 | +Invalid client token ID. Check the OAuth Client ID in the connection profile. |
| 104 | + |
| 105 | +## References |
| 106 | +- [OIDC federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html) |
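Review bot: the trust policy in the "Create a role" section conditions only on the `aud` claim, so every account in the tenant that can sign in to the registered application is able to assume the role; consider documenting a second `StringEquals` condition on the `:sub` claim (or a group or app-role claim) next to `aud`, and stating at step 5 of that section that `AmazonS3FullAccess` is only an example to be replaced by a bucket-scoped policy. Smaller fixes in the same hunk: the last step of "Create a bookmark in Cyberduck or Mountain Duck" is numbered `1.` where `4.` is meant, the `:alt:` text of `S3_Role_ARN_Prompt.png` reads `MFA Prompt` instead of describing the Role ARN prompt, the tip under the trust policy states the `aud` requirement twice and can be shortened to one sentence, and the placeholders mix `<ACCOUNT_ID>` with `<TENANT-ID>` (pick one separator style).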