Identity Providers

Overview of Identity Providers and how to attack.

OpenID Connect (OIDC)

  • OIDC is a secure way to connect 3rd party services like GitLab to AWS but if the Trust Policy is left in a default or otherwise insecure state, it's possible to exploit this and gain access to resources.

aws iam get-role --role-name gitlab | jq -r '.Role.AssumeRolePolicyDocument'

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/"
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "": ""
  • With this set up, any GitLab account can authenticate to AWS provided the AWS Account ID and IAM Role name is known.

  • This can be resolved by including additional conditions in the IAM Trust Policy.

  • I wrote a more detailed blog post on this below

Last updated