Integrate with Amazon Web Services
Support level: authentik
What is AWS
Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster.
-- https://www.aboutamazon.com/what-we-do/amazon-web-services
Preparation
The following placeholders are used in this guide:
- authentik.company is the FQDN of the authentik installation.
- 123412341234 is your AWS account ID.
- aws-slug is the slug of the authentik application.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
The integration can be set up in either of two ways, with SCIM provisioning optionally added on top of either; each is covered in its own section below:
- Classic IAM
- IAM Identity Center
- SCIM Provisioning (Optional)
Classic IAM
Prerequisites
- An AWS account with permissions to create IAM roles and identity providers
- An authentik instance with admin access
authentik configuration
To support the integration of AWS with authentik using the classic IAM method, you need to create an application/provider pair and property mappings in authentik.
Create property mappings
- Log in to authentik as an admin, and open the authentik Admin interface.
- Navigate to Customization > Property Mappings and click Create. Create two SAML Provider Property Mappings with the following settings:
  - Role Mapping:
    - Name: Choose a descriptive name
    - SAML Attribute Name: https://aws.amazon.com/SAML/Attributes/Role
    - Friendly Name: Leave blank
    - Expression: Choose one of these options. Each value is a pair of the IAM role ARN and the IAM SAML provider ARN separated by a comma; both ARNs must match the objects you create in AWS, since this attribute alone decides which role the user may assume.

      For a static role:

      ```python
      return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik"
      ```

      For role assignment based on group membership (the role name is read from the aws_role attribute of the user's groups; if several groups set it, only one value survives the merge, and if none sets it the value is a malformed ARN that AWS rejects at sign-in):

      ```python
      role_name = user.group_attributes().get("aws_role", "")
      return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik"
      ```

      For multiple role choices (AWS shows a role chooser at sign-in):

      ```python
      return [
          "arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik",
          "arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik",
          "arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik",
      ]
      ```
  - Session Name Mapping:
    - Name: Choose a descriptive name
    - SAML Attribute Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
    - Friendly Name: Leave blank
    - Expression:

      ```python
      return user.username
      ```

      This value becomes the session name AWS records in CloudTrail for the assumed role, so it should identify the person. AWS accepts only 2 to 64 characters from the set [\w+=,.@-]; a username containing a space or other characters fails at sign-in, in which case map a different attribute such as the e-mail address.
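The following is an added example, not authentik's own code, that generalises the two expressions above: every authentik group whose name starts with an assumed prefix (here "aws-") maps to an IAM role of the same name in the placeholder account, so a user in several such groups gets the list form and AWS presents the role chooser. It also validates what it emits, because a malformed Role pair or session name is rejected by AWS at sign-in with little diagnostic detail. The account ID, provider name and group prefix are assumptions; the group_names argument stands in for the names from user.ak_groups.all().

```python
"""Derive the AWS SAML Role and RoleSessionName values from group membership.

Added example, not part of authentik. ACCOUNT_ID, PROVIDER_NAME and
GROUP_PREFIX are assumptions for this example.
"""
import re

ACCOUNT_ID = "123412341234"   # placeholder account ID used throughout the guide
PROVIDER_NAME = "authentik"   # must equal the IAM SAML provider name created in AWS
GROUP_PREFIX = "aws-"         # assumption: groups are named like "aws-readonly"

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# AWS constraints: IAM role names allow [\w+=,.@-] up to 64 characters and
# RoleSessionName the same characters with length 2..64. re.ASCII keeps \w
# ASCII-only, as AWS interprets it; Unicode letters would fail at sign-in.
ROLE_NAME_RE = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)


def role_pairs_for_groups(group_names, account_id=ACCOUNT_ID,
                          provider=PROVIDER_NAME, prefix=GROUP_PREFIX):
    """Return one 'role ARN,provider ARN' pair per matching group, sorted by name."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    pairs = []
    for name in sorted(set(group_names)):
        if not name.startswith(prefix):
            continue                      # unrelated group, ignore
        role = name[len(prefix):]
        if not ROLE_NAME_RE.fullmatch(role):
            raise ValueError(f"group {name!r} does not map to a valid IAM role name")
        pairs.append(
            f"arn:aws:iam::{account_id}:role/{role},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider}"
        )
    return pairs


def session_name_for(username):
    """Validate the value AWS records in CloudTrail as the assumed-role session name."""
    if not SESSION_NAME_RE.fullmatch(username):
        raise ValueError(
            f"username {username!r} is not a valid RoleSessionName; "
            "map another attribute such as user.email instead"
        )
    return username


def aws_saml_attributes(username, group_names):
    """Both attribute values as AWS expects them. Fails loudly when the user
    is in no AWS group, instead of emitting an empty or malformed Role value."""
    pairs = role_pairs_for_groups(group_names)
    if not pairs:
        raise ValueError(f"user {username!r} is in no {GROUP_PREFIX}* group")
    return {
        ROLE_ATTR: pairs if len(pairs) > 1 else pairs[0],
        SESSION_ATTR: session_name_for(username),
    }


if __name__ == "__main__":
    # Constructed sample user: two AWS groups plus an unrelated one.
    print(aws_saml_attributes("jdoe", ["aws-readonly", "aws-admin", "developers"]))
```

To use this in authentik, paste the constants and the two helper functions into the Role mapping expression and end it with `return role_pairs_for_groups(g.name for g in user.ak_groups.all())`; the Session Name mapping becomes `return session_name_for(user.username)`. Raising rather than returning a bad value makes the failure show up on the authentik side, where it can be diagnosed, instead of as a generic AWS sign-in error.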
Create an application and provider in authentik
- Log in to authentik as an admin, and open the authentik Admin interface.
- Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- Application: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The slug will be used in URLs and should match the aws-slug placeholder defined earlier.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), and configure the following required settings:
- Set the ACS URL to https://signin.aws.amazon.com/saml
- Set the Audience to urn:amazon:webservices
- Under Advanced protocol settings, add both property mappings you created in the previous section and select a Signing Certificate. AWS verifies the signature on the assertion; authentik's default self-signed certificate works, and it must be the certificate contained in the metadata you later upload to AWS.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
- Click Submit to save the new application and provider.
- Download the Metadata file from the provider's page.
AWS configuration
- Log in to the AWS Management Console as an administrator.
- Navigate to IAM > Identity providers and click Add provider. Select SAML as the provider type, name the provider authentik (the name is the last segment of the saml-provider ARN used in the Role mapping), and upload the metadata file downloaded from authentik.
- Create an IAM role with the desired permissions: choose SAML 2.0 federation as the trusted entity type, select the identity provider you just created, and attach the policies the role should grant. Note the role ARN. The trust policy AWS generates allows sts:AssumeRoleWithSAML only for that provider and only when the SAML:aud key (the endpoint the assertion is presented to) equals https://signin.aws.amazon.com/saml, which is why the ACS URL on the authentik provider must be exactly that value.
- Check that the role ARN and provider ARN in the Role property mapping match the ARNs shown in AWS character for character; AWS rejects the sign-in if either part of the pair differs.
- Test the integration from the authentik My applications page: the AWS tile starts an IdP-initiated login, and AWS shows a role chooser when the Role attribute carries more than one pair.
IAM Identity Center
Prerequisites
- An AWS account with IAM Identity Center enabled
- An authentik instance with admin access
- A certificate for signing SAML assertions (you can use authentik's default or provide your own)
authentik configuration
To support the integration of AWS with authentik using IAM Identity Center, you need to create an application/provider pair in authentik.
Create an application and provider in authentik
- Log in to authentik as an admin, and open the authentik Admin interface.
- Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- Application: provide a descriptive name (e.g. "AWS Identity Center"), an optional group for the type of application, the policy engine mode, and optional UI settings. The slug will be used in URLs and should match the aws-slug placeholder defined earlier.
- Choose a Provider type: select SAML Provider from metadata as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the Service Provider metadata file from AWS (downloaded in the AWS configuration steps below); the ACS URL is taken from it
- Copy the IAM Identity Center Issuer URL (shown next to the metadata download in AWS) to the Audience field
- Under Advanced Protocol Settings, set your Signing Certificate
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.
- Click Submit to save the new application and provider.
- Under Related Objects, download both:
- The Metadata file
- The Signing Certificate
AWS configuration
- Navigate to IAM Identity Center -> Settings -> Identity Source
- Click Actions -> Change identity source
- Select External Identity Provider
- Download the Service Provider metadata file
- Upload authentik's metadata file and signing certificate
- Under Actions -> Manage Authentication, note the AWS access portal sign-in URL
- Set the Launch URL of your authentik application to the AWS access portal sign-in URL, so that the application tile starts the login at the AWS portal.
SCIM Provisioning (Optional)
Prerequisites
- Completed either Classic IAM or IAM Identity Center setup
- AWS Identity Center enabled with admin access
- authentik instance with admin access
authentik configuration
To support the integration of AWS with authentik using SCIM, you need to create a SCIM provider and custom mapping in authentik.
Create property mappings
- Log in to authentik as an admin, and open the authentik Admin interface.
- Navigate to Customization > Property Mappings and click Create. Create a SCIM Mapping with the following settings:
  - Name: Choose a name lexically lower than authentik default (e.g. AWS SCIM User mapping)
  - Expression:

    ```python
    # This expression strips the default mapping of its 'photos' attribute,
    # which AWS IAM Identity Center rejects.
    return {
        "photos": None,
    }
    ```
Create a SCIM provider in authentik
- Log in to authentik as an admin, and open the authentik Admin interface.
- Navigate to Providers > Providers and click Create.
- Select SCIM Provider as the provider type.
- Configure the provider with the following settings:
- Set a descriptive name
- Set URL to the AWS SCIM Endpoint
- Set Token to the AWS Access Token. Treat it as a credential: anyone holding it can create, modify and delete users and groups in your identity store through the SCIM endpoint, and AWS issues it with a one-year expiry, so plan to rotate it in the provider before it lapses
- Configure user filtering as needed
- Under User Property Mappings, add:
- The default mapping
- Your custom mapping
- Add the SCIM provider to your AWS application's Backchannel providers
AWS configuration
- In AWS Identity Center Settings, locate the Automatic Provisioning information box
- Click Enable
- Note the provided SCIM Endpoint and Access Token
The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the provider page.