
Using an external identity provider to authenticate on the Astran API

note

In this tutorial we use a preconfigured Keycloak identity provider that Astran provides to its customers for testing purposes, for your convenience and without any SLA. If you require an IdP with an SLA, please contact the Customer Team in charge of your success. You are free to use your own identity provider: as long as it is compatible with the OpenID Connect protocol, it should work.

The URL of this identity provider is https://idp.astran.io/auth/realms/PARTITION-demo, where PARTITION must be replaced with the name of your partition.

Obtain the thumbprint for an OIDC provider

Follow these instructions to retrieve the thumbprint for your OIDC provider.
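As an added example (not part of the Astran documentation), the script below performs that retrieval the way an AWS-style IAM API expects it: it reads the provider's OpenID discovery document, takes the host of its jwks_uri, fetches that host's TLS chain with openssl, and hashes the last certificate of the chain with SHA-1. The issuer URL passed on the command line is an assumption, and is_valid_thumbprint guards the value before you hand it to --thumbprint-list.

```python
import base64
import hashlib
import json
import re
import subprocess
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

# Matches each PEM certificate block, e.g. in `openssl s_client -showcerts` output.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def jwks_host(discovery_json: str) -> str:
    """Host serving the provider's JWKS; that is the TLS endpoint to fingerprint."""
    host = urlparse(json.loads(discovery_json)["jwks_uri"]).hostname
    if not host:
        raise ValueError("jwks_uri has no host")
    return host

def pem_chain_to_der(pem_text: str) -> list:
    """Decode every certificate in a PEM bundle, in the order the server sent them."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER encoding as lowercase hex without colons, the form IAM expects."""
    return hashlib.sha1(der).hexdigest()

def chain_thumbprint(pem_text: str) -> str:
    """Thumbprint of the last certificate in the chain: the top CA the server presented."""
    certs = pem_chain_to_der(pem_text)
    if not certs:
        raise ValueError("no certificates found in chain")
    return thumbprint(certs[-1])

def is_valid_thumbprint(value: str) -> bool:
    """Check before passing --thumbprint-list: exactly 40 lowercase hex digits."""
    return re.fullmatch(r"[0-9a-f]{40}", value) is not None

def run_online(issuer_url: str) -> str:
    """Fetch discovery document and TLS chain of a live issuer (needs network and openssl)."""
    with urlopen(issuer_url.rstrip("/") + "/.well-known/openid-configuration") as resp:
        host = jwks_host(resp.read().decode())
    cmd = ["openssl", "s_client", "-servername", host, "-showcerts", "-connect", f"{host}:443"]
    chain = subprocess.run(cmd, input=b"", capture_output=True, check=True).stdout
    return chain_thumbprint(chain.decode(errors="replace"))

if __name__ == "__main__":
    # Usage: python thumbprint.py https://idp.astran.io/auth/realms/PARTITION-demo
    print(run_online(sys.argv[1]))
```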

Create a new OIDC provider

To create a new OIDC provider you need an OIDC client. On the preconfigured Keycloak we have already created a client named astran that you can use. If you are using your own identity provider, create a new OIDC client with Direct access grants enabled. In OAuth2 terms this is the Resource Owner Password Credentials Grant, which lets you exchange a username/password pair for an access token.

You can now use the following command to create a new OIDC provider:

# Replace with the thumbprint you retrieved in the previous section
THUMBPRINT="722bc0a96d3864832b311efb9c486ced1e714517"
# Replace with the client id that you created if you use your own identity provider
CLIENT_ID="astran"
# Replace with the URL of your identity provider (here the preconfigured realm for the partition "demo")
URL="https://idp.astran.io/auth/realms/demo-demo"
# Register the provider; the variables are quoted so the values are passed verbatim
aws --profile astran iam create-open-id-connect-provider \
  --url "$URL" \
  --thumbprint-list "$THUMBPRINT" \
  --client-id-list "$CLIENT_ID"

You should get the following output:

{
    "OpenIDConnectProviderArn": "arn:demo:iam::ce04d61d-afac-504f-a96b-ebbbced80013:oidc-provider/idp.astran.io/auth/realms/demo-demo"
}

Save that ARN; you will need it when you create a new role in the next part of the tutorial.

Congratulations, you have just added a new identity provider to Astran! In the next part we show you how to create a new role that can be used to retrieve credentials with this new identity provider.