Native Keyless Authentication from AWS to Azure with Web-Identity

TLDR: AWS STS Web-Identity-Token function allows secure, low maintenance authentication via OIDC for all none AWS Services at no additional cost. Perfect for Azure, OnPrem system or CI.

Late 2025 I wrote about Reduce your Token-Usage for all non AWS-Apps which looked at the new AWS capability to authenticate from AWS to OnPrem resources. But what about MultiCloud? Your DNS-Zone that is hosted on Azure or the “offside” backups.
No more expired credentials, no need for rotation and reduced risk of leakage.

The Auth flow

We want to use an AWS IAM Role (EC2, Lambda, etc) to authenticate to Azure to list our object storage: AWS->Azure
But we could also start from GitLab CI, GitHub Actions or OnPrem, assume an AWS IAM Role via OIDC IDToken and move from there: OnPrem->AWS->Azure

If we wanted we cloud probably go to Google and from there back to AWS

All without a single ApiToken!

Setup

On AWS we need to ensure web identity is enabled

1# Get your issuer config
2aws iam get-outbound-web-identity-federation-info --output json
3# if not enabled, you can enable it with
4aws iam enable-outbound-web-identity-federation --output json

If not already enabled, it creates a aws managed private key-pair (RSA and ECDSA) and publishes the IdP-Config under a globally accessible and unique endpoint. The command then gives you an URL in the format https://xxx.tokens.sts.global.api.aws.
When you access https://xxx.tokens.sts.global.api.aws/.well-known/openid-configuration you can see all supported claims, supported signature algorithms and the path to your JWKs config, which contains all information to validate your JWTs with it’s associated public key.

Now we need an IAM Role with these permission. If you don’t have them crate a policy and attach to your role.

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Effect": "Allow",
 6      "Action": [
 7        "sts:TagGetWebIdentityToken",
 8        "sts:GetWebIdentityToken",
 9        "sts:SetContext"
10      ],
11      "Resource": "*"
12    }
13  ]
14}

Note: You can also add Condition to the permissions to ensure a low TTL, the algorithm or tag validation. You also need at least the AWS-CLI version ≥2.32.5

Now every IAM-Role with these permissions can crate a JWT:

1aws sts get-web-identity-token --audience api://AzureADTokenExchange
2# You can also add up to 50 tags which will make extra information available in the JWT
3aws sts get-web-identity-token --audience api://AzureADTokenExchange --tags Key=account,Value=123456

The decoded JWT will look like this:

 1{
 2  "aud": "api://AzureADTokenExchange",
 3  "sub": "<MY_IAM_ROLE_ARN>",
 4  "https://sts.amazonaws.com/": {
 5    "org_id": "o-xxx",
 6    "aws_account": "123456",
 7    "ou_path": ["xxx"],
 8    "request_tags": {
 9      "account": "123456"
10    },
11    "original_session_exp": "2025-12-07T22:17:32Z",
12    "source_region": "eu-central-1",
13    "principal_id": "<MY_IAM_ROLE_ARN>",
14    "identity_store_user_id": "xxx"
15  },
16  "iss": "https://xxx.tokens.sts.global.api.aws",
17  "exp": 1765140780,
18  "iat": 1765140480,
19  "jti": "xxx"
20}

Now we will need the Azure side. Since the Azure UI is a mess we will use Terraform/OpenTofu:

 1data "azurerm_client_config" "current" {}
 2data "azurerm_resource_group" "demo" {
 3  name = "DevPlayground"
 4}
 5
 6# Create the EntraID App (OAuth App)
 7resource "azuread_application" "demo" {
 8  display_name            = "EntraID App Demo"
 9  owners                  = [data.azuread_client_config.current.object_id]
10  sign_in_audience        = "AzureADMyOrg"
11  group_membership_claims = ["All"]
12
13  api {
14    requested_access_token_version = 2
15  }
16
17  app_role {
18    allowed_member_types = ["Application"]
19    description          = "Demo"
20    display_name         = "Demo"
21    enabled              = true
22    id                   = "0429cbc4-e650-4306-a277-88c98179e698"
23    value                = "Demo"
24  }
25}
26
27# Ensure a service principal exists for that role
28resource "azuread_service_principal" "demo" {
29  client_id    = azuread_application.demo.client_id
30  use_existing = true
31}
32
33# Assign reader to your service principle for your resource group
34resource "azurerm_role_assignment" "demo" {
35  scope                = data.azurerm_resource_group.demo.id
36  role_definition_name = "Reader"
37  principal_id         = azuread_service_principal.demo.object_id
38}
39
40# Trust relationship between aws and azure
41resource "azuread_application_federated_identity_credential" "aws_static_demo" {
42  application_id = azuread_application.demo.id
43  display_name   = "aws-sts-webid-static"
44  description    = "WebIdentity from aws"
45  audiences      = ["api://AzureADTokenExchange"]
46  issuer         = "https://xxx.tokens.sts.global.api.aws"
47  subject        = "arn:aws:iam::xxx:role/aws-reserved/sso.amazonaws.com/eu-central-1/MY-Role"
48}
49
50output "clientID" {
51  value = azuread_application.demo.client_id
52}
53
54output "tenantID" {
55  value = data.azurerm_client_config.current.tenant_id
56}
57
58# Advanced claim validation - currently in preview and buggy
59# resource "azuread_application_flexible_federated_identity_credential" "aws_flex_demo" {
60#   application_id             = azuread_application.demo.id
61#   display_name               = "aws-sts-webid-flex"
62#   description                = "WebIdentity from aws"
63#   audience                   = "api://AzureADTokenExchange"
64#   issuer                     = "https://xxx.tokens.sts.global.api.aws"
65#   claims_matching_expression = "claims['sub'] eq 'arn:aws:iam::xxx:role/MY-Role'"
66# }

Token Exchange

We now can test the trust relationship first with curl, then with the az cli:

 1# Get AWS Token
 2export MY_AWS_WEB_ID_TOKEN=$(aws sts get-web-identity-token \
 3--audience api://AzureADTokenExchange \
 4--signing-algorithm RS256 \
 5--duration-seconds 300 | jq -r .WebIdentityToken)
 6
 7# Results in a new access token that is valid for azure
 8curl -L "https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/v2.0/token" \
 9--header "Content-Type: application/x-www-form-urlencoded" \
10--data-urlencode "client_id=<YOUR_CLIENT_ID>" \
11--data-urlencode "scope=https://graph.microsoft.com/.default" \
12--data-urlencode "grant_type=client_credentials" \
13--data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
14--data-urlencode "client_assertion=${MY_AWS_WEB_ID_TOKEN}"
15
16# Or sign in to az directly
17az login --service-principal \
18--username <YOUR_CLIENT_ID> \
19--tenant <YOUR_TENANT_ID> \
20--federated-token ${MY_AWS_WEB_ID_TOKEN}
21
22# Your current id
23az account show

Looking Beyond AWS and Azure

This should already work with SDKs that support auth via service principles. And all this is not tailered to AWS. You can use your own IDP like Keycloak or Kanidm. You do not even need an server or an backend for OIDC. The used singed JWTs are based of asymmetric encryption. All you need is a static website that hosts two files. One with .well-known/openid-configuration and a second one that is referenced in the first pointing to your JSON-Web-Key (jwks), the public keys to verify the JWT.

I host my serverless IDP for local automation at sts.hegerdes.com, that is backed by an Cloudflace R2 Bucket. In the bucket is only .well-known/openid-configuration doc and my public keys. Only I have the private keys on my machine. I create an JWT, sign it and use it to assume an AWS IAM role or an Azure SP. No interactive auth needed.
Simple short lived auth without managing tokens by hand!