AWS STS Validates Claims from Google, GitHub, CircleCI, OCI

/ Tutorial

Introduction

The ever-evolving landscape of cloud security has recently seen significant advancements with AWS Security Token Service (STS). On February 2, 2026, AWS announced that AWS STS now supports validation of select identity provider specific claims from Google, GitHub, CircleCI and Oracle Cloud Infrastructure (OCI). This notable update enhances the capability of IAM role trust policies and resource control policies, enabling fine-grained access control for users leveraging federated identities. In this comprehensive guide, we will dive deep into the implications of this new feature, how to leverage it effectively, and actionable steps to integrate it into your AWS environment.

Understanding Cross-Provider Identity Management

What is AWS STS?

AWS STS is a web service that allows you to request temporary, limited-privilege credentials for your AWS account or IAM users. It is essential for managing access to AWS resources through federated authentication, particularly with external identity providers.

Benefits of OIDC Federation

OpenID Connect (OIDC) federation expands the possibilities of identity management by allowing you to grant AWS access based on authentication that occurs outside of AWS. This is particularly advantageous for organizations that use multiple identity providers (IdPs), such as Google, GitHub, CircleCI, and OCI. By federating identities, you can centralize user management while maintaining security and compliance.

Enhanced Security and Compliance

The integration of identity provider specific claims into the IAM role trust policies enables organizations to enforce stricter access control policies based on user attributes. This means that the right users have the right access levels at the right time, which is crucial for maintaining compliance with standards such as GDPR and HIPAA.

New Features of AWS STS: Claim Validation

Overview of Claim Validation

With the recent update, AWS STS enables validation of specific claims related to popular identity providers—Google, GitHub, CircleCI, and OCI. These claims can specifically include user attributes such as roles, group memberships, and email addresses, and can now be referenced as condition keys in IAM policies.

Immediate Advantages

  1. Enhanced Flexibility: Custom claims provide flexibility in defining who can do what within your AWS environment.
  2. Fine-Grained Access: By utilizing claims, you can achieve granular control over your AWS resources.
  3. Streamlined Management: Consolidated access management simplifies the audit and compliance processes.

Use Cases

  • DevOps Teams: Teams can use GitHub claims to control access to AWS resources necessary for CI/CD pipelines.
  • Cross-Organizational Collaborations: Easily manage and enforce permissions for external partners using CircleCI.
  • Cloud-Native Applications: OCI users can connect seamlessly and implement strict access controls within the AWS environment.

Getting Started with Claim Validation in AWS STS

Prerequisites for Implementation

Before you can utilize the claim validation in AWS STS, you must prepare the following:

  • An AWS IAM Role with permissive policies.
  • An identity provider setup (Google, GitHub, CircleCI, or OCI) configured in AWS IAM.
  • Understanding of JSON Web Tokens (JWT), as claims are part of these tokens.

Step-by-Step Guide to Configuration

  1. Define Your Identity Providers:
  2. Access the IAM console in your AWS account and navigate to “Identity Providers”.

  3. Create a new OIDC identity provider for each of the selected IdPs (Google, GitHub, CircleCI, OCI).

  4. Create a Trust Policy:

  5. Define which claims you want to validate by modifying the trust relationship policy of the IAM role.
  6. For instance, if you want to validate a claim that indicates user roles, your policy might look like this:

json
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {
“Federated”: “arn:aws:iam::123456789012:oidc-provider/your-idp”
},
“Action”: “sts:AssumeRoleWithWebIdentity”,
“Condition”: {
“StringEquals”: {
“your-idp:claim_key”: “expected_value”
}
}
}
]
}

  1. Testing the Setup:
  2. Use the AssumeRoleWithWebIdentity API call to test the implementation. Ensure your credentials reflect the claims specified in your trust policy.

bash
aws sts assume-role-with-web-identity –role-arn arn:aws:iam::123456789012:role/your-role –role-session-name session-name –web-identity-token your-token

  1. Logging and Monitoring:
  2. Set up CloudTrail to log all API calls. This will help in auditing and tracking access management changes within the AWS environment.

Advanced Configuration Options

Custom Claims and Policy Conditions

One of the most powerful features of this update is the ability to use custom claims as policy conditions. You can match specific user attributes or permissions directly in your IAM policies.

Examples of Claim Use

  • Role-Based Access Control: Use claims to determine if a user belongs to a specific role before granting them access to sensitive resources.
  • Time-Based Access: Create time-sensitive access based on claims that specify when a user should have access (e.g., during work hours).

Security Best Practices

  • Least Privilege Principle: Always ensure minimal permissions are granted when creating IAM roles and policies.
  • Regular Policy Reviews: Implement regular audits of IAM policies, roles, and access patterns to ensure compliance and security.
  • Use MFA: When managing sensitive resources, ensure that multi-factor authentication (MFA) is enabled for extra security.

Conclusion

AWS STS’s support for validating identity provider specific claims from Google, GitHub, CircleCI, and OCI represents a significant leap in fine-grained access management for organizations. This enhancement empowers security teams to implement precise access controls, ensuring that the right users can access the right resources securely and efficiently.

By adopting the practices outlined in this guide, organizations will not only streamline their AWS environments but also enhance their security posture in a landscape increasingly defined by complex identity integrations.

Key Takeaways

  • AWS STS now supports claims validation from select identity providers, enabling detailed access control.
  • Properly configuring IAM roles and trust policies is essential for leveraging claim-based authentication.
  • Implementing security best practices is crucial for maintaining a secure environment in your AWS infrastructure.

As we continue to embrace more widespread usage of cloud technologies, expect these capabilities to evolve, allowing organizations to maintain compliance and security while harnessing the power of federated identity management.

For more insights into AWS services and best practices, continue transforming your cloud capabilities with AWS STS’s new features. AWS STS now supports validation of select identity provider specific claims from Google, GitHub, CircleCI and OCI.

Learn more

More on Stackpioneers

Other Tutorials