CloudBeaver Documentation

DOWNLOAD pdf

AWS OpenID Authentication

Note: This feature is available in Enterprise, AWS, Team editions only.

Overview

AWS-OpenID Authentication uses AWS credentials to authenticate users in applications, leveraging OpenID Connect with AWS IAM. It enables secure, efficient user access control, minimizing separate account management. For comprehensive setup information of AWS OpenID itself, refer to the official AWS OpenID documentation.

Configuration steps

Step 1: Enabling AWS OpenID Authentication

  1. As an administrator, go to Settings -> Server Configuration.

  2. Find the Cloud (AWS) option (in the Configuration section) and AWS OpenID (in the Authentication Settings section). Activate this setting to enable AWS authentication.

Note: In CloudBeaver AWS Edition, the Cloud (AWS) option is enabled by default.

  1. Save the changes.

For instructions on configuring AWS Regions, see AWS Settings.

Step 2: Adding an Identity Provider

  1. As an administrator, navigate to Settings -> Identity Providers.

  2. Click on the + Add button.

  3. Fill in the following fields:

    Field Description
    Provider Select AWS OpenID from the dropdown menu.
    ID Enter a unique identifier for the configuration.
    Configuration name Enter a descriptive name for this configuration.
    Description Provide a brief description of this identity provider configuration.
    Icon URL Enter the URL of an icon to represent this provider.
    Disabled Leave unchecked to enable this identity provider.
    Client ID The client identifier provided by the OpenID Connect provider.
    Client Secret A secret key associated with the client ID for authentication.
    IDP auth endpoint URL The endpoint for initiating the authentication process.
    IDP token endpoint URL The endpoint for obtaining access and refresh tokens.
    Custom scopes The custom scopes. Use with ; delimiter.
    Role ARN Enter the ARN for the WebIdentity role from AWS.
    Name of an AWS role claim Name of the AWS role claim that contains the name of the AWS role.

    Important: The Role ARN added during this step acts as the default role. It's not advisable to use an administrator role at this step. It is recommended to use a role with minimum privileges during provider setup.

    After the provider is configured, you will see an AWS Role ARN field for each user, where you can specify a role with higher privileges, if necessary.

    Note: The values for the Client ID, Client Secret, IDP auth endpoint URL, and IDP token endpoint URL depend on the specific OpenID Connect provider being used.

  4. Click on the Create button.

  5. Copy Redirect and Sign out Links:

    1. Enter the newly created identity provider.
    2. Copy the Redirect link and the Sign out link.
  6. Update Redirect URIs in the authorization service.

Step 3: Logging in

  1. With the AWS OpenID configuration now established, proceed to the login screen.

  2. Select the Federated authentication method, labeled with the Configuration name you specified.

  3. Clicking on this authentication method will redirect you to the Sign in with Google page.

  4. After selecting the necessary account, you will be automatically redirected and logged into the CloudBeaver.

  5. Verify the Integration of AWS and OpenID

    1. Once logged in, click on your username in CloudBeaver and navigate to the User Info tab.
    2. Here, you should see two tokens. Their presence indicates that the integration of AWS and OpenID has been successfully completed, and CloudBeaver has access to the necessary credentials.