{"id":18632577,"url":"https://github.com/aoepeople/lambda_token_auth","last_synced_at":"2026-03-05T16:13:53.588Z","repository":{"id":45947492,"uuid":"359383139","full_name":"AOEpeople/lambda_token_auth","owner":"AOEpeople","description":"Small Lambda function which performs a Aws:Sts:AssumeRole based on the presented JWT-Token","archived":false,"fork":false,"pushed_at":"2025-06-24T05:26:19.000Z","size":100,"stargazers_count":8,"open_issues_count":13,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-24T06:32:31.833Z","etag":null,"topics":["aws","aws-lambda","iam"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AOEpeople.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-04-19T08:24:22.000Z","updated_at":"2024-12-10T09:23:24.000Z","dependencies_parsed_at":"2022-08-12T12:40:22.679Z","dependency_job_id":"3fb4a814-d57d-4513-b1be-e7d5bb6a0dec","html_url":"https://github.com/AOEpeople/lambda_token_auth","commit_stats":{"total_commits":89,"total_committers":6,"mean_commits":"14.833333333333334","dds":0.4831460674157303,"last_synced_commit":"cdcc655d821c61c087d0b99acb402cd3777cbd7b"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/AOEpeople/lambda_token_auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AOEpeople%2Flambda_token_auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AOEpeople%2Flambda_token_auth/tags","releases_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AOEpeople%2Flambda_token_auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AOEpeople%2Flambda_token_auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AOEpeople","download_url":"https://codeload.github.com/AOEpeople/lambda_token_auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AOEpeople%2Flambda_token_auth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262474089,"owners_count":23316912,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-lambda","iam"],"created_at":"2024-11-07T05:12:36.903Z","updated_at":"2026-03-05T16:13:53.536Z","avatar_url":"https://github.com/AOEpeople.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# About\n\nThis implements an AWS Lambda handler which takes a JWT token, validates it and then performs an AWS STS `AssumeRole` based on preconfigured rules. It is similar to the existing (official) TokenAuthorizer but allows more complexity in its configuration.\n\nA practical use is authenticating a GitLab CI pipeline through the [`CI_JOB_JWT` token](https://docs.gitlab.com/ee/ci/secrets/index.html) / [`id_tokens`](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) without requiring additional long-term credentials. The [claims within the token](https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/#how-it-works) allow very fine-grained control which is not possible otherwise.\n\nAn alternative is [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html), which has some benefits (glob patterns, official AWS API) and some drawbacks (fixed certificate thumbprints).\n\n## Configuration\n\nThe Lambda function is configured through environment variables and a JSON document stored in S3. A list of rules is used to check whether the claims of a valid token match the criteria for granting a role.\n\n### Environment variables\n\n* `CONFIG_BUCKET` - (optional) the S3 bucket name which contains the configuration object\n* `CONFIG_KEY` - (optional) the S3 object key which contains the JSON configuration\n* `CONFIG_ROLEANNOTATIONSENABLED` - (optional) also fetch IAM role tags, which may contain rules\n* `CONFIG_JWKSURL` - (optional) URL of the JWKS document used to verify the token signature\n* `CONFIG_REGION` - (optional) AWS region\n* `CONFIG_BOUND_ISSUER` - (optional) token issuer (`iss`) expected in the tokens\n* `CONFIG_BOUND_AUDIENCE` - (optional) token audience (`aud`) expected in the tokens\n* `LOGLEVEL` - (optional) log level - allowed values: Trace, Debug, Info, Warning, Error, Fatal and Panic\n\nPlease note: these settings must be configured either via a file in the S3 bucket or via environment variables. Although optional, the issuer and audience bindings are what stop a token the same identity provider issued for a different consumer (for example a Vault integration using the same JWKS) from being accepted here, so set both wherever possible.\n\n### JSON configuration\n\n```\n{\n    \"jwks_url\":\"https://gitlab.com/-/jwks\",                          // URL of the JWKS document used to verify the token signature\n    \"role_annotations_enabled\": true,                                // Also fetch IAM role tags, which may contain rules\n    \"role_annotation_prefix\": \"token_auth/\",                         // IAM role tag prefix which marks embedded rules\n    \"bound_issuer\": \"\",                                              // Token issuer (iss) expected in the tokens\n    \"bound_audience\": \"\",                                            // Token audience (aud) expected in the tokens\n    \"rules\":[                                                        // List of rules which allow the AssumeRole for certain tokens\n        {\n            \"claim_values\":{                                         // The values the token must present for this rule to match\n                \"namespace_id\":\"4\"\n            },\n            \"duration\":1800,                                         // Duration of the created session in seconds\n            \"region\":\"us-east-1\",\n            \"role\":\"arn:aws:iam::124567910112:role/some-role-arn\"    // ARN of the role which is assumed for matching tokens\n        }\n    ]\n}\n```\n\n#### Rule annotations\n\nWith `role_annotations_enabled` set to `true`, rules are also fetched from IAM role tags. The tag keys must start with `role_annotation_prefix`; the value of each tag is the required claim values as a base64-encoded JSON map.\n\n#### Lambda IAM policy\n\nThe Lambda itself also requires some IAM configuration. It needs:\n\n* `s3:GetObject` permissions to read the configuration from the S3 bucket\n* `iam:GetRole` permissions on every role whose tags it has to read - if `role_annotations_enabled` is `true`\n* to be a principal in the trust policy of every role it should assume once the token is valid\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faoepeople%2Flambda_token_auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faoepeople%2Flambda_token_auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faoepeople%2Flambda_token_auth/lists"}
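The rule evaluation the README describes (issuer/audience binding, `claim_values` matching against the token, and rules embedded in IAM role tags), as an added Go example that is not the project's code. It assumes signature verification against `jwks_url` has already succeeded, treats an empty bound value as "not configured", compares claims as strings, and uses a caller-supplied default session duration for tag-derived rules because the README does not say where those take it from; `ParseConfig`, `CheckBound`, `Match`, `RulesFromTags` and the `Claims` type are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Config and Rule mirror the README's JSON document (only the fields used here).
// Added example, not the project's code; jwks_url signature checks are assumed done.
type Config struct {
	BoundIssuer   string `json:"bound_issuer"`
	BoundAudience string `json:"bound_audience"`
	Rules         []Rule `json:"rules"`
}

type Rule struct {
	ClaimValues map[string]string `json:"claim_values"`
	Duration    int               `json:"duration"` // seconds
	Region      string            `json:"region"`
	Role        string            `json:"role"`
}

// Claims is the decoded JWT payload.
type Claims map[string]interface{}

func ParseConfig(data []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, fmt.Errorf("config: %w", err)
	}
	return &c, nil
}

// CheckBound enforces bound_issuer and bound_audience; an empty value means "not configured".
func (c *Config) CheckBound(claims Claims) error {
	if iss, _ := claims["iss"].(string); c.BoundIssuer != "" && iss != c.BoundIssuer {
		return fmt.Errorf("issuer %q does not match bound_issuer %q", iss, c.BoundIssuer)
	}
	if c.BoundAudience == "" {
		return nil
	}
	switch aud := claims["aud"].(type) { // RFC 7519: a string or an array of strings
	case string:
		if aud == c.BoundAudience {
			return nil
		}
	case []interface{}:
		for _, a := range aud {
			if s, ok := a.(string); ok && s == c.BoundAudience {
				return nil
			}
		}
	}
	return fmt.Errorf("audience does not contain bound_audience %q", c.BoundAudience)
}

// Match returns the first rule whose every claim_values entry equals the token's
// claim (compared as strings). A rule without claim_values fails closed.
func (c *Config) Match(claims Claims) (*Rule, bool) {
	for i := range c.Rules {
		r := &c.Rules[i]
		if len(r.ClaimValues) == 0 {
			continue
		}
		matched := true
		for k, want := range r.ClaimValues {
			if got, ok := claims[k].(string); !ok || got != want {
				matched = false
				break
			}
		}
		if matched {
			return r, true
		}
	}
	return nil, false
}

// RulesFromTags decodes tags prefixed with prefix (base64 JSON map of claim_values)
// into rules for roleArn. defaultDuration is an assumption, the README leaves it open.
func RulesFromTags(roleArn string, tags map[string]string, prefix string, defaultDuration int) ([]Rule, error) {
	var rules []Rule
	for k, v := range tags {
		if !strings.HasPrefix(k, prefix) {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return nil, fmt.Errorf("tag %s: %w", k, err)
		}
		var cv map[string]string
		if err := json.Unmarshal(raw, &cv); err != nil {
			return nil, fmt.Errorf("tag %s: %w", k, err)
		}
		rules = append(rules, Rule{ClaimValues: cv, Duration: defaultDuration, Role: roleArn})
	}
	return rules, nil
}
```

Call `CheckBound` before `Match`: a token that passes signature verification but carries a foreign `iss` or `aud` must be rejected before any rule is consulted, and a malformed tag (bad base64 or non-map JSON) aborts rule loading rather than silently yielding a rule that matches nothing or everything.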