{"id":24023264,"url":"https://github.com/sibiraj-s/oidc-setup","last_synced_at":"2026-04-25T21:33:45.804Z","repository":{"id":264941027,"uuid":"862811386","full_name":"sibiraj-s/oidc-setup","owner":"sibiraj-s","description":"Ory Hydra setup for implementing OpenID Connect (OIDC) and assuming role from AWS","archived":false,"fork":false,"pushed_at":"2024-09-25T09:36:43.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-04-15T18:00:04.648Z","etag":null,"topics":["assume-role","aws","aws-sts","oidc","ory-hydra"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sibiraj-s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["sibiraj-s"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2024-09-25T08:24:16.000Z","updated_at":"2024-09-25T09:37:50.000Z","dependencies_parsed_at":"2024-11-26T22:42:32.391Z","dependency_job_id":null,"html_url":"https://github.com/sibiraj-s/oidc-setup","commit_stats":null,"previous_names":["sibiraj-s/oidc-setup"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sibiraj-s/oidc-setup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sibiraj-s%2Foidc-setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sibiraj-s%2Foidc-setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sibiraj-s%2Foidc-setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sibiraj-s%2Foidc-setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sibiraj-s","download_url":"https://codeload.github.com/sibiraj-s/oidc-setup/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sibiraj-s%2Foidc-setup/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32278249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T18:29:39.964Z","status":"ssl_error","status_checked_at":"2026-04-25T18:29:32.149Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assume-role","aws","aws-sts","oidc","ory-hydra"],"created_at":"2025-01-08T14:14:50.674Z","updated_at":"2026-04-25T21:33:45.791Z","avatar_url":"https://github.com/sibiraj-s.png","language":"Shell","funding_links":["https://github.com/sponsors/sibiraj-s"],"categories":[],"sub_categories":[],"readme":"# OIDC Setup with Ory Hydra and AWS STS\n\nThis repository demonstrates how to use the OIDC Client Credentials Flow with [Ory Hydra](https://www.ory.sh/hydra/docs/) (an open-source OAuth2 and OpenID Connect server) and assume a role in AWS using AWS Security Token Service (STS).\n\nIt provides two scripts for this purpose:\n\n- **`generate.sh`**: Generates an access token using the OIDC Client Credentials Flow.\n- **`assume.sh`**: Assumes a role from AWS using AWS STS\n\n\u003e [!IMPORTANT]\n\u003e This setup is for demonstration purposes only. In a production environment, ensure that your configuration meets your security requirements.\n\n## Prerequisites\n\n- [Docker](https://docs.docker.com/get-docker/)\n- [tunnelmole](https://tunnelmole.com/) or similar tunneling services (e.g., ngrok, localtunnel)\n- [AWS Account](https://aws.amazon.com/)\n\n### Start the tunnelmole Server\n\nTo make Ory Hydra accessible over the internet, you can use tunnelmole or a similar service like ngrok or localtunnel.\n\nStart the tunnelmole server with the following command:\n\n```bash\nnpx tunnelmole 4444\n```\n\nOnce the server is running, it will generate a public URL. Copy this URL and replace the `issuer` URL in the [hydra.yml](./config/hydra.yml) configuration file. Ensure the URL uses `https` protocol.\n\n\u003e [!NOTE]\n\u003e If you use an alternate service like ngrok, ensure it doesn't add any interstitial pages (i.e., extra steps like a click-through page). These can interfere with AWS OpenID provider setup. For example, check [ngrok's guide on interstitials](https://ngrok.com/docs/guides/limits/#why-is-there-an-interstitial-in-front-of-my-html-content) for more information.\n\n### Start the Hydra Server\n\nBefore starting, verify and update the values in [hydra.yml](./config/hydra.yml) as needed.\n\nStart the Hydra server using Docker Compose:\n\n```bash\ndocker compose up\n```\n\nOn the first boot, this command will apply the necessary database migrations and start the Hydra server.\n\n### Configure the OIDC Provider in AWS\n\n**Step 1: Create the OpenID Connect Provider in AWS**\n\n1. Open the **IAM** dashboard in the AWS Management Console.\n2. Select **Identity Providers** from the left-hand menu.\n3. Click **Create Provider**.\n4. Choose **OpenID Connect** as the provider type.\n5. Paste the public `https` URL (from tunnelmole or similar) into the **Provider URL** field.\n6. Set the **Audience** field to `sts.amazonaws.com`.\n7. Click **Create**.\n\n**Step 2: Create a Role for the OIDC Provider**\n\n1. In the **IAM** dashboard, select **Roles**.\n2. Click **Create Role**.\n3. Choose **Web Identity** as the trusted entity type.\n4. Select the newly created OpenID Connect provider, and ensure the audience is set to `sts.amazonaws.com`.\n5. Attach a policy to the role. You can either create a new policy or use an existing one.\n6. Provide a name for the role, review the configuration, and create the role.\n\n\u003e [!NOTE]\n\u003e In a production setup, you may want to configure more attributes in the trust policy, such as limiting the `sub` (subject) to scope down access for the client.\n\n### Create OIDC Client\n\nBefore generating the OIDC client, copy the Amazon Resource Name (ARN) of the role you just created in AWS and add it to the `.env` file:\n\n```bash\nexport ROLE_ARN=arn:aws:iam::Accountxxx:role/OIDCProvider\n```\n\nRefer to [sample.env](./sample.env) for an example.\n\nOnce the `.env` file is set up, run the `generate.sh` script to create an OIDC client:\n\n```bash\nsh ./generate.sh\n```\n\nThis script will generate an OIDC client, including its client ID, secret, and access token. These values will be written to the `.env` file.\n\n### Assume the Role\n\nNow, you can use the `assume.sh` script to assume the AWS role:\n\n```bash\nsh ./assume.sh\n```\n\nThis will use the generated access token to assume the role, and the assumed role session credentials will be printed in the terminal.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsibiraj-s%2Foidc-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsibiraj-s%2Foidc-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsibiraj-s%2Foidc-setup/lists"}