AWS AuthFI Connect

Connect your AWS account to AuthFI so users can get temporary credentials and console access based on their AuthFI roles.

Prerequisites

  • An AWS account with IAM admin access
  • AuthFI tenant on Scale or Enterprise plan

Step 1: Create an OIDC Identity Provider in AWS

aws iam create-open-id-connect-provider \
  --url https://your-tenant.authfi.app \
  --client-id-list authfi-cloud-access \
  --thumbprint-list <your-authfi-thumbprint>

Step 2: Create an IAM Role with Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::123456789012:oidc-provider/your-tenant.authfi.app"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "your-tenant.authfi.app:aud": "aws",
        "your-tenant.authfi.app:azp": "authfi-cloud-access"
      }
    }
  }]
}

Step 3: Add Cloud Account in AuthFI

curl -X POST https://api.authfi.app/manage/v1/your-tenant/cloud/accounts \
  -H "X-API-Key: sk_..." \
  -d '{
    "provider": "aws",
    "name": "AWS Production",
    "account_ref": "123456789012",
    "config": {
      "oidc_provider_arn": "arn:aws:iam::123456789012:oidc-provider/your-tenant.authfi.app"
    }
  }'

Step 4: Create Role Mapping

curl -X POST https://api.authfi.app/manage/v1/your-tenant/cloud/mappings \
  -H "X-API-Key: sk_..." \
  -d '{
    "cloud_account_id": "<account-uuid>",
    "authfi_role_id": "<cloud-admin-role-uuid>",
    "cloud_role": "arn:aws:iam::123456789012:role/AdminAccess",
    "max_session_seconds": 3600,
    "conditions": { "require_mfa": true }
  }'

Step 5: Users Get Access

// SDK — get AWS credentials for the logged-in user
// (assumes `authfi` is an initialized AuthFI SDK client and `req.user.token`
// holds the signed-in user's AuthFI token)
import { S3Client } from '@aws-sdk/client-s3';

const creds = await authfi.cloudCredentials(req.user.token, {
  provider: 'aws',
  account: 'production'
});

// Use with AWS SDK: the temporary credentials are passed to any AWS client
const s3 = new S3Client({ region: 'us-east-1', credentials: creds }); // set your region

Or from the AuthFI Console, users click “Open Console” to land directly in the AWS Management Console.
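The following is an added example, not part of the AuthFI documentation or SDK: it pre-checks an AuthFI ID token against the Step 2 trust policy conditions and the Step 4 mapping (MFA requirement, session ceiling) before the token is handed to sts:AssumeRoleWithWebIdentity, so a misconfigured mapping fails with a readable reason. It assumes AuthFI tokens carry standard OIDC claims (iss, aud, azp, exp, sub, amr); the constants and the makeTestToken helper are constructed here for illustration.

```javascript
// Added example, not AuthFI's code: pre-check an AuthFI ID token against the
// Step 2 trust policy and the Step 4 mapping before calling
// sts:AssumeRoleWithWebIdentity. Constants mirror the values used above.
const TRUST_POLICY = {
  issuer: 'https://your-tenant.authfi.app',
  aud: 'aws',                 // "your-tenant.authfi.app:aud"
  azp: 'authfi-cloud-access', // "your-tenant.authfi.app:azp"
};
const MAPPING = {
  cloud_role: 'arn:aws:iam::123456789012:role/AdminAccess',
  max_session_seconds: 3600,
  conditions: { require_mfa: true },
};
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
// Decode a JWT payload without verifying the signature. STS verifies the
// signature against the provider's keys; this only surfaces claim problems
// early with a readable reason instead of an opaque STS error.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(fromB64url(parts[1]).toString('utf8'));
}
// Returns AssumeRoleWithWebIdentity parameters, or throws naming the trust
// policy or mapping condition the token would fail.
function buildAssumeRoleParams(token, requestedSeconds, now = Math.floor(Date.now() / 1000),
                               policy = TRUST_POLICY, mapping = MAPPING) {
  const c = decodeJwtPayload(token);
  if (c.iss !== policy.issuer) throw new Error(`iss mismatch: ${c.iss}`);
  if (c.aud !== policy.aud) throw new Error(`aud mismatch: ${c.aud}`);
  if (c.azp !== policy.azp) throw new Error(`azp mismatch: ${c.azp}`);
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('token expired');
  // require_mfa is checked against the OIDC amr (authentication methods) claim.
  if (mapping.conditions.require_mfa && !(Array.isArray(c.amr) && c.amr.includes('mfa'))) {
    throw new Error('mapping requires MFA but amr lacks "mfa"');
  }
  return {
    RoleArn: mapping.cloud_role,
    // STS restricts session names to [\w+=,.@-], 2..64 characters.
    RoleSessionName: `authfi-${c.sub}`.replace(/[^\w+=,.@-]/g, '_').slice(0, 64),
    WebIdentityToken: token,
    DurationSeconds: Math.min(requestedSeconds, mapping.max_session_seconds), // ceiling wins
  };
}
// Constructed, unsigned token for local testing only (not a real AuthFI token).
function makeTestToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.unsigned`;
}
```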