I want to achieve my solution only using Okta as OIDC provider and don’t want to use Okta + AWS Cognito.
My identities are in Okta and I want to generate a JWT at user logon in Okta. I will then use this JWT to assume a role in AWS as mentioned in the doc here and return STS creds using the API call here.
Please let me know how I can achieve this. Please provide your response in a simple way with an example as I am new to Okta and the identity world. Please feel free to correct me if I am missing something conceptually.
P.S.: I am passing this JWT token in a POST request to APIGW, which then passes it to Lambda. I am doing some stuff in Lambda with this JWT token. Right now I am using Okta + AWS Cognito, but I want to get rid of Cognito unless necessary.
I want the below solution workflow:
- User logs in to the Okta portal using userid and password and gets authenticated. Identities in Okta are from multiple identity sources.
- JWT token is generated after logon.
- Capture the JWT token and pass it to Lambda by calling an API in APIGW using a POST API call.
- Run this call in Lambda to return STS creds in the response. While running the call, apply a session policy to scope down the level of permissions depending on attributes passed in the JWT token. The scope-down policy is created in Lambda based on dynamic attributes in the JWT token.
- Scoped-down temp creds are used by the user to perform the action.
I am creating dynamic policies as this is a SaaS product and end users (vendors/finance users, etc.) will need temporary access depending on their role.
Currently, I am using Cognito in the middle as per the link but want to get rid of Cognito.
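A sketch of the Lambda step described above, added here as an example and not code from the question or from the Okta/AWS documentation. It assumes the JWT has already been signature-verified against Okta (for example by an API Gateway JWT authorizer) and its claims arrive as a dict; the `role` claim name, the role-to-prefix mapping, the bucket name and the role ARN are placeholders for this example, and the IAM role's trust policy must already allow `sts:AssumeRoleWithWebIdentity` from the Okta OIDC provider.

```python
import json
import re

# Constructed mapping from an Okta custom claim "role" to the S3 prefix that
# role may read. A real deployment would load this from configuration.
ROLE_PREFIXES = {
    "vendor": "vendor-uploads/",
    "finance": "finance-reports/",
}
SESSION_SECONDS = 900  # shortest STS allows; scoped-down creds should be short-lived

def build_session_policy(claims: dict, bucket: str) -> dict:
    """Build an inline session policy from already-verified JWT claims.

    A session policy can only narrow what the assumed role allows, never widen
    it, so an unknown or missing claim fails closed instead of granting access.
    """
    role = claims.get("role")
    if role not in ROLE_PREFIXES:
        raise PermissionError(f"no policy mapping for role claim {role!r}")
    if not claims.get("sub"):
        raise PermissionError("token has no subject")
    prefix = ROLE_PREFIXES[role]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }

def assume_scoped_role(id_token: str, claims: dict, role_arn: str, bucket: str) -> dict:
    """Exchange the Okta token for STS credentials narrowed by the session policy.
    Needs boto3, network access and the OIDC trust relationship; not run offline."""
    import boto3  # imported here so the policy builder can be tested without it
    # RoleSessionName only allows [\w+=,.@-]; sanitize the subject before use
    session_name = re.sub(r"[^\w+=,.@-]", "_", f"okta-{claims['sub']}")[:64]
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=id_token,
        Policy=json.dumps(build_session_policy(claims, bucket)),
        DurationSeconds=SESSION_SECONDS,
    )
    return resp["Credentials"]
```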