Amazon IAM Identity Center releases new SDK plugin to streamline token exchange with an external Identity Provider
Amazon IAM Identity Center has released a new SDK plugin that simplifies Amazon Web Services resource authorization for applications that authenticate with external identity providers (IdPs) such as Microsoft Entra ID, Okta and others. The plugin, which supports trusted identity propagation (TIP), streamlines how external IdP tokens are exchanged for Amazon IAM Identity Center tokens. These tokens enable fine-grained access control to Amazon Web Services resources (for example, Amazon S3 buckets) based on the user and group memberships defined in the external IdP.
The new SDK plugin automates the token exchange, eliminating the need for complex, custom-built workflows. Once configured, it handles creation of the Amazon IAM Identity Center token and the generation of user identity-aware credentials. These credentials can be used to create identity-aware IAM role sessions when requesting access to Amazon Web Services resources. Currently available for the Java 2.0 and JavaScript v3 SDKs, this TIP plugin is Amazon Web Services' recommended solution for implementing user identity-aware authorization.
Amazon IAM Identity Center enables you to connect your existing source of workforce identities to Amazon Web Services once, simplify authorization across multiple Amazon Web Services applications that integrate with TIP, define and audit user identity-aware access to resources across Amazon Web Services, and manage access to multiple Amazon Web Services accounts from a central place. For instructions on installing this plugin, see here. This plugin is available at no additional cost in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and in the Amazon Web Services China (Ningxia) Region, operated by NWCD.