This presentation from AWS re:Invent 2025 introduces a new AWS feature that enables secure and seamless authentication between AWS workloads and external services, eliminating the need to manage long-term credentials. The speakers, Rah Maharaj Puram and Vishnavi Merugu, demonstrate how this feature works and highlight its key benefits.
Key Features and Functionality

Outbound Identity Federation
- Allows AWS workloads (e.g., EC2, Lambda, EKS) to authenticate to external services using short-lived JSON Web Tokens (JWTs)
- Eliminates the need to manage long-term credentials such as API keys or passwords
- Supports integration with a variety of external services, including other cloud providers (Azure, GCP), SaaS platforms (Databricks, Snowflake), and on-premises systems

JWT Generation and Validation
- AWS generates the JWTs through the AWS Security Token Service (STS), and the tokens can be customized with various claims
- JWTs are signed with either the RS256 or the ES384 algorithm, and the corresponding public keys are published at a well-known endpoint so that external services can validate the signatures
- JWT lifetimes are configurable, from 60 seconds up to 1 hour, to balance security against operational needs

Customizable Claims
- Standard OIDC claims (subject, audience, expiration, etc.) are included in the JWTs
- AWS also adds custom claims, namespaced under s.amazonaws.com, that provide additional context about the identity and workload:
  - AWS account ID, source region, and organization ID (if applicable)
  - Principal tags (from IAM roles/users) and session tags
  - Federated provider information (if the identity originated from an external source)

Access Control
- The sts:GetWebIdentityToken permission grants the ability to generate JWTs for external authentication
- Condition keys allow fine-grained control over:
  - Allowed token audiences
  - Maximum token lifetime
  - Permitted signing algorithms
Benefits and Use Cases

Enhanced Security
- Removes the risk of long-term credential compromise, a leading cause of security incidents
- Short-lived JWTs are a more secure alternative to managing API keys, passwords, and other long-term credentials

Reduced Operational Complexity
- Simplifies integration with external services by replacing complex authentication flows and credential management
- Tokens are generated and rotated automatically, reducing the burden on developers and operations teams

Improved Interoperability
- Enables secure cross-cloud and on-premises workload connectivity using a standardized JWT-based approach
- Supports a wide range of external service providers, including other cloud platforms, SaaS applications, and custom on-premises systems

Best Practices and Recommendations
- Replace long-term credentials with short-lived JWTs wherever possible
- In the external service, validate the JWT signature and claims (including the custom AWS claims) before granting access
- Keep the JWT lifetime to the shortest duration the use case requires
- Avoid logging or storing JWTs, and transmit them only over a secure (TLS) channel
- Use the available condition keys to enforce strict access control policies
Conclusion
The AWS outbound identity federation feature provides a secure and seamless way for AWS workloads to authenticate to external services, eliminating the need to manage long-term credentials. By leveraging standardized JWTs and customizable claims, this solution enhances security, reduces operational complexity, and enables greater interoperability across cloud and on-premises environments.