
OpenID Connect (OIDC) with AWS S3 Read-Only IAM Roles


The request came down fast: secure S3 access without static keys, bound to identity, and locked to read-only. The solution was OpenID Connect (OIDC) with AWS IAM roles that grant least-privilege access to S3. No long-lived credentials, no unmanaged policies—just direct, short-lived sessions from an OIDC identity provider.

What is OpenID Connect (OIDC) in AWS?
OIDC is an identity layer on top of OAuth 2.0. In AWS, you can configure IAM to trust an external OIDC provider. Once trusted, users authenticated by that provider can exchange their OIDC token for a short-lived IAM role session, with no pre-provisioned AWS credentials of their own. This enables secure, role-based access to AWS resources like S3.

How OIDC Maps to AWS S3 Read-Only Roles
In AWS, an IAM role defines permissions and trust. For OIDC, the trust policy points to the identity provider's iss (issuer) URL and can further restrict which tokens are accepted by their subject and audience claims. The permissions policy grants actions like s3:GetObject and s3:ListBucket for a chosen bucket. No delete, no write: strict read-only. When a user logs in via the OIDC provider, AWS uses the trust policy to issue short-term credentials for that specific role.

Step-By-Step: Configure OIDC With an S3 Read-Only IAM Role

  1. Set Up the OIDC Provider in AWS IAM
    • Go to IAM → Identity providers → Add provider.
    • Provider type: OIDC.
    • Enter the OIDC issuer URL.
    • Add the provider’s thumbprint and audience (client ID).
  2. Create the IAM Role for OIDC
    • Trusted entity: specify the OIDC provider and match the subject claim to your intended users or groups.
  3. Test the Role Assumption
    • Authenticate through OIDC.
    • Assume the IAM role and verify access to S3 using aws s3 ls or SDK calls. You should be able to list and read objects but not delete or upload.

Attach a Read-Only S3 Permissions Policy
Example:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:GetObject",
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::my-bucket",
    "arn:aws:s3:::my-bucket/*"
   ]
  }
 ]
}

Example trust policy condition:

{
 "Condition": {
  "StringEquals": {
   "oidc-idp.example.com:sub": "user@example.com"
  }
 }
}
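The three steps above and the two policy documents fit together as one role definition; the following Python is an added example (not code from the original post or from hoop.dev) that builds both documents and then checks them the way a reviewer would before attaching them. The provider host, account ID, client ID and bucket name are constructed placeholders; trust_policy_findings and permissions_findings are hypothetical helper names, and is_allowed is a deliberately small evaluator that only models the Allow statements shown here, not full IAM evaluation.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder values; substitute your own provider host, account, client ID and bucket.
PROVIDER_HOST = "oidc-idp.example.com"
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER_HOST}"
CLIENT_ID = "example-client-id"

# Actions accepted in a "read-only" S3 policy; anything else is flagged.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion", "s3:GetBucketLocation"}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(subject: str) -> dict:
    """Trust policy for step 2: only tokens issued by PROVIDER_HOST, minted for CLIENT_ID,
    whose sub claim equals `subject` may call sts:AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{PROVIDER_HOST}:aud": CLIENT_ID,
                f"{PROVIDER_HOST}:sub": subject,
            }},
        }],
    }


def build_read_only_policy(bucket: str) -> dict:
    """Permissions policy: list the bucket and read its objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return problems found in an OIDC trust policy (empty list means it looks right)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append("Action is not sts:AssumeRoleWithWebIdentity")
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            findings.append("Federated principal is not the expected OIDC provider ARN")
        cond = stmt.get("Condition", {})
        keys = set(cond.get("StringEquals", {})) | set(cond.get("StringLike", {}))
        if f"{PROVIDER_HOST}:aud" not in keys:
            findings.append("no aud condition: tokens minted for any client of the IdP would be accepted")
        if f"{PROVIDER_HOST}:sub" not in keys:
            findings.append("no sub condition: any authenticated user of the IdP could assume the role")
    return findings


def permissions_findings(policy: dict, bucket: str) -> list:
    """Flag any Allow statement that grants a non-read action or reaches outside `bucket`."""
    findings = []
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"non-read-only action: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in in_scope:
                findings.append(f"resource outside {bucket}: {resource}")
    return findings


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Toy evaluator for step 3's expectation (list/read yes, put/delete no).
    Handles only Allow statements with literal actions and '*' resource globs;
    real IAM evaluation (Deny, conditions, action wildcards) is richer than this."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt.get("Action", [])):
            continue
        if any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


if __name__ == "__main__":
    trust = build_trust_policy("user@example.com")
    perms = build_read_only_policy("my-bucket")
    print(json.dumps(trust, indent=1))
    print("trust findings:", trust_policy_findings(trust))
    print("permission findings:", permissions_findings(perms, "my-bucket"))
    for act in ("s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        arn = "arn:aws:s3:::my-bucket" if act == "s3:ListBucket" else "arn:aws:s3:::my-bucket/report.csv"
        print(f"{act:16} -> {'allowed' if is_allowed(perms, act, arn) else 'denied'}")
```

The aud check is the one most often left out: the post's example condition pins only sub, and without an audience condition any token the provider issues for a different client application would also satisfy the trust policy. Running the checker against a policy with the aud entry removed reports exactly that.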

Security Advantages

  • No static AWS keys stored in code or config.
  • Scope access only to specific buckets and actions.
  • Short-lived credentials reduce attack surface.
  • Centralized identity with an existing OIDC provider.

Implementing OpenID Connect with AWS S3 read-only IAM roles enforces strong security and compliance while cutting operational risk. Two systems, one trust relationship, zero permanent keys.

See this exact setup in action with hoop.dev—spin up OIDC-authenticated, read-only S3 access in minutes and watch it work live.
