OpenID Connect (OIDC) with AWS S3 Read-Only IAM Roles
The request came down fast: secure S3 access without static keys, bound to identity, and locked to read-only. The solution was OpenID Connect (OIDC) with AWS IAM roles that grant least-privilege access to S3. No long-lived credentials, no unmanaged policies—just direct, short-lived sessions from an OIDC identity provider.
What is OpenID Connect (OIDC) in AWS?
OIDC is an identity layer on top of OAuth 2.0. In AWS, you can configure IAM to trust an external OIDC provider. Once trusted, authenticated users from that provider can assume roles in AWS without AWS-specific credentials. This enables secure, role-based access to AWS resources like S3.
How OIDC Maps to AWS S3 Read-Only Roles
In AWS, an IAM role defines permissions and trust. For OIDC, the trust policy points to the identity provider’s iss (issuer) URL. The permissions policy grants actions like s3:GetObject and s3:ListBucket for a chosen bucket. No delete, no write—strict read-only. When a user logs in via the OIDC provider, AWS uses the trust policy to issue short-term credentials for that specific role.
Step-By-Step: Configure OIDC With an S3 Read-Only IAM Role
- Set Up the OIDC Provider in AWS IAM
  - Go to IAM → Identity providers → Add provider.
  - Provider type: OIDC.
  - Enter the OIDC issuer URL.
  - Add the provider’s thumbprint and audience (client ID).
- Create the IAM Role for OIDC
  - Trusted entity: specify the OIDC provider and match the subject claim to your intended users or groups.
- Test the Role Assumption
  - Authenticate through OIDC.
  - Assume the IAM role and verify access to S3 using aws s3 ls or SDK calls. You should be able to list and read objects but not delete or upload.
Attach a Read-Only S3 Permissions Policy
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
Example trust policy condition:
{
  "Condition": {
    "StringEquals": {
      "oidc-idp.example.com:sub": "user@example.com"
    }
  }
}
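To make the trust condition concrete, here is an added example (not code from this post or from hoop.dev) that builds the complete trust policy for the read-only role, pinning both the sub claim and the audience registered in step 1, and then evaluates which ID-token claim sets that policy would admit. The provider host, account ID and client ID are placeholders, and the evaluator models only the iss/sub/aud condition checks, not token signature verification.

```python
import fnmatch

PROVIDER = "oidc-idp.example.com"  # placeholder OIDC issuer host (assumption)
ACCOUNT_ID = "123456789012"        # placeholder AWS account id (assumption)
CLIENT_ID = "s3-readonly-app"      # placeholder audience / client ID (assumption)
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"


def trust_policy(allowed_subs, pin_audience=True):
    """Trust policy for the read-only role: the registered provider is the only
    principal, and the token's sub (and, when pinned, aud) must match."""
    match = {f"{PROVIDER}:sub": list(allowed_subs)}  # list value = any of these
    if pin_audience:
        match[f"{PROVIDER}:aud"] = CLIENT_ID
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": match},
        }],
    }


def _cond_matches(operator, wanted, actual):
    """One IAM string condition: a list of wanted values is an OR; StringLike
    allows * and ? wildcards, StringEquals requires an exact match."""
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, w) for w in wanted)
    return actual in wanted


def token_admitted(policy, claims):
    """Simplified model of the AssumeRoleWithWebIdentity trust check (claims are
    assumed already signature-verified and single-valued): the issuer must be the
    registered provider and every condition key in an Allow statement for that
    provider must match the same-named token claim."""
    if claims.get("iss") != f"https://{PROVIDER}":
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Federated") != PROVIDER_ARN:
            continue
        conditions = stmt.get("Condition", {}).items()
        if all(_cond_matches(op, wanted, str(claims.get(key.split(":", 1)[1], "")))
               for op, keys in conditions for key, wanted in keys.items()):
            return True
    return False
```

Running token_admitted with pin_audience=False shows the gap the aud condition closes: a token minted by the same provider for a different client ID would otherwise be accepted.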
Security Advantages
- No static AWS keys stored in code or config.
- Scope access only to specific buckets and actions.
- Short-lived credentials reduce attack surface.
- Centralized identity with an existing OIDC provider.
Implementing OpenID Connect with AWS S3 read-only IAM roles enforces strong security and compliance while cutting operational risk. Two systems, one trust relationship, zero permanent keys.
See this exact setup in action with hoop.dev—spin up OIDC-authenticated, read-only S3 access in minutes and watch it work live.