Using Firebase OpenID Connect provider as AWS IAM Identity Provider

5
votes

I get the following error while setting up Firebase as an AWS IAM Identity Provider using OpenID Connect.

We encountered the following errors while processing your request: Please check .well-known/openid-configuration of provider: https://securetoken.google.com/<Project ID> is valid.

The AWS IAM Identity Provider setup requires two input parameters, to which I plugged in the following:
Provider URL: https://securetoken.google.com/<Firebase Project ID>
Audience: <Firebase Client ID>

To troubleshoot the error, I opened http://<Provider URL>/.well-known/openid-configuration in a browser and noted the JSON response has the Issuer and jwks_uri fields. I believe these JSON fields indicate the Firebase OpenID Connect Provider URL is valid.

Any idea how I could avoid the above error and successfully set up the AWS IAM Identity Provider?

1
amazon-web-servicesfirebaseamazon-iamopenid-connect

1 Answers

8
votes

I contacted AWS support and they helped resolve the problem. Thanks to Shaun H @ AWS!

The solution to the problem is to use AWS CLI instead of AWS console to set up an OIDC provider.

I'm pasting relevant parts of Shaun's response below: 1.) Manually obtain and verify the thumbprint using the procedure described here[1].
"ThumbprintList" = "6040DB92306CC8BCEB31CACAC88D107430B16AFF"

2.) Create the OIDC identity provider using the AWS Cli [2]. For example: $ aws iam create-open-id-connect-provider --cli-input-json file://oidc.json Note - the format would be:
aud Audience Must be your Firebase project ID, the unique identifier for your Firebase project, which can be found in the URL of that project's console. iss Issuer Must be https://securetoken.google.com/<projectId>, where is the same project ID used for aud above.

Content for file://oidc.json: (replace with your Project ID) 

{
    "Url": "https://securetoken.google.com/<Firebase Client ID>", 
    "ClientIDList": [ "<Firebase Client ID>" ], 
    "ThumbprintList": [ "6040DB92306CC8BCEB31CACAC88D107430B16AFF" ]
}

[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

[2] http://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html