Reputation: 5056
I have a CodeStar project, using console I've created an identity provider and an identity pool for OpenId Connect. This works and I can authenticate all my resources. I would like to turn this manual process into something more automated. The first two things needed are
The ideal solution would be to add a few instructions to template.yml in the CodeStar project, so each time the template is modified the identity provider will be modified accordingly. I tried to look at the SAM documentation and it doesn't seem to have something useful for Identity Provider creation. I've looked at CloudFormation Designer and it seems there's nothing for this need. How is it possible?
How can I automate and put this information under source control?
Upvotes: 4
Views: 3296
Reputation: 714
CloudFormation now supports both OpenID Connect and SAML identity providers:
The AWS::IAM::SAMLProvider resource type is used for the SAML provider and AWS::IAM::OIDCProvider is used for the OpenID Connect provider.
Upvotes: 2
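As an added illustration of those two resource types (this is not code from the original answer), the template below declares an OIDC provider, a SAML provider and a Cognito identity pool that trusts the OIDC provider, which is the pair of resources the question created by hand. The issuer URL, client ID, thumbprint, provider names and SAML metadata are placeholders; everything under Parameters has to be replaced with real values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original answer): an OIDC provider, a SAML
  provider and a Cognito identity pool that trusts the OIDC provider. The
  issuer URL, client ID, thumbprint and metadata document are placeholders.

Parameters:
  OidcIssuerUrl:
    Type: String
    Default: https://idp.example.com          # placeholder: the IdP's issuer URL
  OidcClientId:
    Type: String
    Default: my-client-id                     # placeholder: audience registered at the IdP
  OidcCaThumbprint:
    Type: String
    Default: "0000000000000000000000000000000000000000"
    Description: placeholder; SHA-1 hex thumbprint of the CA that issued the IdP's TLS certificate
  SamlMetadataXml:
    Type: String
    Description: placeholder; full contents of the SAML IdP metadata document

Resources:
  OidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: !Ref OidcIssuerUrl
      ClientIdList:
        - !Ref OidcClientId            # only tokens carrying this audience are accepted
      ThumbprintList:
        - !Ref OidcCaThumbprint        # pins the issuer's certificate chain

  SamlProvider:
    Type: AWS::IAM::SAMLProvider
    Properties:
      Name: ExampleSamlProvider        # constructed name
      SamlMetadataDocument: !Ref SamlMetadataXml

  # The identity pool from the question, now in the template and wired to the
  # provider above by ARN (Ref on an AWS::IAM::OIDCProvider returns its ARN).
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: ExampleIdentityPool   # constructed name
      AllowUnauthenticatedIdentities: false   # guests without a token get no credentials
      OpenIdConnectProviderARNs:
        - !Ref OidcProvider

Outputs:
  OidcProviderArn:
    Value: !Ref OidcProvider
  SamlProviderArn:
    Value: !Ref SamlProvider
  IdentityPoolId:
    Value: !Ref IdentityPool
```

A SAM template.yml is an ordinary CloudFormation template with the Serverless transform, so these resources can sit in its Resources section next to the project's functions and be deployed by the same pipeline. Two checks worth doing before the first deploy: IAM accepts any well-formed thumbprint, so verify it against the issuer's actual certificate chain rather than copying it from a tutorial, and keep the ClientIdList to the audiences your application really uses, since every listed audience can assume whatever roles trust this provider.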
Reputation: 3088
I found a project to set this up with python in a Lambda function. I haven't tried it out yet (I ended up here while trying to figure it out)
Relevant code (after setting up the boto IAM client)
iam.create_saml_provider(SAMLMetadataDocument=doc, Name=name)  # doc: SAML metadata XML as a string, name: provider name
There is (of course) more to it than that, but it's all in the github project.
Upvotes: 1
Reputation: 351
CloudFormation doesn't have support for OpenID or SAML IdPs. However, all of the AWS SDKs do. I suggest looking into the lambda-backed custom resources for CloudFormation.
The custom resource lambda function could then have your own implementation of OpenID provider creation. See the AWS documentation for Python or Java SDK calls.
Upvotes: 3
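To show the custom-resource pattern that this answer and the Lambda-based answer above both describe, here is an added example (not code from either answer or from the GitHub project mentioned) of a CloudFormation template whose Lambda-backed custom resource creates, updates and deletes an IAM OIDC provider through boto3; the same structure works for a SAML provider with create_saml_provider. The issuer URL, client ID, thumbprint and resource names are placeholders, and the Custom::OidcProvider type name and its Url/ClientId/Thumbprint properties are conventions chosen for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from either answer): a Lambda-backed custom resource that
  creates, updates and deletes an IAM OIDC provider through the SDK. Issuer
  URL, client ID and thumbprint are placeholders.

Resources:
  # Execution role scoped to the IAM calls the handler actually makes.
  OidcProviderFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole  # CloudWatch Logs only
      Policies:
        - PolicyName: ManageOidcProvider
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:CreateOpenIDConnectProvider
                  - iam:DeleteOpenIDConnectProvider
                  - iam:UpdateOpenIDConnectProviderThumbprint
                  - iam:AddClientIDToOpenIDConnectProvider
                  - iam:RemoveClientIDFromOpenIDConnectProvider
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/*

  OidcProviderFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt OidcProviderFunctionRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import boto3, cfnresponse   # cfnresponse is provided for inline (ZipFile) code
          iam = boto3.client("iam")

          def create(p):
              r = iam.create_open_id_connect_provider(
                  Url=p["Url"], ClientIDList=[p["ClientId"]],
                  ThumbprintList=[p["Thumbprint"]])
              return r["OpenIDConnectProviderArn"]

          def handler(event, context):
              p = event["ResourceProperties"]
              # The provider ARN is the physical ID; CloudFormation passes it
              # back on Update and Delete (or a dummy value if Create failed).
              arn = event.get("PhysicalResourceId", "none")
              try:
                  if event["RequestType"] == "Create":
                      arn = create(p)
                  elif event["RequestType"] == "Update":
                      old = event["OldResourceProperties"]
                      if old["Url"] != p["Url"]:
                          # Url is immutable in IAM: returning a new physical ID
                          # makes CloudFormation replace the resource and later
                          # send a Delete for the old ARN.
                          arn = create(p)
                      else:
                          iam.update_open_id_connect_provider_thumbprint(
                              OpenIDConnectProviderArn=arn,
                              ThumbprintList=[p["Thumbprint"]])
                          if old["ClientId"] != p["ClientId"]:
                              iam.add_client_id_to_open_id_connect_provider(
                                  OpenIDConnectProviderArn=arn, ClientID=p["ClientId"])
                              iam.remove_client_id_from_open_id_connect_provider(
                                  OpenIDConnectProviderArn=arn, ClientID=old["ClientId"])
                  elif event["RequestType"] == "Delete" and arn.startswith("arn:"):
                      try:
                          iam.delete_open_id_connect_provider(OpenIDConnectProviderArn=arn)
                      except iam.exceptions.NoSuchEntityException:
                          pass  # already gone; stay idempotent so stack deletion completes
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {"Arn": arn}, arn)
              except Exception as e:
                  # Always answer, otherwise the stack waits until the operation times out.
                  cfnresponse.send(event, context, cfnresponse.FAILED, {"Error": str(e)}, arn)

  OidcProvider:
    Type: Custom::OidcProvider
    Properties:
      ServiceToken: !GetAtt OidcProviderFunction.Arn
      Url: https://idp.example.com                           # placeholder
      ClientId: my-client-id                                 # placeholder
      Thumbprint: "0000000000000000000000000000000000000000"  # placeholder

Outputs:
  OidcProviderArn:
    Value: !GetAtt OidcProvider.Arn
```

The points that usually go wrong with hand-written custom resources are all in the handler: it must send a response on every path (including exceptions), treat Delete as a no-op when the resource never got created or is already gone, and return a new physical ID when a property that IAM cannot change in place (the Url) differs, so that CloudFormation performs a replacement instead of silently keeping the old provider. The execution role lists only the five IAM actions the code calls, scoped to oidc-provider ARNs in the account, rather than a broad iam:* grant.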