AWS Web Identity Token

The AWS Web Identity Token method authenticates workloads using AWS IAM Outbound Identity Federation. The workload exchanges its IAM role credentials for a short-lived JWT; the Trust Domain Server verifies the JWT using the AWS account's OIDC discovery endpoint.

This method works for any AWS workload with an IAM role (e.g. EC2 instances, Lambda functions, ECS tasks, EKS pods) and produces attribute-rich claims from the role's identity and tags.

Attributes available for SVID issuance

The following attributes are produced. All have the origin aws_token.

| Attribute | Description |
|---|---|
| aws_token.account.id | AWS account ID |
| aws_token.org.id | AWS organization ID |
| aws_token.source_region | AWS region where the token was requested |
| aws_token.identity_store_user_id | IAM Identity Center user ID associated with the session (if applicable) |
| aws_token.principal_tags.<TAG_NAME> | Value of principal tag TAG_NAME from the JWT |
| aws_token.request_tags.<TAG_NAME> | Value of request tag TAG_NAME from the JWT |

Example SPIFFE ID template using principal tags:

/aws/{{aws_token.account.id}}/{{aws_token.principal_tags.environment}}

Prerequisites

AWS IAM Outbound Identity Federation must be enabled in the AWS account where agents run. Navigate to IAM > Account settings > Outbound Identity Federation and click Enable.

Once enabled, the console shows the Issuer URL that the server configuration below requires.

The IAM role used by the workload must have an attached policy that grants the sts:GetWebIdentityToken permission:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:GetWebIdentityToken",
          "Resource": "*"
        }
      ]
    }

How to Deploy

Step 1 — Update trust domain configuration

Configure the ServerlessAttestation policy with the issuer URL from your AWS account's outbound federation configuration:

    section: ServerlessAttestation
    schema: v1
    spec:
      policies:
        - name: aws_policy
          svidPolicy:
            pathTemplate: "/aws/{{aws_token.account.id}}"
          requiredAttestors:
            - type: aws_token
              config:
                issuerURLs:
                  - "https://a1e777e5-1234-5678-9bf8-cdda2afef4bb.tokens.sts.global.api.aws"
                allowedAudiences:
                  - urn:defakto:security:server
                allowedPrincipalTags:
                  environment:
                    - production
                allowedRequestTags:
                  classification:
                    - sensitive

Apply it using spirlctl:

    spirlctl config set trust-domain --id <trust-domain-id> serverless.yaml

Or using Terraform:

    resource "spirl_trust_domain_config" "serverless_attestation" {
      trust_domain_id = spirl_trust_domain.my_trust_domain.id
      sections = {
        ServerlessAttestation = <<-YAML
          section: ServerlessAttestation
          schema: v1
          spec:
            policies:
              - name: aws_policy
                svidPolicy:
                  pathTemplate: "/aws/{{aws_token.account.id}}"
                requiredAttestors:
                  - type: aws_token
                    config:
                      issuerURLs:
                        - "https://a1e777e5-1234-5678-9bf8-cdda2afef4bb.tokens.sts.global.api.aws"
                      allowedAudiences:
                        - urn:defakto:security:server
                      allowedPrincipalTags:
                        environment:
                          - production
        YAML
      }
    }

Once a configuration document is validated and stored, the Defakto control plane syncs it to your Trust Domain Servers automatically. No restart is required.

Server Configuration Reference

| Field | Required | Default | Description |
|---|---|---|---|
| issuerURLs | Yes | | List of AWS-issued OIDC issuer URLs. Matched against the iss claim in the JWT. |
| allowedAudiences | No | urn:defakto:security:server | Allowed token audiences (aud claim). |
| allowedPrincipalTags | No | | Allowed values by tag key from the token's principal_tags section. |
| allowedRequestTags | No | | Allowed values by tag key from the token's request_tags section. |
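To make the field semantics concrete, the following is an added example in Python (not Defakto's or SPIRL's own code) that applies a policy like the one in Step 1 to the claims of an already verified token: it selects the policy whose issuerURLs contains the token's iss, checks allowedAudiences (falling back to the documented default), allowedPrincipalTags and allowedRequestTags, derives the aws_token.* attributes from the attribute table above, and renders the SPIFFE ID path template. The claim names in SAMPLE_CLAIMS (account_id, principal_tags, and so on) and the fail-closed handling of a configured tag key that the token lacks are assumptions made for this example; JWT signature and expiry verification against the issuer's OIDC discovery document is assumed to have happened before the claims reach attest() and is not shown.

```python
# Added example: claim-level policy evaluation for the aws_token attestor.
# Not Defakto's implementation; claim names and fail-closed tag handling are assumptions.
import re

# Default applied when a policy omits allowedAudiences (per the reference table).
DEFAULT_AUDIENCES = ["urn:defakto:security:server"]

# Policy mirroring the Step 1 YAML, using the two-level template from the attributes section.
POLICY = {
    "name": "aws_policy",
    "pathTemplate": "/aws/{{aws_token.account.id}}/{{aws_token.principal_tags.environment}}",
    "issuerURLs": ["https://a1e777e5-1234-5678-9bf8-cdda2afef4bb.tokens.sts.global.api.aws"],
    "allowedAudiences": ["urn:defakto:security:server"],
    "allowedPrincipalTags": {"environment": ["production"]},
    "allowedRequestTags": {"classification": ["sensitive"]},
}

# Constructed claim set for a verified token. The claim names are assumptions
# for this example; the real token layout is defined by AWS.
SAMPLE_CLAIMS = {
    "iss": "https://a1e777e5-1234-5678-9bf8-cdda2afef4bb.tokens.sts.global.api.aws",
    "aud": "urn:defakto:security:server",
    "account_id": "123456789012",
    "org_id": "o-exampleorg1",
    "source_region": "us-east-1",
    "principal_tags": {"environment": "production", "team": "payments"},
    "request_tags": {"classification": "sensitive"},
}


def claims_to_attributes(claims):
    """Flatten claims into the aws_token.* attributes listed on this page."""
    attrs = {
        "aws_token.account.id": claims.get("account_id"),
        "aws_token.org.id": claims.get("org_id"),
        "aws_token.source_region": claims.get("source_region"),
        "aws_token.identity_store_user_id": claims.get("identity_store_user_id"),
    }
    for key, value in claims.get("principal_tags", {}).items():
        attrs[f"aws_token.principal_tags.{key}"] = value
    for key, value in claims.get("request_tags", {}).items():
        attrs[f"aws_token.request_tags.{key}"] = value
    # Attributes the token does not carry are simply absent.
    return {k: v for k, v in attrs.items() if v is not None}


def _check_tags(allowed, present, section):
    """Each configured tag key must be on the token with an allowed value.
    A missing key fails closed (assumption for this example)."""
    errors = []
    for key, values in allowed.items():
        if key not in present:
            errors.append(f"{section}: required tag {key!r} missing from token")
        elif present[key] not in values:
            errors.append(f"{section}: tag {key!r}={present[key]!r} not in {values}")
    return errors


def check_policy(policy, claims):
    """Apply allowedAudiences / allowedPrincipalTags / allowedRequestTags.
    Returns the list of violations; empty means the claims satisfy the policy."""
    errors = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    allowed = policy.get("allowedAudiences") or DEFAULT_AUDIENCES
    if not any(a in allowed for a in audiences):
        errors.append("aud not in allowedAudiences")
    errors += _check_tags(policy.get("allowedPrincipalTags", {}),
                          claims.get("principal_tags", {}), "principal_tags")
    errors += _check_tags(policy.get("allowedRequestTags", {}),
                          claims.get("request_tags", {}), "request_tags")
    return errors


def select_policy(policies, claims):
    """Pick the first policy whose aws_token attestor lists the token's issuer."""
    for policy in policies:
        if claims.get("iss") in policy["issuerURLs"]:
            return policy
    return None


TEMPLATE_VAR = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def render_spiffe_path(template, attrs):
    """Substitute {{attribute}} placeholders; an attribute the token lacks is an
    error rather than an empty path segment."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"template references attribute {name} not present on token")
        return attrs[name]
    return TEMPLATE_VAR.sub(substitute, template)


def attest(policies, claims):
    """Return (spiffe_path, errors). On failure spiffe_path is None and the first
    error string is the corresponding message from the Common errors table."""
    policy = select_policy(policies, claims)
    if policy is None:
        return None, ["no trust domain policy authorizes the provided attestors"]
    violations = check_policy(policy, claims)
    if violations:
        return None, ["Attestor rejected proof, policy failed"] + violations
    return render_spiffe_path(policy["pathTemplate"], claims_to_attributes(claims)), []


if __name__ == "__main__":
    print(attest([POLICY], SAMPLE_CLAIMS))
    print(attest([POLICY], dict(SAMPLE_CLAIMS, aud="urn:example:other-service")))
```

Running the script prints the rendered path /aws/123456789012/production for the sample claims, and a policy failure for the same token with a foreign audience, which is the behaviour the allowedAudiences row above and the audience bullet under Security Considerations describe. The issuer check is deliberately the policy selection step rather than a constraint inside the policy, matching the two distinct error messages in the Common errors table.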

Step 2 — Verify

Note: Serverless-specific server log messages and metrics are TBD.

Common errors:

| Error | Likely cause |
|---|---|
| no trust domain policy authorizes the provided attestors | The workload's aws_token method doesn't match any policy. Verify that issuerURLs in the trust domain config contains your account's outbound federation URL. |
| Attestor rejected proof, policy failed | Token claims (audience, principal tags, or request tags) don't satisfy the configured allowedAudiences, allowedPrincipalTags, or allowedRequestTags. |
| OutboundWebIdentityFederationDisabledException | AWS Outbound Identity Federation is not enabled in IAM Account settings. |

Security Considerations

  • Each token is short-lived and tied to the agent's IAM role identity. Tokens cannot be replayed beyond their expiry.
  • Use allowedPrincipalTags and allowedRequestTags to enforce that only agents with specific IAM tags can authenticate. This is the primary access control mechanism for this method.
  • The allowedAudiences constraint prevents tokens issued for other services from being used to authenticate to the Trust Domain Server.