Skip to main content
Version: 2024

Token certificates in AWS

Introduction to token certificates in AWS

When Indicium is used as an OpenID server, it must add a signature to the access token to prove that it was created by an authorized Indicium instance. Indicium automatically creates a certificate that is used to sign the access token if OpenID clients are configured in IAM.

By default, Indicium stores this certificate locally, on the web server. In the case of a single Indicium instance (i.e. not load-balanced) this will work fine. However, when there are multiple instances of Indicium, the certificate must be stored elsewhere, since all servers must use the same certificate. If not, the access tokens created by instance A will not be authorized by instance B (or vice versa). Should the certificate be lost or replaced, all access keys will become unusable, but they can be easily requested again by the third party.

This manual describes how to centralize the storage of this certificate in AWS.

Sign certificates on AWS

When using Indicium as an OpenID Server on AWS, Indicium can store the Server certificate in the AWS Secrets Manager.

To give the Elastic BeanStalk EC2 instance access to the Indicium OpenID Server certificate:

  1. In your Elastic Beanstalk EC2 instance, select the Security tab.

  2. Click the Identity and Access Management (IAM) link.

  3. Click Add permissions.

  4. Click Create inline policy.

  5. In the JSON tab, paste the JSON code fragment below.

  6. Click Save to save the new policy. Indicium can now access the AWS Secrets manager.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret"
            ],
            "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-prefix>-*"
        }
    ]
}

In the above JSON code fragment:

  • Replace region with, for example, “eu-west-1”.
  • Replace account-id with your account number.
  • Replace secret-prefix with the prefix you want your OpenID Server certifcate in the Secrets Manager to be named.

For example, if your prefix is “indicium/openid-server-test”, you should give access to “indicium/openid-server-test-*” with the wildcard character.

  1. In the appsettings.json configuration file, add the following code:
  "OpenIDServerSigningSettings": {
    "AwsSecretManager": {
      "SecretName": "indicium/openid-server-test"
    }
  }

Was this page helpful?