Which combination of steps will meet these requirements?
(Choose three.)
Configure AWS IAM Identity Center (AWS Single Sign-On). Configure an IdP. Upload the IdP metadata from the existing IdP.
Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP.
Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role’s trust policy to allow the OIDC IdP to assume the role if the sts.amazon.com:aud context key is appid_from_idp.
Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role’s trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp.
Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.
Configure the web application to use the GetFederationToken API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.
Explanations:
AWS IAM Identity Center (AWS SSO) is not necessary for this use case as it primarily manages user access across multiple AWS accounts and applications. The scenario specifically requires using an existing IdP for OpenID Connect (OIDC) authentication, which can be achieved through IAM roles and OIDC providers directly.
Creating an IAM identity provider (IdP) with the provider URL, audience, and signature from the existing IdP is essential for integrating OIDC with AWS. This allows AWS to recognize the IdP as a valid authentication source, enabling the application to authenticate users through it.
The trust policy for the IAM role must allow the OIDC IdP to assume the role based on the specific audience context key, which is typically auth.company.com:aud. The provided option incorrectly specifies sts.amazon.com:aud, which is not the correct context key for an OIDC trust policy.
The trust policy for the IAM role must allow the OIDC IdP (auth.company.com) to assume the role when the audience context key is set to the application ID from the IdP. This is crucial for the role assumption process and aligns with the OIDC integration.
The web application must use the AssumeRoleWithWebIdentity API operation to retrieve temporary AWS credentials using the OIDC tokens received from the IdP. This is the standard method for applications using OIDC to access AWS resources securely.
The GetFederationToken API operation is used with AWS’s own user credentials and does not apply to OIDC users. For OIDC, the correct method to obtain temporary credentials is through the AssumeRoleWithWebIdentity API, making this option incorrect for the stated requirement.
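The following example, added here and not part of the original question or its explanations, ties the two correct options together in Python: it builds the trust policy described above (federated principal pointing at the OIDC provider, condition keyed on auth.company.com:aud), checks that policy for the two mistakes the explanations call out (a missing audience condition, or a condition keyed on sts.amazon.com:aud instead of the provider), and then exchanges an IdP token for temporary credentials through `assume_role_with_web_identity`, which is boto3's real STS method. The account ID, role name and the stand-in STS client are constructed so the code runs offline; in a real application the stand-in is replaced by `boto3.client("sts")`.

```python
"""Build and review an IAM trust policy for an OIDC identity provider, then
exchange an IdP ID token for temporary credentials with
AssumeRoleWithWebIdentity. The STS client is injected so this runs offline."""
import copy
import json

# Constructed placeholder account id (assumption); provider host and app id are from the question.
ACCOUNT_ID = "123456789012"
PROVIDER_HOST = "auth.company.com"
APP_ID = "appid_from_idp"


def oidc_provider_arn(account_id: str, provider_host: str) -> str:
    """ARN of the IAM OIDC identity provider resource created from the IdP's URL."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"


def build_trust_policy(account_id: str, provider_host: str, app_id: str) -> dict:
    """Trust policy letting tokens issued by the OIDC IdP assume the role, but only
    when the token's audience (aud) claim equals the application's client id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": oidc_provider_arn(account_id, provider_host)},
                "Action": "sts:AssumeRoleWithWebIdentity",
                # The condition key is <provider host>:aud, not sts.amazon.com:aud.
                "Condition": {"StringEquals": {f"{provider_host}:aud": app_id}},
            }
        ],
    }


def trust_policy_problems(policy: dict, provider_host: str) -> list:
    """Return review findings for the policy (empty list when it is sound).
    Flags a missing audience condition and an audience key on the wrong provider."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aud_keys = [k for k in cond if k.endswith(":aud")]
        if not aud_keys:
            problems.append("no audience condition: any client of the IdP could assume the role")
        for key in aud_keys:
            if key != f"{provider_host}:aud":
                problems.append(f"audience key {key!r} does not match provider {provider_host!r}")
    return problems


def credentials_from_web_identity(sts_client, role_arn: str, session_name: str, id_token: str) -> dict:
    """Exchange an OIDC ID token for temporary credentials. `sts_client` is a boto3
    STS client or any stand-in exposing the same method (assumption: injected by caller)."""
    resp = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=id_token,
        DurationSeconds=3600,
    )
    creds = resp["Credentials"]
    # These three values are all the S3 client needs to sign requests.
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


class FakeStsClient:
    """Constructed stand-in for boto3's STS client; returns the real response shape."""

    def assume_role_with_web_identity(self, **kwargs):
        if not kwargs["RoleArn"].startswith("arn:aws:iam::"):
            raise ValueError("RoleArn must be an IAM role ARN")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2030-01-01T00:00:00Z"}}


if __name__ == "__main__":
    good = build_trust_policy(ACCOUNT_ID, PROVIDER_HOST, APP_ID)
    print(json.dumps(good, indent=2))
    print("findings (correct policy):", trust_policy_problems(good, PROVIDER_HOST))
    bad = copy.deepcopy(good)  # the distractor option's condition key
    bad["Statement"][0]["Condition"] = {"StringEquals": {"sts.amazon.com:aud": APP_ID}}
    print("findings (distractor):", trust_policy_problems(bad, PROVIDER_HOST))
    creds = credentials_from_web_identity(FakeStsClient(), f"arn:aws:iam::{ACCOUNT_ID}:role/WebAppS3Role",
                                          "webapp-session", "<id-token-from-idp>")
    print("credential keys:", sorted(creds))
```

`trust_policy_problems` is the check worth keeping around: run it against the trust policy of every role that federates with an OIDC provider, and it reports exactly the two errors the distractor option in the question contains.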