Simplify access to external services using AWS IAM Outbound Identity Federation
AWS News Blog
This article announces AWS IAM Outbound Identity Federation, a new capability enabling secure access to external services using short-lived JWTs instead of long-term credentials.
- Exchange AWS IAM credentials for short-lived JSON Web Tokens (JWTs) to authenticate with external services
- Eliminates security risks associated with storing long-term API keys and passwords
- AWS STS GetWebIdentityToken API generates cryptographically signed JWTs asserting AWS identity
- External services verify token authenticity using AWS's public JWKS endpoint
- Configure IAM permissions with sts:GetWebIdentityToken to enable token generation
- Supports ES384 and RS256 signing algorithms with configurable token lifetime (60 seconds to 1 hour)
- Includes standard OIDC claims plus AWS-specific metadata like account ID and principal tags
- Available at no additional cost in all AWS commercial, GovCloud, and China regions
AWS IAM Outbound Identity Federation simplifies multi-cloud and external service integration by enabling secure, credential-free authentication through short-lived identity tokens.
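As an added example (not code from AWS or the original article), the sketch below shows the external service's side of the flow summarized above: verifying an RS256 signature against a key set, then checking issuer, audience, expiry and the one-hour lifetime ceiling. The issuer, audience, key ID, toy RSA key and the sign_demo helper are constructed for this demo. ES384 is left out, and a production service would fetch keys from the issuer's JWKS endpoint and use a vetted JWT library.

```python
import base64, hashlib, json, time

# Constructed values for illustration only (not AWS's issuer, audience or keys).
ISSUER, AUDIENCE, MAX_LIFETIME = "https://issuer.example", "https://api.example", 3600
P, Q, E = 2**521 - 1, 2**607 - 1, 65537      # toy key built from two Mersenne primes
JWKS = {"demo-key": {"n": P * Q, "e": E}}     # stands in for the fetched JWKS (ints, not base64url)
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo prefix

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message, size):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a modulus of `size` bytes."""
    tail = DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(tail) - 3) + b"\x00" + tail

def sign_demo(claims, alg="RS256", kid="demo-key"):
    """Mint a constructed token with the toy private key (sample input only)."""
    n, d = P * Q, pow(E, -1, (P - 1) * (Q - 1))
    size = (n.bit_length() + 7) // 8
    body = b64e(json.dumps({"alg": alg, "kid": kid}).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(body.encode(), size), "big"), d, n)
    return body + "." + b64e(sig.to_bytes(size, "big"))

def verify(token, now=None):
    """Return the claims when every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        head64, claims64, sig64 = token.split(".")
        header, claims = json.loads(b64d(head64)), json.loads(b64d(claims64))
        sig = int.from_bytes(b64d(sig64), "big")
        iat, exp = float(claims["iat"]), float(claims["exp"])
        alg, key = header.get("alg"), JWKS.get(header.get("kid"))
    except (ValueError, KeyError, TypeError, AttributeError) as err:
        raise ValueError("malformed token") from err
    if alg != "RS256" or key is None:         # pin the algorithm; the header does not get to choose
        raise ValueError("unexpected alg or unknown kid")
    size = (key["n"].bit_length() + 7) // 8
    signed = f"{head64}.{claims64}".encode()
    if sig >= key["n"] or pow(sig, key["e"], key["n"]).to_bytes(size, "big") != emsa(signed, size):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if not iat <= now < exp or exp - iat > MAX_LIFETIME:
        raise ValueError("expired, not yet valid, or lifetime over one hour")
    return claims
```

The signature is checked before any claim is trusted, and the accepted algorithm is fixed by the verifier rather than read from the token.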