Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIdentity STS API

With web identity federation, you don’t need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account.


  • Cyberduck 8.7.0 or later required

  • Mountain Duck 4.15.0 or later required

Connection profiles must include the OAuth Authorization Url, OAuth Token Url, OAuth Redirect Url and Scopes of the OpenID Connect (OIDC) identity provider and the STS Endpoint for the STS API endpoint which defaults to Set the property s3.assumerole.rolearn in the connection profile to the Role ARN configured in AWS. Set it to s3.assumerole.rolearn= for a prompt to enter on login.


  • Register the OAuth Client ID with your identity provider (IdP)

  • Configure the OIDC provider in AWS IAM or compatible implementation like MinIO Security Token Service (STS)

  • Make sure to restrict access by configuring the role and trust policy using rules referencing the claims available in the JWT token from the identity provider that is passed to AssumeRoleWithWebIdentity STS API.


Refer to Sample connection profiles for S3 and OpenID Connect Federation

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
        <key>OAuth Authorization Url</key>
        <key>OAuth Token Url</key>
        <key>OAuth Client ID</key>
        <key>OAuth Client Secret</key>
        <key>OAuth Redirect Url</key>
        <key>OAuth PKCE</key>
        <key>Password Configurable</key>
        <key>Username Configurable</key>
        <key>Token Configurable</key>
        <key>Username Placeholder</key>
        <key>STS Endpoint</key>