Configure an AWS OIDC Identity Provider and IAM Role
- Last Updated: June 30, 2026
To use OIDC with the S3 (AWS) authentication method, perform the following tasks in your AWS console.
Create an OIDC Identity Provider
- Open the AWS IAM console.
- Navigate to Identity Providers and create a new provider.
- Configure the provider as follows:
- Provider Type: OpenID Connect
- Provider URL: Specify the URL of the Automate MFT OIDC server
- US environment: https://oidc.us.mft.progress.com/v1
- EU environment: https://oidc.eu.mft.progress.com/v1
- Audience: sts.amazonaws.com
- Save the identity provider.
Create an IAM role
- Open the AWS IAM console.
- Navigate to Roles and create a new role.
- Grant your new role the required permissions to access the S3 bucket that Automate MFT will use.
- Open the Trust relationships tab and configure the trust policy as follows:
- Trust the identity provider you created earlier.
- Allow the sts:AssumeRoleWithWebIdentity action for tokens issued by the Automate MFT OIDC server.
The following is an example of a trust policy configured to work with Automate MFT:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<your-provider-arn>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<automate-mft-oidc-server-url>:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "<automate-mft-oidc-server-url>:sub": [
            "tenant_id:<automate-mft-tenant-id>:task_id:*:task_name:*:endpoint_id:*:endpoint_name:*:agent_id:*:agent_name:*:agent_pool_id:*:agent_pool_name:*"
          ]
        }
      }
    }
  ]
}

In this example, the following parameters are used:
- <your-provider-arn> – The ARN of the identity provider created in Step 1.
- <automate-mft-oidc-server-url> – The Automate MFT OIDC server URL: https://oidc.us.mft.progress.com/v1 (US environment) or https://oidc.eu.mft.progress.com/v1 (EU environment).
- <automate-mft-tenant-id> – Your Automate MFT tenant ID.
- Save the role.
Security considerations
The trust policy must include a condition that validates the sub claim and verifies that it contains your Automate MFT tenant ID. This ensures that only tokens issued for your Automate MFT tenant can assume the role.
For additional security, you can further restrict access by validating one or more of the following fields:
- task_id – The Automate MFT task ID.
- endpoint_id – The Automate MFT endpoint ID.
- endpoint_name – The Automate MFT endpoint name.
- agent_id – The Automate MFT agent ID.
- agent_name – The Automate MFT agent name.
- agent_pool_id – The Automate MFT agent pool ID.
- agent_pool_name – The Automate MFT agent pool name.
Important: When specifying values for any of these fields in a trust policy condition, URL-encode the values before adding them to the policy. For example, if an endpoint is named my endpoint, specify the value as my%20endpoint in the trust policy.
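The trust policy from the role-creation step and the tenant-ID and URL-encoding rules in this section, as an added Python example that is not Progress documentation or product code: it generates the policy document with the sub-claim pattern, URL-encodes any pinned field values as required above, and checks sample sub claims against the pattern using a simplified, case-sensitive glob as a stand-in for IAM's StringLike matching (IAM itself stays authoritative). The provider ARN, tenant ID and sub-claim values are constructed; the issuer is written without the https:// scheme, following the AWS IAM convention for OIDC condition keys.

```python
"""Build and sanity-check an IAM trust policy for Automate MFT OIDC tokens.

Added example, not Progress documentation or project code. It assumes the
sub-claim layout shown in the example trust policy (tenant_id:...:agent_pool_name:...)
and the rule that values inside the claim are URL-encoded. sub_allowed() is a
simplified stand-in for IAM's StringEquals/StringLike evaluation, not AWS code.
"""
import fnmatch
import json
from urllib.parse import quote

# Key order inside the sub claim, taken from the example trust policy.
SUB_FIELDS = (
    "tenant_id", "task_id", "task_name", "endpoint_id", "endpoint_name",
    "agent_id", "agent_name", "agent_pool_id", "agent_pool_name",
)


def sub_pattern(tenant_id, **restrictions):
    """Return the StringLike pattern for the sub claim.

    tenant_id is always pinned (the minimum the trust policy must check). Any other
    SUB_FIELDS may be pinned via keyword arguments, e.g. endpoint_name="my endpoint";
    every field left unpinned stays a '*' wildcard. Pinned values are URL-encoded with
    no safe characters, so "my endpoint" becomes "my%20endpoint" and a literal ':' or
    '*' inside a name cannot be mistaken for a delimiter or a wildcard.
    """
    if not tenant_id:
        raise ValueError("tenant_id is required; without it any tenant's token could assume the role")
    unknown = set(restrictions) - set(SUB_FIELDS[1:])
    if unknown:
        raise ValueError(f"unknown sub fields: {sorted(unknown)}")
    parts = []
    for field in SUB_FIELDS:
        value = tenant_id if field == "tenant_id" else restrictions.get(field)
        parts.append(f"{field}:{'*' if value is None else quote(value, safe='')}")
    return ":".join(parts)


def trust_policy(provider_arn, issuer, tenant_id, **restrictions):
    """Return the trust policy document as a dict.

    issuer is the OIDC server URL as written in IAM condition keys, i.e. without the
    https:// scheme (e.g. "oidc.us.mft.progress.com/v1"), following the AWS IAM
    convention for OIDC condition keys.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{issuer}:aud": "sts.amazonaws.com"},
                    "StringLike": {f"{issuer}:sub": [sub_pattern(tenant_id, **restrictions)]},
                },
            }
        ],
    }


def sub_allowed(policy, sub, aud="sts.amazonaws.com"):
    """Would a token with these aud/sub claims satisfy the policy's conditions?

    Simplified model of IAM: StringEquals is an exact match and StringLike is a
    case-sensitive glob where '*' matches any run of characters (colons included)
    and '?' matches one character.
    """
    cond = policy["Statement"][0]["Condition"]
    want_aud = next(iter(cond["StringEquals"].values()))
    patterns = next(iter(cond["StringLike"].values()))
    if aud != want_aud:
        return False
    return any(fnmatch.fnmatchcase(sub, pattern) for pattern in patterns)


if __name__ == "__main__":
    # Constructed sample values; not real AWS account, tenant or agent identifiers.
    policy = trust_policy(
        provider_arn="arn:aws:iam::123456789012:oidc-provider/oidc.us.mft.progress.com/v1",
        issuer="oidc.us.mft.progress.com/v1",
        tenant_id="tenant-EXAMPLE",
        endpoint_name="my endpoint",  # pinned, so only this endpoint's tokens qualify
    )
    print(json.dumps(policy, indent=2))

    # A constructed sub claim in the documented shape: URL-encoded values, fixed key order.
    own = ("tenant_id:tenant-EXAMPLE:task_id:t-1:task_name:nightly%20sync:endpoint_id:e-1:"
           "endpoint_name:my%20endpoint:agent_id:a-1:agent_name:agent1:"
           "agent_pool_id:p-1:agent_pool_name:default")
    print(sub_allowed(policy, own))                                                # True
    print(sub_allowed(policy, own.replace("tenant-EXAMPLE", "tenant-OTHER", 1)))  # False
    print(sub_allowed(policy, own.replace("my%20endpoint", "other", 1)))           # False
```

Running the script prints the generated policy and then three verdicts: a token from the pinned tenant and endpoint is accepted, while a token carrying another tenant ID or another endpoint name is rejected. Dropping the endpoint_name argument yields the page's broader tenant-only pattern, which accepts any endpoint within the tenant.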