AWS Role Assumption from a GCP VM

Matt Kornfield
5 min read · May 2, 2024

Now with Terraform!

GCP -> AWS Role assumption

Didn’t AWS write a Blog on This?

Yes, right here. And someone wrote a Medium article on how to do it here, but there are a few things I think are worth calling out and explaining:

  • How JWTs work and are encoded in this context
  • How the trust relationship is created via attributes of the JWT
  • How to create this trust relationship with a Terraform file

How JWTs Work

A JSON Web Token (JWT) is a way to send information so that whoever receives it can verify it, i.e. they can tell if the token has been tampered with.

A JWT has essentially three parts:

  1. A header
  2. A payload
  3. A verification signature (a hash of the other two sections, signed with a private key)

There’s a great interactive playground on jwt.io that you can use to go back and forth between the two formats (the base64url-encoded token and the decoded pieces).
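
The three-part structure described above, as an added example (not code from the original article): it builds a token, decodes the header and payload, and shows that changing a claim invalidates the signature. HS256 with a shared key stands in for the private-key signature (RS256) that Google uses, so the script runs on the Python standard library alone; the key, claim values and helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    # JWT segments are URL-safe base64 with the trailing '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign(header: dict, payload: dict, key: bytes) -> str:
    # Assumption: HS256 (HMAC-SHA256) replaces the issuer's private-key signature.
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def decode(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a signed JWT has exactly three dot-separated segments")
    # Header and payload are only encoded, not encrypted: anyone can read them.
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), b64url_decode(parts[2])

def verify(token: str, key: bytes) -> bool:
    header, _, signature = decode(token)
    if header.get("alg") != "HS256":  # pin the algorithm; never accept what the token asks for
        return False
    signing_input = token.rsplit(".", 1)[0]  # the signature covers "header.payload" exactly as sent
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)

def tamper(token: str, **changes) -> str:
    # Rewrite claims but keep the original signature, as a tampered token would look.
    head, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), **changes}
    return ".".join([head, b64url_encode(json.dumps(claims).encode()), sig])

# Constructed sample claims, shaped like a Google-issued identity token.
KEY = b"constructed-demo-key"
CLAIMS = {"iss": "https://accounts.google.com", "sub": "100000000000000000001",
          "aud": "example-audience", "exp": 1714694400}
TOKEN = sign({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)

if __name__ == "__main__":
    print(TOKEN)
    print(decode(TOKEN)[1])
    print("original verifies:", verify(TOKEN, KEY))
    print("tampered verifies:", verify(tamper(TOKEN, sub="999"), KEY))
```

The tampered token still decodes cleanly, which is why the claims can only be trusted after the signature check passes.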
