Configure OIDC Authentication
OIDC Authentication is currently in Early Access only. At present, we only support OIDC authentication with AWS, and we hope to expand this to other providers in the future. If you'd like to discuss early access or suggest alternate providers, please contact us at [email protected].
If you choose S3 storage with OIDC authentication, there are a few things you’ll need to set up in AWS before configuring your storage in Whereby.
At a high level, this involves:
Creating an S3 bucket to store recordings and transcriptions
Creating an IAM role that Whereby can assume using OIDC
Granting that role permission to access your S3 bucket
You can create an S3 bucket from the Amazon S3 console page. If S3 isn't presented as an option, you can search for it in the services search at the top of the page.

For in-depth instructions about bucket naming conventions and settings, please follow the Amazon support guide "Create your first S3 bucket".
Host: This is also known as your Bucket name. No URL is required; you can simply copy and paste your bucket name from your S3 console.

You’ll need an IAM OpenID Connect provider that matches your OIDC issuer.
Go to IAM.
In the left sidebar, select Identity providers.
Select Add provider (or Create provider).
For Provider type, choose OpenID Connect.
Enter the following details:
Provider URL:
https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_tMvcyDdW4
Audience:
427ijsob8u270j7sbil5rbnjj1

Follow the prompts to create the provider.
For more in-depth information on creating an OIDC identity provider, see this AWS support guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
Next, create an IAM role with a trust policy for your OIDC provider and permissions to your S3 bucket.
In IAM, go to Roles.
Select Create role.
Under Trusted entity type, choose Web identity.

Configure:
Identity provider: select the OIDC provider you created
Audience: select/enter the audience used above
Attach permissions (you can do this either by selecting an existing policy or creating a new one). You'll need the following:
s3:PutObject, s3:GetObject, s3:ListObject
Select Next.
Enter:
Role name: e.g. WherebyS3StorageRole
Select Create role, then copy the Role ARN from the summary page for later.
For more in-depth information on how to create an IAM role for OIDC authentication, see this AWS support guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
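The role's trust policy is what restricts it to tokens from the provider and audience entered above. As an added example (not Whereby's or AWS's own code), this Python script builds such a trust policy and audits one for a missing provider or audience restriction; the function names are hypothetical and the account ID is a placeholder.

```python
import json

# Provider URL and audience are the values given on this page.
ISSUER_URL = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_tMvcyDdW4"
AUDIENCE = "427ijsob8u270j7sbil5rbnjj1"
ACCOUNT_ID = "123456789012"  # placeholder: use your own AWS account ID

def provider_path(issuer_url):
    """IAM names the provider ARN and its condition keys by the URL minus the scheme."""
    return issuer_url.split("://", 1)[-1].rstrip("/")

def build_trust_policy(account_id, issuer_url, audience):
    """Trust policy that only accepts tokens from this issuer for this audience."""
    path = provider_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{path}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{path}:aud": audience}},
        }],
    }

def audit_trust_policy(policy, issuer_url, audience):
    """Return findings for web-identity Allow statements that are not pinned (strict check)."""
    path, findings = provider_path(issuer_url), []
    for n, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        fed = principal.get("Federated", []) if isinstance(principal, dict) else []
        fed = [fed] if isinstance(fed, str) else fed
        if not fed or not all(p.endswith(f":oidc-provider/{path}") for p in fed):
            findings.append(f"statement {n}: principal is not limited to the expected OIDC provider")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        aud = next((v for k, v in equals.items() if k.lower() == f"{path}:aud".lower()), None)
        aud = [aud] if isinstance(aud, str) else (aud or [])
        if not aud:
            findings.append(f"statement {n}: no StringEquals condition on {path}:aud")
        elif set(aud) != {audience}:
            findings.append(f"statement {n}: audience condition allows unexpected values")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_ID, ISSUER_URL, AUDIENCE), indent=2))
```

After creating the role, the same audit can be run over the JSON shown on the role's Trust relationships tab.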
The final step is to input these values into your Whereby dashboard:
Visit your organization dashboard
Navigate to the Configure section for either Recordings or Transcriptions
Select "Self-hosted cloud recording", and change "Connection Method" to role-based.

Enter your bucket name (from step 1) and your Role ARN (from step 3).
From here, you can test your connection and then save these credentials to be used during your next Whereby meeting!

