meshStack's AWS integration for IAM Identity Center currently requires a SCIM access token to manage groups and group memberships. This approach has two significant security drawbacks:
  • Violation of least privilege: the SCIM token is overly permissive. SCIM provisioning covers user onboarding and modification as well as group management, so the token grants meshStack permissions well beyond its actual needs (e.g., creating or modifying users), when it only needs to create groups and manage their memberships.
  • Secret rotation burden: the SCIM token is a long-lived, static bearer secret that must be stored securely and rotated manually or with custom semi-automated tooling.
The AWS SCIM API only supports bearer tokens, so the integration cannot simply switch to a stronger authentication scheme on the SCIM side. This is a documented AWS limitation:
> IAM Identity Center SCIM implementation supports the bearer HTTP authentication scheme [...] Other authentication schemes described in the SCIM specifications are not supported at this time.
If meshStack used the AWS Identity Store APIs (e.g., identitystore:CreateGroup, identitystore:CreateGroupMembership, etc.) instead of SCIM for its integration with AWS, this would enable:
  • Enhanced security (least privilege): customers could attach a granular IAM policy to the role that meshStack assumes, limiting it to the specific Identity Store actions it requires and, via the resource ARN, to a single identity store.
  • Simplified operations: this would eliminate the need to securely store, manage, and rotate a long-lived SCIM token for the meshStack integration.
  • Future-proof (secret-less): by moving fully to the AWS SDK (for both Identity Store and SSO Admin), we can enable authentication via Workload Identity Federation (WIF), i.e., an OIDC token exchanged for temporary credentials with sts:AssumeRoleWithWebIdentity, allowing for a completely secret-less integration.
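The following is an added illustration of what the Identity Store based approach looks like in practice; it is example code written for this page, not meshStack's or AWS's code. It builds the least-privilege permission policy and the OIDC trust policy for the role meshStack would assume, includes a small linter that flags any action outside the required set (wildcards, user-lifecycle actions), and runs an idempotent "ensure user is in group" flow. The account ID, identity store ID, OIDC issuer host, and group/user names are placeholders, and `FakeIdentityStore` is an in-memory stand-in for `boto3.client("identitystore")` so the example runs offline; the method names and request/response shapes follow the real client.

```python
"""Least-privilege Identity Store integration (added example, not project code)."""
import json

ACCOUNT_ID = "123456789012"             # placeholder (assumption)
IDENTITY_STORE_ID = "d-1234567890"      # placeholder (assumption)
OIDC_ISSUER = "oidc.meshstack.example"  # placeholder OIDC issuer host (assumption)

# Only the actions a group-sync needs. Deliberately no CreateUser/UpdateUser/
# DeleteUser: that is the scope a SCIM token carries but the sync never uses.
REQUIRED_ACTIONS = (
    "identitystore:GetGroupId", "identitystore:DescribeGroup", "identitystore:CreateGroup",
    "identitystore:GetUserId", "identitystore:ListGroupMemberships",
    "identitystore:CreateGroupMembership", "identitystore:DeleteGroupMembership",
)


def permission_policy():
    """Identity-based policy for the role; the identitystore ARN pins it to one store."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "MeshStackGroupSync", "Effect": "Allow", "Action": list(REQUIRED_ACTIONS),
        "Resource": [
            f"arn:aws:identitystore::{ACCOUNT_ID}:identitystore/{IDENTITY_STORE_ID}",
            "arn:aws:identitystore:::group/*", "arn:aws:identitystore:::user/*",
            "arn:aws:identitystore:::membership/*",
        ]}]}


def trust_policy(audience, subject):
    """Trust policy: an OIDC-federated workload assumes the role, no static secret."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC_ISSUER}:aud": audience,
                                       f"{OIDC_ISSUER}:sub": subject}}}]}


def policy_violations(policy):
    """Return Allow actions in `policy` that are outside REQUIRED_ACTIONS."""
    bad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        bad.extend(a for a in actions if a not in REQUIRED_ACTIONS)
    return bad


class ResourceNotFoundException(Exception):
    """Mirrors client.exceptions.ResourceNotFoundException of the real client."""


class FakeIdentityStore:
    """Constructed in-memory stand-in for boto3.client("identitystore")."""
    class exceptions:
        ResourceNotFoundException = ResourceNotFoundException

    def __init__(self, users):
        self._users = dict(users)  # userName -> UserId (pre-existing users only)
        self._groups, self._memberships, self.calls = {}, {}, []

    def get_user_id(self, IdentityStoreId, AlternateIdentifier):
        name = AlternateIdentifier["UniqueAttribute"]["AttributeValue"]
        if name not in self._users:
            raise ResourceNotFoundException(name)
        return {"UserId": self._users[name], "IdentityStoreId": IdentityStoreId}

    def get_group_id(self, IdentityStoreId, AlternateIdentifier):
        name = AlternateIdentifier["UniqueAttribute"]["AttributeValue"]
        if name not in self._groups:
            raise ResourceNotFoundException(name)
        return {"GroupId": self._groups[name], "IdentityStoreId": IdentityStoreId}

    def create_group(self, IdentityStoreId, DisplayName, Description=""):
        gid = self._groups[DisplayName] = f"g-{len(self._groups) + 1:04d}"
        self.calls.append("CreateGroup")
        return {"GroupId": gid, "IdentityStoreId": IdentityStoreId}

    def list_group_memberships(self, IdentityStoreId, GroupId):  # real client paginates
        return {"GroupMemberships": [{"MembershipId": m, "GroupId": g, "MemberId": {"UserId": u}}
                                     for (g, u), m in self._memberships.items() if g == GroupId]}

    def create_group_membership(self, IdentityStoreId, GroupId, MemberId):
        mid = f"m-{len(self._memberships) + 1:04d}"
        self._memberships[(GroupId, MemberId["UserId"])] = mid
        self.calls.append("CreateGroupMembership")
        return {"MembershipId": mid, "IdentityStoreId": IdentityStoreId}


def ensure_group_membership(client, store_id, group_name, user_name):
    """Idempotently put `user_name` in `group_name`; never creates users.
    Returns (group_id, membership_id, created_group, created_membership)."""
    def by(attr, value):
        return {"UniqueAttribute": {"AttributePath": attr, "AttributeValue": value}}
    try:
        group_id = client.get_group_id(IdentityStoreId=store_id,
                                       AlternateIdentifier=by("displayName", group_name))["GroupId"]
        created_group = False
    except client.exceptions.ResourceNotFoundException:
        group_id = client.create_group(IdentityStoreId=store_id, DisplayName=group_name)["GroupId"]
        created_group = True
    user_id = client.get_user_id(IdentityStoreId=store_id,
                                 AlternateIdentifier=by("userName", user_name))["UserId"]
    for m in client.list_group_memberships(IdentityStoreId=store_id, GroupId=group_id)["GroupMemberships"]:
        if m["MemberId"].get("UserId") == user_id:
            return group_id, m["MembershipId"], created_group, False
    mid = client.create_group_membership(IdentityStoreId=store_id, GroupId=group_id,
                                         MemberId={"UserId": user_id})["MembershipId"]
    return group_id, mid, created_group, True


if __name__ == "__main__":
    print(json.dumps(permission_policy(), indent=2))
    store = FakeIdentityStore({"alice": "u-0001"})
    print(ensure_group_membership(store, IDENTITY_STORE_ID, "mesh-project-admins", "alice"))
```

In production the `client` argument is `boto3.client("identitystore")` created from credentials obtained through the role's OIDC trust relationship, and `list_group_memberships` should go through `get_paginator`. Because the role holds no `identitystore:CreateUser`, a missing user surfaces as `ResourceNotFoundException` rather than being silently provisioned, which is exactly the scope reduction the SCIM token cannot express.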