Implement OIDC Support for AWS Route53

[JohnLBevan]

Is your feature request related to a problem? Please describe.
AcmeBot runs in Azure but needs to access resources in AWS to manage DNS there.
Today that's done via an IAM user's credentials; however many organisations are dropping IAM users in favour of OIDC (Open ID Connect) with IAM roles. That means that instead of managing secrets, managed identities / the identity of the resource requiring access is allowed to assume a role that says what permissions it should have, and that resource proves itself by using its own provider which is trusted by the remote party, instead of requiring credentials/secrets as proof.

Describe the solution you'd like
Implement the option to authenticate to AWS using the function app's managed identity when using the AWS Provider.

Describe alternatives you've considered
n/a

Additional context
Currently this is just a nice to have for me; but I suspect there will come a time when many orgs have policies which make OIDC mandatory for these scenarios as they do away with IAM users.

[shibayan]

I believe we could handle this if we had verification code that operates AWS resources via OIDC from Managed Identity.

To my knowledge, Managed Identity does not issue id_tokens, so I don't think this can be achieved.

[JohnLBevan]

This isn't an area I've had much experience in yet, so I can't say much. The below posts outline how an MI could be granted access to manage AWS resources via an Entra app, with AWS configured to trust Entra as an OIDC IdP; but likely there's subtleties I've missed.

• https://aws.amazon.com/blogs/security/how-to-access-aws-resources-from-microsoft-entra-id-tenants-using-aws-security-token-service/
• https://medium.com/data-science/how-to-connect-azure-ad-managed-identities-to-aws-resources-9353f3309efb

I have quite a backlog atm, but if I get some time in the next few months I can try to create a POC for this / potentially may have capacity next year to submit a PR if I can get something working.
Happy for this issue to be closed if you don't think it's possible and don't think you'll have time to investigate further; if I'm able to do something I can update this issue if it's still open, or can submit a new one with the PR if I manage to implement something.