Amazon Kendra will no longer be open to new customers starting on July 30, 2026. If you would like to use the service, please sign up prior to July 30. For capabilities similar to Amazon Kendra, explore Amazon Bedrock Knowledge Bases.
Using OpenID
To configure an Amazon Kendra index to use an OpenID token for access control, you need
the JWKS (JSON Web Key Set) URL from the OpenID provider. If the provider follows OpenID
Connect Discovery, the JWKS URL usually has the form
https://domain-name/.well-known/jwks.json.
The following examples show how to use an OpenID token for user access control when you
create an index.
- Console
  - Choose Create index to start creating a new index.
  - On the Specify index details page, give your index a name and a description.
  - For IAM role, select an existing role, or select Create a new role and specify a role name to create a new one. The IAM role will have the prefix "AmazonKendra-".
  - Leave all of the other fields at their defaults. Choose Next.
  - On the Configure user access control page, under Access control settings, choose Yes to use tokens for access control.
  - Under Token configuration, select OpenID as the Token type.
  - Specify a Signing key URL. The URL should point to a set of JSON web keys (the JWKS).
  - (Optional) Under Advanced configuration:
    - Specify a Username to use in the ACL check.
    - Specify one or more Groups to use in the ACL check.
    - Specify the Issuer that the token's issuer claim must match.
    - Specify the Client Id(s). You must specify a regular expression that matches the audience claim in the JWT.
  - On the Provisioning details page, choose Developer edition.
  - Choose Create to create your index.
  - Wait for your index to be created. Amazon Kendra provisions the hardware for your index. This operation can take some time.
- CLI
  - To create an index with the AWS CLI using a JSON input file, first create a
    JSON file with your desired parameters:

        {
          "Name": "user-context",
          "Edition": "ENTERPRISE_EDITION",
          "RoleArn": "arn:aws:iam::account-id:role/my-role",
          "UserTokenConfigurations": [
            {
              "JwtTokenTypeConfiguration": {
                "KeyLocation": "URL",
                "Issuer": "optional: specify the issuer url",
                "ClaimRegex": "optional: regex to validate claims in the token",
                "UserNameAttributeField": "optional: user",
                "GroupAttributeField": "optional: group",
                "URL": "https://example.com/.well-known/jwks.json"
              }
            }
          ],
          "UserContextPolicy": "USER_TOKEN"
        }

    You can override the default user and group field names. The default value for
    UserNameAttributeField is "user". The default value for
    GroupAttributeField is "groups".
    Next, call create-index using the input file. For example, if the name of
    your JSON file is create-index-openid.json, you can use the following:

        aws kendra create-index --cli-input-json file://create-index-openid.json
- Python
  - The same request with the AWS SDK for Python (boto3). The placeholder strings
    marked "optional" must be replaced with real values or the keys removed before
    the call is made:

        import boto3

        # Kendra client; region and credentials come from the standard AWS
        # configuration chain (environment, profile, or instance role).
        kendra = boto3.client('kendra')

        response = kendra.create_index(
            Name='user-context',
            Edition='ENTERPRISE_EDITION',
            # IAM role ARNs use "role/<name>", not "role:/<name>"
            RoleArn='arn:aws:iam::account-id:role/my-role',
            UserTokenConfigurations=[
                {
                    "JwtTokenTypeConfiguration": {
                        # Keys are fetched from the JWKS URL rather than stored in a secret
                        "KeyLocation": "URL",
                        "Issuer": "optional: specify the issuer url",
                        # Regex the token's audience claim must match
                        "ClaimRegex": "optional: regex to validate claims in the token",
                        # Claim names used for the ACL check (defaults: "user" / "groups")
                        "UserNameAttributeField": "optional: user",
                        "GroupAttributeField": "optional: group",
                        "URL": "https://example.com/.well-known/jwks.json"
                    }
                }
            ],
            UserContextPolicy='USER_TOKEN'
        )
        print(response['Id'])
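The fields in JwtTokenTypeConfiguration describe checks that a token must pass before its user and group claims are trusted for the ACL: the signing key is looked up in the JWKS at URL, the signature is verified, the iss claim must equal Issuer, the aud claim must match ClaimRegex, and the claims named by UserNameAttributeField and GroupAttributeField supply the identity. The following script is an added illustration of those checks and is not Amazon Kendra's own code. It uses a constructed JWKS with a symmetric ("oct") HS256 key so that it runs with only the Python standard library; a real provider publishes RSA or EC public keys at its .well-known/jwks.json endpoint. The config dictionary, helper names and sample claims are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed sample key material. A real JWKS holds asymmetric public keys;
# HS256 is used here only to keep the example dependency-free.
SECRET = b"constructed-demo-secret-do-not-reuse"
SAMPLE_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
         "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}
    ]
}

# Hypothetical values for the JwtTokenTypeConfiguration fields shown on the page.
KENDRA_CONFIG = {
    "Issuer": "https://login.example.com/",
    "ClaimRegex": r"^kendra-app-.*$",       # the aud claim must match this
    "UserNameAttributeField": "user",       # Kendra default is "user"
    "GroupAttributeField": "groups",        # Kendra default is "groups"
}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def demo_claims(aud="kendra-app-prod", user="alice", groups=("finance",),
                iss="https://login.example.com/", ttl=300) -> dict:
    """Constructed claim set for a token that expires ttl seconds from now."""
    return {"iss": iss, "aud": aud, "user": user, "groups": list(groups),
            "exp": int(time.time()) + ttl}


def mint_demo_token(claims: dict, kid: str = "demo-key-1") -> str:
    """Sign a constructed HS256 token so the checks below have input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def resolve_user_context(token: str, jwks: dict, config: dict) -> dict:
    """Apply the checks the configuration fields express and return the
    user/groups used for the ACL. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never trust the token's alg blindly
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("no matching key in JWKS")
    expected = hmac.new(_b64url_decode(key["k"]),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    # Issuer: exact match against the configured issuer
    if config.get("Issuer") and claims.get("iss") != config["Issuer"]:
        raise ValueError("issuer mismatch")
    # ClaimRegex: the audience (string or list) must match the regex
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if config.get("ClaimRegex") and not any(
            re.fullmatch(config["ClaimRegex"], str(a)) for a in auds):
        raise ValueError("audience does not match ClaimRegex")
    # UserNameAttributeField / GroupAttributeField: pick the ACL identity
    user = claims.get(config.get("UserNameAttributeField", "user"))
    groups = claims.get(config.get("GroupAttributeField", "groups"), [])
    if not user:
        raise ValueError("username claim missing")
    return {"user": user, "groups": list(groups)}


if __name__ == "__main__":
    token = mint_demo_token(demo_claims())
    print(resolve_user_context(token, SAMPLE_JWKS, KENDRA_CONFIG))
```

A token whose aud is "other-app" is rejected by the ClaimRegex check even though its signature is valid, which is why the Client Id regex in the console and ClaimRegex in the API matter: without them any token the provider issues for any application would satisfy the ACL.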