Hello,

IAM is able to delegate authentication to an external identity provider through OIDC (Creating OpenID Connect (OIDC) identity providers - AWS Identity and Access Management).

I tried to define GitLab as an external identity provider in order to be able to authenticate to IAM using `CI_JOB_TOKEN`.

I created an IAM role with OIDC, then set `AWS_ROLE_ARN`, dumped `CI_JOB_TOKEN` to a file and pointed `AWS_WEB_IDENTITY_TOKEN_FILE` to it.

When I run `aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name test --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE --duration-seconds 1000`, I get this error: `An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Missing a required claim: aud`.

Indeed, `CI_JOB_TOKEN` does not contain any `aud` claim.

My goal is to achieve this: Authenticating and reading secrets with HashiCorp Vault | GitLab, but without having to deploy HashiCorp Vault.

Is there something I misunderstand in OIDC (which is totally possible) and what I'm trying to do is completely dumb?

It would be nice to be able to authenticate GitLab CI jobs towards IAM without having to deploy HashiCorp Vault.
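A pre-flight check for the failure described above, added here as an example and not part of the original post: it decodes the token that `AWS_WEB_IDENTITY_TOKEN_FILE` would point at and reports which claims STS would reject it for, before any `assume-role-with-web-identity` call is made. The `aud` requirement comes from the error in the post; `iss`, `sub` and `exp` are the standard OIDC ID-token claims and are an assumption of this check, as are the constructed sample tokens (the issuer URL and the `sts.amazonaws.com` audience are placeholders, not values from the post).

```python
import base64
import json
import time
from typing import List, Optional

# "aud" is the claim STS rejected in the post above; iss/sub/exp are the
# standard OIDC ID-token claims and are listed here as an assumption.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Return the payload of a compact JWT, or None if the token is opaque."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def missing_claims(token: str, now: Optional[float] = None) -> List[str]:
    """List the reasons STS would refuse this token as a web identity token."""
    claims = decode_jwt_claims(token)
    if claims is None:
        return ["token is not a JWT (opaque job token?)"]
    problems = [c for c in REQUIRED_CLAIMS if c not in claims]
    if "exp" in claims and claims["exp"] < (now if now is not None else time.time()):
        problems.append("expired")
    return problems


def _make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample: header + payload with an empty signature, offline use only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens: one shaped like the job token in the post (no aud),
# one carrying the audience the IAM identity provider is configured with.
NO_AUD_TOKEN = _make_unsigned_jwt({"iss": "https://gitlab.example.com", "sub": "job_1", "exp": 4102444800})
WITH_AUD_TOKEN = _make_unsigned_jwt({"iss": "https://gitlab.example.com", "sub": "job_1", "aud": "sts.amazonaws.com", "exp": 4102444800})

if __name__ == "__main__":
    for name, tok in (("no aud", NO_AUD_TOKEN), ("with aud", WITH_AUD_TOKEN), ("opaque", "opaque-job-token-value")):
        print(name, "->", missing_claims(tok) or "ok, safe to pass to assume-role-with-web-identity")
```

In a job, feed `missing_claims()` the contents of the file `AWS_WEB_IDENTITY_TOKEN_FILE` points at and fail the step if the list is non-empty; the check only inspects claims and does not verify the signature, which STS does against the provider's keys.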