Hi guys,
I followed this document to configure OIDC in AWS to retrieve temporary credentials, but somehow it didn’t work.
Here is the error message:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience
This is my role trust relationships config:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxx:oidc-provider/git.abc.cloud"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "git.abc.cloud:sub": "project_path:mygroup/myproject:ref_type:branch:ref:*"
        }
      }
    }
  ]
}
Does anyone know what I should correct or check here?
Thanks,
effelow
#2
Getting the same error here trying to set up a deployment to AWS from a project on https.gitlab.com via OIDC.
susumuf
#3
I’m not sure whether this is helpful or not…
In the case of SaaS (gitlab.com), this role worked as well. Yep, it requires an identity provider (OpenID).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxx:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:aud": "https://gitlab.com"
        }
      }
    }
  ]
}
and the .gitlab-ci.yml:
script:
  # Exchange the job's ID token for temporary STS credentials; the trailing
  # backslashes keep the multi-line command as one shell line.
  - STS=$(aws sts assume-role-with-web-identity \
      --role-arn "${ROLE_ARN}" \
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
      --web-identity-token "${CI_JOB_JWT_V2}" \
      --duration-seconds 3600)
  # Export the returned credentials so later aws calls pick them up.
  - export AWS_ACCESS_KEY_ID=$(echo "${STS}" | jq -r .Credentials.AccessKeyId)
  - export AWS_SECRET_ACCESS_KEY=$(echo "${STS}" | jq -r .Credentials.SecretAccessKey)
  - export AWS_SESSION_TOKEN=$(echo "${STS}" | jq -r .Credentials.SessionToken)
  - aws s3 ls
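As an added example that is not part of this thread or of either poster's configuration: a small Python claim inspector that decodes a GitLab CI ID token and applies the two checks behind AssumeRoleWithWebIdentity, the aud claim against the client IDs registered on the IAM OIDC provider and the trust policy's StringEquals/StringLike conditions against the token's claims, which is how to narrow down an "Incorrect token audience" error before touching the pipeline. The token, its claims and the policies in the test are constructed samples, and no signature verification is done.

```python
import base64
import fnmatch
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample GitLab CI ID-token claims; the signature part is a dummy
# string because this script only inspects claims, it never verifies the token.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "aud": "https://gitlab.com",
    "sub": "project_path:mygroup/myproject:ref_type:branch:ref:main",
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "dummy-signature",
])

def decode_claims(token: str) -> dict:
    """Return the JWT payload; no signature verification (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_assume_role(token: str, registered_audiences: list, trust_policy: dict) -> list:
    """Mimic the two checks behind AssumeRoleWithWebIdentity: the aud claim must
    be a client ID registered on the IAM OIDC provider, and every Condition in
    the role trust policy must match the claims. Returns failure messages."""
    claims = decode_claims(token)
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]
    failures = []
    if not any(a in registered_audiences for a in auds):
        failures.append(f"Incorrect token audience: {auds} not in {registered_audiences}")
    for stmt in trust_policy["Statement"]:
        for op, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                actual = str(claims.get(key.split(":", 1)[1], ""))  # "gitlab.com:aud" -> "aud"
                patterns = expected if isinstance(expected, list) else [expected]
                if op == "StringEquals" and actual not in patterns:
                    failures.append(f"{op} {key}: {actual!r} is not in {patterns}")
                elif op == "StringLike" and not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    failures.append(f"{op} {key}: {actual!r} matches none of {patterns}")
    return failures
```

Paste a real job token in place of SAMPLE_TOKEN and the provider's registered audiences in place of the list to see which of the two checks is rejecting it.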