Configure OpenID Connect in AWS to retrieve temporary credentials not working

Hi guys,

I followed this document to configure OIDC in AWS to retrieve temporary credentials, but somehow it didn't work.
Here is the error message:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience

This is my role trust relationships config:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxxxx:oidc-provider/git.abc.cloud"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "git.abc.cloud:sub": "project_path:mygroup/myproject:ref_type:branch:ref:*"
                }
            }
        }
    ]
}

Does anyone know what I should correct or check here?

Thanks,


Getting the same error here trying to set up a deployment to AWS from a project on https.gitlab.com via OIDC.

I'm not sure if this is helpful or not…
In the case of SaaS (gitlab.com), this role worked as well. Yep, it requires an identity provider (OpenID).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::xxxxxx:oidc-provider/gitlab.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "gitlab.com:aud": "https://gitlab.com"
                }
            }
        }
    ]
}

and .gitlab-ci.yml

  script:
    - STS=$(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token "${CI_JOB_JWT_V2}"
      --duration-seconds 3600 )
    - export AWS_ACCESS_KEY_ID=$(echo ${STS} | jq -r .Credentials.AccessKeyId)
    - export AWS_SECRET_ACCESS_KEY=$(echo ${STS} | jq -r .Credentials.SecretAccessKey)
    - export AWS_SESSION_TOKEN=$(echo ${STS} | jq -r .Credentials.SessionToken)
    - aws s3 ls
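As an added example (not from the thread, GitLab or AWS), here is a small Python checker that decodes the job JWT's claims and compares iss, aud and sub against both the role's trust policy and the audience (client ID) list registered on the IAM OIDC provider; the "Incorrect token audience" error in the question is STS reporting that the token's aud matches no client ID registered on that provider. The trust policy, audience list and token below are constructed samples modelled on the thread, and the alg=none token exists only so the script runs offline.

```python
import base64
import fnmatch
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it (local inspection only; STS does the real check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def _values(v):  # claims such as aud may be a string or a list
    return [] if v is None else (v if isinstance(v, list) else [v])

def check_web_identity(policy: dict, provider_audiences: list, claims: dict) -> list:
    """Return the reasons STS would reject the token; an empty list means everything lines up."""
    problems = []
    issuer = claims.get("iss", "").removeprefix("https://").rstrip("/")
    # 'Incorrect token audience': aud must equal a client ID registered on the IAM OIDC provider
    if not any(a in provider_audiences for a in _values(claims.get("aud"))):
        problems.append(f"aud {claims.get('aud')!r} not among provider client IDs {provider_audiences}")
    for st in policy.get("Statement", []):
        if st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = st["Principal"]["Federated"].split("oidc-provider/", 1)[1]
        if provider != issuer:
            problems.append(f"Federated provider {provider!r} != token iss {issuer!r}")
        for op, conds in st.get("Condition", {}).items():
            for key, expected in conds.items():
                actual = _values(claims.get(key.split(":", 1)[1]))  # "git.abc.cloud:sub" -> claim "sub"
                same = fnmatch.fnmatchcase if op == "StringLike" else (lambda a, e: a == e)  # * ? wildcards
                if not any(same(a, e) for a in actual for e in _values(expected)):
                    problems.append(f"{op} {key}: token has {actual}, policy wants {expected!r}")
    return problems

def unsigned_token(claims: dict) -> str:
    """alg=none token for local tests only (constructed sample; STS would never accept it)."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."

# Constructed inputs modelled on the thread: the original trust policy (StringLike on sub) and a provider whose client ID is the GitLab host URL.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::xxxxxx:oidc-provider/git.abc.cloud"},
    "Condition": {"StringLike": {"git.abc.cloud:sub": "project_path:mygroup/myproject:ref_type:branch:ref:*"}}}]}
PROVIDER_AUDIENCES = ["https://git.abc.cloud"]
SAMPLE_TOKEN = unsigned_token({"iss": "https://git.abc.cloud", "aud": "https://git.abc.cloud",
                               "sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"})
print(check_web_identity(TRUST_POLICY, PROVIDER_AUDIENCES, jwt_claims(SAMPLE_TOKEN)) or "token matches")
```

In a real pipeline, feed the script the value of `$CI_JOB_JWT_V2` and the client ID list from the IAM identity provider; any non-empty result names the claim or condition that STS will reject.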