We have a pipeline that runs against AWS. It runs terraform, but that's not really relevant, except for the fact that we want to review the plans.
default:
  before_script:
    # override.tf is regenerated at the start of every job; HCL string
    # values must be quoted, so the expanded variables are wrapped in "".
    - |
      cat <<EOF > $TF_ROOT/override.tf
      provider "aws" {
        region = "$AWS_REGION"
        assume_role_with_web_identity {
          role_arn           = "$AWS_ROLE_ARN"
          session_name       = "gitlab-pipeline"
          web_identity_token = "$GITLAB_OIDC_TOKEN"
        }
      }
      EOF
plan:
  stage: build
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: $CI_SERVER_HOST
  script:
    - terraform plan
apply:
  stage: deploy
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: $CI_SERVER_HOST
  script:
    - terraform apply
  rules:
    - when: manual
There is not much to this pipeline and no user control over when things are re-run. It looks, on the surface, like each job is getting its own token.
However, if more than an hour passes between the plan and the apply, the apply fails with an auth error.
I really would have expected each job to get a fresh JWT, especially as jobs can be retried days later.
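A quick way to find out whether the apply job is really getting a fresh token is to decode the ID token in each job and compare the `iat`, `exp` and `jti` claims. The script below is an added diagnostic example, not code from the original post or from GitLab; it base64url-decodes the JWT payload without verifying the signature (that is fine for inspecting claims locally, and STS does its own verification when the role is assumed). The issuer host, subject and job id in the constructed sample token are assumptions, not values from the pipeline above.

```python
"""
Decode a GitLab CI ID token (a JWT) and report when it was issued and when
it expires, so the plan and apply jobs can be compared.

Added diagnostic example, not code from the original post. The payload is
base64url-decoded WITHOUT verifying the signature: this is for inspecting
claims locally, not for trusting them.
"""
import base64
import json
import sys
import time
from typing import Optional


def decode_jwt_claims(token: str) -> dict:
    """Return the claims (second segment) of a compact JWT as a dict.

    No signature check is performed; the result is only as trustworthy as
    the source of the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    # base64url omits padding; restore it before decoding
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_status(claims: dict, now: Optional[int] = None) -> dict:
    """Summarise the time-related claims relative to `now` (epoch seconds)."""
    now = int(time.time()) if now is None else now
    iat = claims.get("iat")
    exp = claims.get("exp")
    return {
        "issued_at": iat,
        "expires_at": exp,
        "age_seconds": None if iat is None else now - iat,
        "seconds_left": None if exp is None else exp - now,
        "expired": exp is not None and now >= exp,
        "aud": claims.get("aud"),
        "sub": claims.get("sub"),
        "jti": claims.get("jti"),
    }


def make_unsigned_test_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature. Constructed test data only."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "test"}
    return f"{b64(header)}.{b64(claims)}.c2lnbmF0dXJl"


# Constructed sample: a token minted at T0 with a one-hour lifetime.
# Issuer, subject and jti are assumed placeholders, not real values.
T0 = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.example.com",
    "aud": "gitlab.example.com",
    "sub": "project_path:group/project:ref_type:branch:ref:main",
    "jti": "job-1",
    "iat": T0,
    "nbf": T0 - 5,
    "exp": T0 + 3600,
}
SAMPLE_TOKEN = make_unsigned_test_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    # usage: python3 check_token.py "$GITLAB_OIDC_TOKEN"  (falls back to the sample)
    tok = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TOKEN
    print(json.dumps(token_status(decode_jwt_claims(tok)), indent=2))
```

Run it in both the plan and apply job scripts (the file name `check_token.py` is an assumption) and compare the logged `jti` and `issued_at` values: if the apply job prints the same `jti` as the plan job, the token is being reused rather than re-issued, and if `expired` is true that is what STS is rejecting. The script prints only claims, never the token itself. Also note that the heredoc writes the token to disk in `$TF_ROOT/override.tf`, so that directory should not be carried between jobs as an artifact or cache.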