The latest articles on DEV Community by Vijay Mourya (@vjmourya). https://dev.to/vjmourya https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1066915%2F8968dfb2-50f7-4e3f-932d-00f1fcb99bc3.JPG https://dev.to/vjmourya en Vijay Mourya Mon, 01 Sep 2025 16:52:56 +0000 https://dev.to/vjmourya/authenticate-gitlab-pipelines-to-aws-with-oidc-no-static-keys--4apd https://dev.to/vjmourya/authenticate-gitlab-pipelines-to-aws-with-oidc-no-static-keys--4apd <h2> 🚀 Goodbye Static AWS Keys, Hello GitLab OIDC </h2> <p>Be honest — have you ever stored <strong>AWS keys in GitLab CI/CD variables</strong> and then thought:</p> <ul> <li>"What if someone leaks these keys?" </li> <li>"How do I rotate them across projects?" </li> </ul> <p>Yeah… we’ve all been there. </p> <p>Luckily, AWS + GitLab have a much better way: <strong>OIDC authentication</strong>. </p> <p>With OIDC, your GitLab jobs can request <strong>short-lived AWS credentials on the fly</strong>. No static keys. No rotation pain. More security. 🎉 </p> <h2> 🗺 The Big Picture </h2> <p>Here’s the 30-second flow of what happens when a GitLab pipeline hits AWS using OIDC:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flpsllulttebc5k0p2zzp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flpsllulttebc5k0p2zzp.png" alt="OIDC auth flow" width="800" height="533"></a></p> <h2> 🔑 Why OIDC Rocks </h2> <ul> <li> <strong>Short-lived creds</strong> (expire ~1h, customizable TTL).</li> <li> <strong>Scoped</strong> (repo + branch conditions).</li> <li> <strong>No stored secrets</strong>.</li> <li> <strong>Works with <em>any</em> GitLab repo</strong>.</li> </ul> <h2> ✅ Step 0 — Prerequisites </h2> <ul> <li>AWS account (IAM admin).</li> <li>GitLab.com repo (works with self-hosted if OIDC enabled).</li> <li>GitLab version <strong>15.7+</strong> (needed for <code>id_tokens:</code>).</li> <li>AWS CLI v2 in your runner/job.</li> <li>(Optional) Terraform for IaC.</li> </ul> <h2> 🏗 Step 1 — Add OIDC Identity Provider in AWS </h2> <p>👉 In <strong>IAM → Identity providers → Add</strong>:</p> <ul> <li>Type: <code>OpenID Connect</code> </li> <li>URL: <code>https://gitlab.com</code> (or self-hosted URL)</li> <li>Audience: <code>https://gitlab.com</code> </li> </ul> <p>Terraform snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://gitlab.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"https://gitlab.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"</span><span class="p">]</span> <span class="c1"># GitLab CA</span> <span class="p">}</span> </code></pre> </div> <h2> 🛡 Step 2 — Create IAM Role + Trust Policy </h2> <p>Trust only the repo + branch you want. Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;ACCOUNT_ID&gt;:oidc-provider/gitlab.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"gitlab.com:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://gitlab.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"gitlab.com:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"project_path:mygroup/myrepo:ref_type:branch:ref:main"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> ⚙️ Step 3 — Ask for a Token in GitLab CI Job </h2> <p>In <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli:2.15.0</span> <span class="na">id_tokens</span><span class="pi">:</span> <span class="na">OIDC_TOKEN</span><span class="pi">:</span> <span class="na">aud</span><span class="pi">:</span> <span class="s">https://gitlab.com</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws sts assume-role-with-web-identity \</span> <span class="s">--role-arn "arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/gitlab-oidc-role" \</span> <span class="s">--role-session-name "gl-$CI_PROJECT_ID-$CI_PIPELINE_ID" \</span> <span class="s">--web-identity-token "$OIDC_TOKEN" \</span> <span class="s">--duration-seconds 3600 &gt; creds.json</span> <span class="pi">-</span> <span class="s">export AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId creds.json)</span> <span class="pi">-</span> <span class="s">export AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey creds.json)</span> <span class="pi">-</span> <span class="s">export AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken creds.json)</span> <span class="pi">-</span> <span class="s">aws sts get-caller-identity</span> </code></pre> </div> <h2> 🔐 Step 4 — Safer: Token File Method </h2> <p>Instead of exporting keys, use AWS SDK auto-assume:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli:2.15.0</span> <span class="na">id_tokens</span><span class="pi">:</span> <span class="na">OIDC_TOKEN</span><span class="pi">:</span> <span class="na">aud</span><span class="pi">:</span> <span class="s">https://gitlab.com</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "$OIDC_TOKEN" &gt; /tmp/web_identity_token</span> <span class="pi">-</span> <span class="s">export AWS_ROLE_ARN="arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/gitlab-oidc-role"</span> <span class="pi">-</span> <span class="s">export AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/web_identity_token"</span> <span class="pi">-</span> <span class="s">export AWS_ROLE_SESSION_NAME="gl-$CI_PROJECT_ID"</span> <span class="pi">-</span> <span class="s">aws sts get-caller-identity</span> <span class="pi">-</span> <span class="s">aws s3 ls s3://my-bucket</span> </code></pre> </div> <h2> 🧪 Step 5 — Test &amp; Tighten </h2> <ul> <li>Run pipeline → check <code>aws sts get-caller-identity</code>.</li> <li> <p>Lock trust policy:</p> <ul> <li>Allow only <code>tags</code> or <code>release/*</code>.</li> <li>Use <code>StringLike</code> for wildcards.</li> </ul> </li> <li><p>Attach <strong>least-privilege IAM policies</strong>.</p></li> </ul> <h2> 🛠 Troubleshooting </h2> <ul> <li> <strong>AccessDenied</strong> → condition mismatch (<code>aud</code> or <code>sub</code>).</li> <li> <strong>Verification key error</strong> → wrong issuer URL.</li> <li> <strong>Empty OIDC token</strong> → forgot <code>id_tokens:</code> block.</li> </ul> <h2> 🔒 Best Practices </h2> <ul> <li>Prefer token-file method.</li> <li>Scope trust (repo + ref).</li> <li>Separate roles per env (dev/prod).</li> <li>Audit with CloudTrail.</li> </ul> <h2> 🎉 Wrapping Up </h2> <p>You just kicked static AWS keys out of your GitLab pipelines.</p> <p>✅ Short-lived creds.<br> ✅ Branch/repo scoped trust.<br> ✅ No secret storage.</p> <p>Now your team can deploy to AWS with confidence. 🚀</p> aws gitlab security cloud