Step-by-Step Guide to Setting Up AWS OIDC for Secure CI/CD Integration


Not too long ago, every time we wanted our CI/CD pipeline to talk to AWS, it felt like setting up a long-distance relationship. IAM users, access keys, and a whole lot of trust. We’d generate those long-lived credentials, hide them in some secret vault, and hope they never got leaked. 😬
But let’s be honest: managing static keys in pipelines is risky business. One accidental exposure, and boom 💥, your entire cloud environment could be compromised.
Luckily, AWS had a better plan. It stepped in and said:
“Forget the keys. I’ve got something smarter: short-lived tokens with OpenID Connect (OIDC).”
With OIDC, your GitLab pipeline (or any modern CI/CD tool) can securely authenticate with AWS without ever storing sensitive keys. The credentials are ephemeral: they expire after a short lifetime, reducing your attack surface and simplifying your security posture. 🔐
In this tutorial, I’ll walk you through how to set up OIDC with GitLab and AWS step by step.
Objective(s)
- Configure trust between GitLab and AWS using IAM OIDC identity providers
Prerequisite(s)
- AWS account
- GitLab account
We will start with the AWS configuration.
- Log in to AWS
- Search for IAM
- Click on Identity providers
- Click on OpenID Connect
- Type the provider URL and audience (I used https://gitlab.com because I am using a shared runner. If you are using a self-hosted GitLab instance, use the domain name of that server)
- Click on Add provider
- Click on Roles and create a new role
- Click on Web identity
- Select the identity provider and audience you just created
- Select the required permissions (I used AdministratorAccess for this test; for a real pipeline, attach only the permissions the jobs actually need)
- Click on Next
- Type the role name
- Click on Create role
- Click on the role name (gitlab-role)
- Copy the ARN
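The console wizard above produces a trust policy whose only condition is the audience, so any project on gitlab.com that requests a token with aud https://gitlab.com could assume gitlab-role; pinning the token's sub claim with the gitlab.com:sub condition key restricts the role to one project and branch. The following Python is an added example (not code from the original post): it embeds a constructed weak policy and its hardened form, evaluates which tokens each accepts, and flags statements that never constrain sub. The account id 123456789012 and the project path mygroup/myproject are placeholders.

```python
import json
import re
# Constructed example: the trust policy a "Web identity" role gets when only the
# audience is chosen in the console (account id and names are placeholders).
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"gitlab.com:aud": "https://gitlab.com"}}
  }]
}""")

# Same policy with the token's sub claim pinned to one project and branch.
# GitLab's sub format is project_path:<group>/<project>:ref_type:<type>:ref:<name>.
HARDENED_TRUST_POLICY = json.loads(json.dumps(WEAK_TRUST_POLICY))  # deep copy
HARDENED_TRUST_POLICY["Statement"][0]["Condition"]["StringLike"] = {
    "gitlab.com:sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"
}

def _match(operator, pattern, value):
    """Evaluate the two string operators commonly used in OIDC trust policies."""
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":  # IAM wildcards: * is any run of chars, ? is one char
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unsupported condition operator: {operator}")

def token_allowed(policy, claims):
    """True if a token carrying these claims satisfies some Allow statement.
    A condition key like 'gitlab.com:aud' refers to the token's 'aud' claim."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if all(_match(op, pattern, claims.get(key.split(":", 1)[1], ""))
               for op, keys in stmt.get("Condition", {}).items()
               for key, pattern in keys.items()):
            return True
    return False

def unscoped_statements(policy):
    """Indices of Allow statements that never constrain sub: any project on the
    same GitLab instance could use such a statement to assume the role."""
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Allow"
            and not any(key.endswith(":sub")
                        for keys in stmt.get("Condition", {}).values() for key in keys)]
```

To check the real policy of gitlab-role, paste the output of aws iam get-role into WEAK_TRUST_POLICY's place and run unscoped_statements on it.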
Create a variable in GitLab
If you don’t know how to do that, check out my previous post, How to Securely Store and Use Variables in GitLab Pipelines. Use ROLE_ARN as the key and the ARN copied above as the value.
GitLab CI
- Create a file named .gitlab-ci.yml and paste the following code to test your connectivity:
stages:
  - build
  - test

image:
  name: amazon/aws-cli:latest
  entrypoint: [""]

build:
  stage: build
  # ask GitLab to mint an ID token for this job with the audience configured on the IAM provider
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  before_script:
    - echo "Setting up environment..."
    # the amazon/aws-cli image already ships the CLI, so no install step is needed
    # exchange the GitLab ID token for short-lived AWS credentials and export them
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${GITLAB_OIDC_TOKEN}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    # confirm which role the job is now acting as
    - aws sts get-caller-identity
  script:
    - echo "Connected to AWS from GitLab and retrieved credentials."
    - echo "Build completed."
Written by

Oshaba Samson
I am a software developer with 5+ years of experience. I have been working on web apps: ecommerce, e-learning, HRM web applications and many others.