Step-by-Step Guide to Setting Up AWS OIDC for Secure CI/CD Integration

Oshaba Samson
3 min read

Not too long ago, every time we wanted our CI/CD pipeline to talk to AWS, it felt like setting up a long-distance relationship. IAM users, access keys, and a whole lot of trust. We’d generate those long-lived credentials, hide them in some secret vault, and hope they never got leaked. 😬

But let’s be honest: managing static keys in pipelines is risky business. One accidental exposure, and boom 💥, your entire cloud environment could be compromised.

Luckily, AWS had a better plan. It stepped in and said:
“Forget the keys. I’ve got something smarter: short-lived tokens with OpenID Connect (OIDC).”

With OIDC, your GitLab pipeline (or any modern CI/CD tool) can securely authenticate with AWS without ever storing sensitive keys. These tokens are ephemeral: they expire after use, which reduces your attack surface and simplifies your security posture. 🔐

In this tutorial, I’ll walk you through how to set up OIDC with GitLab and AWS step by step.

Objective(s)

  • Configure trust between GitLab and AWS using IAM OIDC identity providers

Prerequisite(s)

  • AWS Account

  • GitLab Account

We will start with the AWS configuration.

  • Log in to AWS

  • Search for IAM

  • Click on Identity providers

  • Click on OpenID Connect

  • Type the provider URL and audience (I used https://gitlab.com because I am using a shared runner. If you are using a self-hosted runner, use the domain name of your GitLab server)

  • Click on Add provider

  • Click on Roles and create a new role

  • Click on Web identity

  • Select the identity provider and audience you just created

  • Select the required permission (AdministratorAccess)

  • Click on Next

  • Type the role name

  • Click on Create role

  • Click on the role name (gitlab-role)

  • Copy the ARN
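One check worth doing before you paste the ARN into GitLab: the trust policy the console wizard writes only requires that the token's audience match, so any token the gitlab.com identity provider issues with that audience would be accepted. Narrowing the trust policy to your own project and branch with the token's sub claim is what ties the role to your pipeline. The script below is an added example (not code from the original post) that builds such a trust policy and mimics the StringEquals/StringLike condition check STS applies, so you can see which tokens would be accepted. The account id, project path and token claims are constructed placeholders; the sub claim layout (project_path:<path>:ref_type:<type>:ref:<name>) and the gitlab.com:aud / gitlab.com:sub condition keys follow the GitLab and AWS documentation. It also shows a wildcard branch pattern (release/*), which goes beyond the single branch the page sets up.

```python
"""Build a least-privilege trust policy for the GitLab OIDC role and check
which ID tokens it would accept. Added example, not from the original post."""
import json
import re

# Assumptions (constructed for this example, not real identifiers):
AWS_ACCOUNT_ID = "123456789012"                  # placeholder account id
GITLAB_HOST = "gitlab.com"                       # host of the IAM identity provider URL
AUDIENCE = "https://gitlab.com"                  # must equal the aud used in id_tokens
PROJECT_PATH = "example-group/example-project"   # constructed project path


def trust_policy(account_id, project_path, ref="main"):
    """Trust policy that only lets pipelines of one project on one branch
    (or a branch pattern, since StringLike allows '*') assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITLAB_HOST}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITLAB_HOST}:aud": AUDIENCE},
                "StringLike": {
                    f"{GITLAB_HOST}:sub":
                        f"project_path:{project_path}:ref_type:branch:ref:{ref}"
                },
            },
        }],
    }


def _like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def would_assume(policy, claims):
    """Mimic the condition evaluation STS performs on the token's claims.
    Only the StringEquals/StringLike operators used above are modelled."""
    for stmt in policy["Statement"]:
        ok = True
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                claim = key.split(":", 1)[1]          # "gitlab.com:sub" -> "sub"
                actual = claims.get(claim, "")
                if operator == "StringEquals":
                    ok &= actual == expected
                elif operator == "StringLike":
                    ok &= _like(expected, actual)
                else:
                    ok = False                        # unsupported operator: deny
        if ok and stmt["Effect"] == "Allow":
            return True
    return False


def gitlab_token_claims(project_path, ref, ref_type="branch", aud=AUDIENCE):
    """Constructed subset of the claims GitLab places in a CI ID token."""
    return {
        "iss": f"https://{GITLAB_HOST}",
        "aud": aud,
        "sub": f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}",
        "project_path": project_path,
        "ref": ref,
        "ref_type": ref_type,
    }


if __name__ == "__main__":
    policy = trust_policy(AWS_ACCOUNT_ID, PROJECT_PATH)
    # Save this JSON as trust.json and apply it with
    # `aws iam update-assume-role-policy --role-name gitlab-role --policy-document file://trust.json`
    print(json.dumps(policy, indent=2))
    print(would_assume(policy, gitlab_token_claims(PROJECT_PATH, "main")))               # True
    print(would_assume(policy, gitlab_token_claims("someone-else/project", "main")))      # False
    print(would_assume(policy, gitlab_token_claims(PROJECT_PATH, "feature-x")))          # False
```

Run it once to print the policy, then paste the JSON into the role's trust relationship (or apply it with the CLI command in the comment). The three checks at the bottom show the point of the sub condition: a token from another project or from a branch that is not main is refused even though it carries the correct audience.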

Create a variable in GitLab

If you don’t know how to do that, check out my previous post, How to Securely Store and Use Variables in GitLab Pipelines. Use ROLE_ARN as the key and the ARN you copied above as the value.

GitLab CI

  • Create a file named .gitlab-ci.yml and paste the following to test your connectivity. The amazon/aws-cli image already ships with the AWS CLI (and is not Alpine-based, so apk is unavailable), so no install step is needed in before_script.

stages:
  - build
  - test

image:
  name: amazon/aws-cli:latest
  entrypoint: [""]

build:
  id_tokens:
    # GitLab mints a short-lived ID token for this job; aud must match the audience configured on the identity provider
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  stage: build
  before_script:
    - echo "Setting up environment..."
    # exchange the ID token for temporary AWS credentials and export them for the rest of the job
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${GITLAB_OIDC_TOKEN}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    # confirm the role was assumed: this prints the assumed-role ARN
    - aws sts get-caller-identity

  script:
    - echo "Connected to AWS from GitLab and retrieved credentials."
    - echo "Build completed."

Written by

Oshaba Samson

I am a software developer with 5+ years of experience. I have worked on web apps: e-commerce, e-learning, HRM web applications and many others.