Using OIDC with AWS and aws orbs

Hello,

I’ve followed the steps at Using OpenID Connect identity tokens to authenticate jobs with cloud providers | CircleCI to setup a pipeline that would use AWS OIDC to assume an AWS role.

My config looks like this:

version: 2.1

parameters:
  target_tag:
    type: string
    default: ""

orbs:
  aws-ecr: circleci/aws-ecr@8.2.1
  aws-ecs: circleci/aws-ecs@3.2
  aws-cli: circleci/aws-cli@3.1


jobs:
  oicd-login:
    executor: aws-cli/default
    steps:
      - aws-cli/install
      - aws-cli/setup:
          role-arn: "<my role arn that uses CircleCI OIDC connector>"
          aws-region: AWS_REGION
          profile-name: "OIDC-PROFILE"
          role-session-name: "deployment-session"
          session-duration: "1800"

workflows:
  build-and-deploy:
    jobs:
      - oicd-login:
          context:
            - my-context

Now, my build and deploy workflow, which currently contains just the oicd-login job, fails with “OIDC Token cannot be found. A CircleCI context must be specified.”. What am I missing here? It looks to be the same as in the tutorial, and the install step ensures the AWS CLI is available. Logs show that the orb would try to do the assume-role bit, but it’s missing the “CIRCLE_OIDC_TOKEN” variable, which is supposed to exist?

Hi @andrei-dascalu, could you please double-check that you don’t have a typo in the context name, by any chance?
Alternatively, you can check the job log: the 2nd step, Preparing environment variables, should list it at the bottom, like this: CIRCLE_OIDC_TOKEN=**REDACTED**

Hope this helps!

Thanks a lot for replying @zmarkan
I don’t have anything mentioning CIRCLE_OIDC_TOKEN in the preparing environment variables bit.
Is there something else that needs to be enabled for this to be used ?

This token will be automatically added if you include a valid context with the job in the workflow. It doesn’t have to have any secrets stored; it just needs to be a context that exists in your org.

My guess is that you don’t have a context created in the org called my-context so it’s ignoring it.
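For anyone hitting the same error, here is an added diagnostic script (it is not from this thread, the CircleCI orb, or CircleCI's own tooling) that you can run as a step in the job. It checks the two things the thread turns on: whether CIRCLE_OIDC_TOKEN was injected at all (it is only present when the job runs with a context that exists in the org), and whether the token's iss/aud/sub claims would satisfy the conditions in the role's trust policy. The org ID, project ID and trust-policy conditions are constructed placeholders, and the token signature is not verified here (STS does that); the script only decodes the payload so you can see what AWS will compare.

```python
"""Local diagnostic for the CircleCI OIDC token handed to a job.

Added example, not CircleCI or orb code. It decodes the JWT payload without
verifying the signature (AWS STS verifies it during AssumeRoleWithWebIdentity)
and reports why an OIDC role assumption would fail for this environment.
"""
import base64
import fnmatch
import json
import os

# Constructed placeholder IDs for the example; substitute your own org and project IDs.
ORG_ID = "11111111-1111-1111-1111-111111111111"
PROJECT_ID = "22222222-2222-2222-2222-222222222222"
ISSUER = f"https://oidc.circleci.com/org/{ORG_ID}"

# Hypothetical trust-policy conditions, mirroring the IAM StringEquals / StringLike
# operators a CircleCI OIDC role applies to the token's aud and sub claims.
TRUST_CONDITIONS = {
    "StringEquals": {"aud": ORG_ID},
    "StringLike": {"sub": f"org/{ORG_ID}/project/{PROJECT_ID}/user/*"},
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def claims_match_trust_policy(claims: dict, conditions: dict = TRUST_CONDITIONS) -> list:
    """Return human-readable mismatches; an empty list means the policy would allow."""
    problems = []
    for claim, expected in conditions.get("StringEquals", {}).items():
        if claims.get(claim) != expected:
            problems.append(f"{claim}={claims.get(claim)!r} != {expected!r}")
    for claim, pattern in conditions.get("StringLike", {}).items():
        if not fnmatch.fnmatchcase(str(claims.get(claim, "")), pattern):
            problems.append(f"{claim}={claims.get(claim)!r} does not match {pattern!r}")
    return problems


def diagnose(env: dict) -> dict:
    """Explain why assuming the OIDC role would fail for this job environment."""
    token = env.get("CIRCLE_OIDC_TOKEN")
    if not token:
        return {
            "status": "missing",
            "detail": "CIRCLE_OIDC_TOKEN not set: the job has no context, or the context "
                      "name in the workflow does not match one that exists in the org",
        }
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers bad base64 and bad JSON as well
        return {"status": "malformed", "detail": str(exc)}
    if claims.get("iss") != ISSUER:
        return {"status": "wrong-issuer", "detail": claims.get("iss")}
    problems = claims_match_trust_policy(claims)
    if problems:
        return {"status": "claims-mismatch", "detail": problems}
    return {"status": "ok", "detail": claims["sub"]}


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed token with the given claims for offline testing."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    # In a CircleCI job this reads the real token from the environment.
    print(json.dumps(diagnose(dict(os.environ)), indent=2))
```

Run it as a `run:` step right before `aws-cli/setup`; a "missing" result points at the context attachment, while a "claims-mismatch" result points at the trust policy on the role rather than at the pipeline config.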