Using OIDC with AWS and aws orbs

andrei-dascalu · January 26, 2023, 10:22am

Hello,

I’ve followed the steps at Using OpenID Connect identity tokens to authenticate jobs with cloud providers | CircleCI to setup a pipeline that would use AWS OIDC to assume an AWS role.

My config looks like this:

version: 2.1

parameters:
  target_tag:
    type: string
    default: ""

orbs:
  aws-ecr: circleci/aws-ecr@8.2.1
  aws-ecs: circleci/aws-ecs@3.2
  aws-cli: circleci/aws-cli@3.1


jobs:
  oicd-login:
    executor: aws-cli/default
    steps:
      - aws-cli/install
      - aws-cli/setup:
          role-arn: "<my role arn that uses CircleCI OIDC connector>"
          aws-region: AWS_REGION
          profile-name: "OIDC-PROFILE"
          role-session-name: “deployment-session”
          session-duration: "1800"

workflows:
  build-and-deploy:
    jobs:
      - oicd-login:
          context:
            - my-context

Now, my build and deploy which currently contains just the oicd login job fails with “OIDC Token cannot be found. A CircleCI context must be specified.”. What am I missing here? It looks to be the same as per tutorial, as the install steps ensures aws cli is available. Logs are showing that the orb would try to do the assume role bit but it’s missing the “CIRCLE_OIDC_TOKEN” variable which it’s supposed to exist?

zmarkan · January 26, 2023, 10:37am

Hi @andrei-dascalu, could you please double check that you don’t have a typo in the context name by any chance?
Alternatively you can check in the job log, the 2nd step - Preparing environment variables should list it at the bottom - like this CIRCLE_OIDC_TOKEN=**REDACTED**

Hope this helps!

andrei-dascalu · January 26, 2023, 11:57am

Thanks a lot for replying @zmarkan
I don’t have anything mentioning CIRCLE_OIDC_TOKEN in the preparing environment variables bit.
Is there something else that needs to be enabled for this to be used ?

zmarkan · February 1, 2023, 4:34pm

this token will be automatically added if you include a valid context with the job in the workflow. It doesn’t have to have any secrets stored, just needs to be a context that exists in your org.

My guess is that you don’t have a context created in the org called my-context so it’s ignoring it.

mikevm · June 3, 2023, 9:14pm

@zmarkan I’m having this same problem. The CIRCLE_OIDC_TOKEN environment variable has been present and working for several months, and just a few days ago it stopped being present in the list of environment variables. I confirmed that the context exists, and git blame tells me there hasn’t been any interesting changes to my CircleCI config in some time.

Is there anything else that needs to happen for CircleCI to provide the token? We haven’t made any changes to our AWS Identity Provider either.

We aren’t using any of those orbs; our build job installs the AWS CLI as an explicit run step. This has been working fine as well for several months, but I am looking for confirmation that the orb isn’t required to make the CIRCLE_OIDC_TOKEN env var available.

mikevm · June 3, 2023, 9:35pm

BTW, I confirmed that the context in question (called vm-aws), is being used by the job, because I added an arbitrary environment variable to it, and confirmed that the variable shows up in the build. So it seems that just “having a context” is insufficient to get the CIRCLE_OIDC_TOKEN to appear.

mikevm · June 7, 2023, 2:12pm

After opening a support ticket, this issue is resolved.

From an email I received from CircleCI, for any future readers of this thread:

there are chances in which the token will not be present in the Environment Variable step but still work as expected