Bitbucket OIDC Token Not Available - oidc: true Missing
OIDC lets a step assume a cloud role without long-lived keys, but the identity token is only minted when the step sets oidc: true. Without it, the token variable is empty and the cloud login fails.
What this error means
A step that exchanges an OIDC token for cloud credentials fails because BITBUCKET_STEP_OIDC_TOKEN is empty, or the cloud rejects the token’s issuer/audience/subject. The provider trust or the oidc: true flag is missing.
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithWebIdentity operation: Couldn't retrieve verification
key from your identity provider.Common causes
Step did not enable OIDC
The identity token is only generated when the step declares oidc: true. Without it, BITBUCKET_STEP_OIDC_TOKEN is unset and there is nothing to exchange.
Cloud trust policy does not match
The cloud provider must trust Bitbucket’s OIDC issuer and the configured audience/subject. A mismatched audience, issuer URL, or subject claim makes the provider reject the token.
How to fix it
Enable OIDC on the step and exchange the token
Set oidc: true and pass the token to the cloud login.
- step:
oidc: true
script:
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo "$BITBUCKET_STEP_OIDC_TOKEN" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
- aws sts assume-role-with-web-identity --role-arn "$ROLE_ARN" --role-session-name bb --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN"Configure provider trust correctly
- Register Bitbucket’s OIDC issuer URL with the cloud identity provider.
- Set the audience the cloud expects and scope the role trust to your workspace/repo subject.
- Confirm the role’s trust policy matches the token’s claims.
How to prevent it
- Add
oidc: trueto every step that uses an identity token. - Keep the cloud trust policy’s issuer and audience aligned with Bitbucket.
- Prefer OIDC over stored cloud keys to avoid long-lived secrets.