Skip to content
Latchkey

What Is OIDC Token Exchange? Swapping Identity for Short-Lived Access

OIDC token exchange lets a CI pipeline present a signed identity token and receive a short-lived cloud credential in return, eliminating stored secrets.

The old way to let a pipeline deploy to the cloud was to store a long-lived cloud key as a CI secret, a value that could leak and worked forever. OIDC token exchange replaces that. The CI provider issues a signed identity token, the cloud verifies it and trusts the provider, and hands back a short-lived credential. No standing secret ever changes hands.

The handshake

  • The CI provider mints a signed OIDC token describing the job.
  • The pipeline presents it to the cloud (AWS, GCP, Azure).
  • The cloud verifies the signature and the token's claims.
  • It returns a short-lived, scoped credential for that job.

Why it removes the stored secret

The cloud trusts the CI provider as an identity provider, not a particular key you stored. The pipeline proves who it is each run, so there is no long-lived cloud key sitting in CI secrets to leak. The credential it receives lives only for the job.

Trust through claims

The OIDC token carries claims: which repo, which branch, which workflow. The cloud's trust policy can require specific claims, so only your main branch in your repo can assume a deploy role. This binds access to exactly the right pipeline context.

Why it is a big deal

It collapses two hard problems, secret storage and secret rotation, into nothing. There is no secret to store and none to rotate, because the credential is ephemeral and identity-based. It is the cleanest answer to cloud access from CI.

The token must come from a trusted runner

The whole model rests on the identity token being authentic. It must be issued for a real, untampered job, which is why running on a trusted, isolated build environment matters: an attacker who controlled the runner could try to obtain tokens for jobs that are not really yours.

Key takeaways

  • OIDC token exchange trades a signed identity token for a short-lived cloud credential.
  • It removes the stored long-lived cloud key, so there is nothing durable to leak.
  • Trust policies key on token claims (repo, branch) to bind access to the right job.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →