How to Authenticate CircleCI to AWS with OIDC
CircleCI issues an OIDC token (CIRCLE_OIDC_TOKEN) you exchange for short-lived AWS credentials - no static keys.
When a job runs in a context, CircleCI sets $CIRCLE_OIDC_TOKEN. Pass it to aws sts assume-role-with-web-identity to get temporary credentials.
Assume a role with the OIDC token
The job runs in a context (which enables the token), then exchanges it for AWS credentials.
.circleci/config.yml
jobs:
deploy:
docker:
- image: cimg/aws:2024.03
steps:
- run: |
CREDS=$(aws sts assume-role-with-web-identity \\
--role-arn "$AWS_ROLE_ARN" \\
--role-session-name "circleci-$CIRCLE_WORKFLOW_ID" \\
--web-identity-token "$CIRCLE_OIDC_TOKEN" \\
--query Credentials --output json)
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .SessionToken)
aws s3 lsGotchas
$CIRCLE_OIDC_TOKENis only set when the job runs inside a context - attach one in the workflow.- The IAM trust policy
submust matchorg/<org-id>/project/<project-id>/...; copy the exact value from CircleCI org settings. - The token audience is your CircleCI organization ID - set it as the
audcondition in the trust policy.
Related guides
How to Use OIDC to Authenticate GitHub Actions to AWSAuthenticate GitHub Actions to AWS with OIDC - no long-lived secrets. Set up the IAM role, trust policy, and…
How to Authenticate GitLab CI to AWS with OIDCAuthenticate GitLab CI to AWS with OIDC - request an ID token with the id_tokens keyword and assume an IAM ro…