CircleCI OIDC
Definition
CircleCI OIDC (OpenID Connect) is a feature that allows CircleCI jobs to authenticate with cloud providers and other services using short-lived, automatically managed tokens. This enhances security by eliminating the need for long-lived static credentials in your CI/CD pipelines. OIDC tokens are dynamically generated and scoped to specific jobs, reducing the risk of credential leakage and unauthorized access.
Secure Settings Example
version: 2.1
executors:
  my-executor:
    docker:
      - image: circleci/python:3.8
jobs:
  deploy:
    executor: my-executor
    steps:
      - checkout
      - run:
          name: Authenticate with AWS using OIDC
          command: |
            # CIRCLE_OIDC_TOKEN is minted by CircleCI for this job only and expires
            # shortly; nothing long-lived is stored in the project or the config.
            # The command returns temporary credentials (JSON on stdout) that the
            # following steps export before calling AWS.
            aws sts assume-role-with-web-identity \
              --role-arn arn:aws:iam::123456789012:role/CircleCIRole \
              --role-session-name CircleCISession \
              --web-identity-token "$CIRCLE_OIDC_TOKEN" \
              --duration-seconds 3600
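The role assumed above is only as safe as its trust policy: the policy must pin the token's `aud` to the CircleCI org and its `sub` to the project, or any job presenting a valid CircleCI token could assume it. The following Python is an added example, not CircleCI's or AWS's own code; it builds that condition block and applies the same checks to a constructed, unsigned sample token. The claim layout (`iss` = `https://oidc.circleci.com/org/<org-id>`, `aud` = org ID, `sub` = `org/<org-id>/project/<project-id>/user/<user-id>`) and the IAM condition-key format `oidc.circleci.com/org/<org-id>:aud` are assumptions taken from CircleCI's documented token shape.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed identifiers for this example; not real CircleCI org or project IDs.
ORG_ID = "11111111-2222-3333-4444-555555555555"
PROJECT_ID = "66666666-7777-8888-9999-000000000000"

def trust_policy_conditions(org_id: str, project_id: str) -> dict:
    """Condition block for the IAM role's trust policy: accept only tokens whose
    audience is this org and whose subject names this project. The condition-key
    format ('<issuer host/path>:aud' and ':sub') is assumed from the IdP URL."""
    idp = f"oidc.circleci.com/org/{org_id}"
    return {
        "StringEquals": {f"{idp}:aud": org_id},
        "StringLike": {f"{idp}:sub": f"org/{org_id}/project/{project_id}/user/*"},
    }

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the claim checks can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def claims_match(token: str, org_id: str, project_id: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Apply the trust-policy conditions, plus issuer and expiry, to the payload.
    Signature verification is STS's job against the IdP's keys; not done here."""
    now = time.time() if now is None else now
    payload = json.loads(_unb64url(token.split(".")[1]))
    if payload.get("iss") != f"https://oidc.circleci.com/org/{org_id}":
        return False, "issuer mismatch"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    aud = payload.get("aud")
    if org_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience is not this org"
    if not str(payload.get("sub", "")).startswith(f"org/{org_id}/project/{project_id}/user/"):
        return False, "subject is not this project"
    return True, "ok"
```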
Insecure Settings Example
version: 2.1
executors:
  my-executor:
    docker:
      - image: circleci/python:3.8
jobs:
  deploy:
    executor: my-executor
    steps:
      - checkout
      - run:
          name: Authenticate with AWS using static credentials
          command: |
            # Long-lived IAM keys written into the pipeline config: they never
            # expire on their own, are readable by anyone with access to the repo
            # or build logs, and must be rotated by hand if they leak.
            aws configure set aws_access_key_id YOUR_ACCESS_KEY_ID
            aws configure set aws_secret_access_key YOUR_SECRET_ACCESS_KEY