Description
Helpful Links:
GitLab Sandbox Cloud: https://gitlabsandbox.cloud/cloud
Sample Project: https://cs.gitlabdemo.cloud/jphilbin-group/configure-openid-connect-in-aws
Documentation: https://docs.gitlab.com/ee/ci/cloud_services/aws/
Hi, my name is Jamie Philbin and I'm a Solutions Architect with GitLab. Today I'm going to show you how to successfully leverage OpenID Connect to retrieve credentials from AWS within the GitLab CI/CD pipeline. Once you've followed my example, you'll have a job that runs where you have an output of your credential from AWS, like shown here. Let's get started.

Within GitLab's documentation we've already got a really great tutorial on how to set this up, and it's split into three steps. First, we need to add an identity provider to AWS.

We want to navigate first to Identity providers. You'll see here that I've already got GitLab's demo cloud environment set up as an identity provider, but I'll show you what it looks like if we are going to add gitlab.com. So under provider type you want to select OpenID Connect, and under the provider URL, https://gitlab.com. Make sure to not include any forward slashes at the end of gitlab.com. Same thing for the audience: gitlab.com. We select Get thumbprint and then Add provider.

Very quick, very easy, and now we've added gitlab.com as an identity provider within AWS.

Next, let's make a policy that we want to use with our role to retrieve credentials from AWS. Go over to Create policy. We want to select Security Token Service (STS). For the actions allowed we want AssumeRoleWithWebIdentity, and for resources I'll just specify all, for demo purposes. For the policy name I'm going to give it a name of video-oidc-policy and create our policy.

Next, let's make a web identity role that this policy will be attached to. Go over to Create role, and under trusted entity type we want to select Web identity. We've got a selected provider, and you'll see at the bottom we've got GitLab's demo cloud environment and gitlab.com as potential identity providers that we added earlier. I'm going to select GitLab's demo cloud environment, same thing for the audience, and then for permissions policies...

These are the contents of the .gitlab-ci.yml. Essentially what this is doing is: I've declared two variables, AWS_DEFAULT_REGION and AWS_PROFILE. AWS_DEFAULT_REGION specifies which default region we want to use to retrieve our credential; I've selected us-east-1 (Northern Virginia). AWS_PROFILE is specifying the AWS profile to use, self-explanatory, and we're setting that to oidc. The actual oidc example job is using the AWS CLI to interact with AWS services, and in the id_tokens section this job is going to define an ID token that we're going to call MY_OIDC_TOKEN, and this is going to be used to actually authenticate with AWS. Then in our script section I'm writing the aws sts get-caller-identity command, and this will retrieve the identity of the current user using the web identity role we set up in AWS. So I'll commit these changes to a pipeline, but this pipeline is going to fail, and that's because we're not done here. We need to set up a few CI/CD variables.

So once we head to Variables, we'll get started with adding these. First I'm going to add a role ARN. Now, I could have added this role ARN to our .gitlab-ci.yml, but I'm putting it in our project-level CI/CD settings, and this is basically a security consideration. Project-level variables, right, they're stored in GitLab, but they're encrypted at rest and in transit. So this is a sensitive secret, and this is just a more secure way of handling it within our GitLab project. Also, right now, this role, the way I have it configured, anybody with the role ARN actually would be able to use it to retrieve credentials from AWS, and I'll show you a little bit later how we can lock that down. But for now, let's go back to AWS and copy our role ARN and paste it in here. Make sure we've got the type set to Variable, and we'll add this variable.

So now we've added three variables: AWS_CONFIG_FILE as a file type, our role ARN, and then another file-type variable for the web identity token. Let's take a look at that pipeline that ran; we'll see that it failed. Let's run it one more time, now that we've added our three project-level CI/CD variables.

And you'll see we've successfully retrieved a credential from AWS using OpenID Connect. So, like I said earlier, right, this role that we've set up right now can be used by anybody to retrieve a credential from AWS within my AWS account. Let's lock this down just to end our video, and I'll show you what that looks like. Let's go back to the IAM console and our video-oidc role, which we created, and we want to navigate over to Trust relationships and edit our trust policy right now.

So we've changed this so that this role should only run on the J Philbin security group, and you'll see that we've got an access denied error that gets thrown now when we want to use our web identity role.

So thank you for following along with my video on retrieving a credential from AWS using OpenID Connect. I hope you found this really helpful. Goodbye. Thank you.
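The "lock it down" step at the end of the video is the security-relevant part: the role wizard pins the token's aud claim, but without a condition on sub any project on the same GitLab instance can mint a token and assume the role. The example below is added here and is not code from the video, from GitLab's documentation or from the sample project; it simulates how AWS evaluates the role's trust policy against the aud and sub claims of a GitLab ID token, first with the wizard-generated policy and then with a StringLike condition on sub. The account ID, the audience value, the group name, the branch names and the stranger's project path are constructed assumptions; the only values taken from the page are the gitlab.com provider and the jphilbin-group sample project path.

```python
import re

# Added example, not code from the video or GitLab's documentation.
# Constructed values: the account ID, audience, branch names and the
# stranger's project are assumptions standing in for the demo's real values.
ACCOUNT_ID = "123456789012"
PROVIDER = "gitlab.com"                      # identity provider added in IAM
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"
AUDIENCE = "https://gitlab.com"              # must equal the job's id_tokens aud


def trust_policy(condition):
    """Trust policy of the web identity role with the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# What the IAM role wizard produces when you pick the provider and audience:
# aud is pinned, sub is not, so any gitlab.com project can assume the role.
OPEN_POLICY = trust_policy({"StringEquals": {f"{PROVIDER}:aud": AUDIENCE}})

# Locked down: additionally restrict sub to one group's projects, branch refs
# only, main only. GitLab formats sub as
# project_path:<group>/<project>:ref_type:<type>:ref:<ref>.
LOCKED_POLICY = trust_policy({
    "StringEquals": {f"{PROVIDER}:aud": AUDIENCE},
    "StringLike": {f"{PROVIDER}:sub": "project_path:jphilbin-group/*:ref_type:branch:ref:main"},
})


def iam_string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


_OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,
    "StringLike": iam_string_like,
}


def _condition_holds(operator, requirements, context):
    """Every key under one operator must hold; a key may list alternative
    values (any one may match). A key absent from the request context fails."""
    for key, expected in requirements.items():
        alternatives = expected if isinstance(expected, list) else [expected]
        actual = context.get(key)
        if actual is None or not any(_OPERATORS[operator](alt, actual) for alt in alternatives):
            return False
    return True


def may_assume(policy, token_claims):
    """Decide whether a GitLab ID token with these claims can assume the role.
    The trust policy sees the token's aud and sub as <provider>:aud / <provider>:sub."""
    context = {f"{PROVIDER}:aud": token_claims["aud"], f"{PROVIDER}:sub": token_claims["sub"]}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
                and stmt["Principal"].get("Federated") == PROVIDER_ARN
                and all(_condition_holds(op, req, context)
                        for op, req in stmt.get("Condition", {}).items())):
            return True
    return False


def gitlab_claims(project_path, ref_type="branch", ref="main", aud=AUDIENCE):
    """Constructed subset of the claims GitLab places in an id_tokens token."""
    return {"aud": aud, "sub": f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}"}


OWN_MAIN = gitlab_claims("jphilbin-group/configure-openid-connect-in-aws")
OWN_FEATURE = gitlab_claims("jphilbin-group/configure-openid-connect-in-aws", ref="feature-x")
STRANGER = gitlab_claims("someone-else/their-project")   # any other gitlab.com user

if __name__ == "__main__":
    for name, claims in [("own project, main", OWN_MAIN),
                         ("own project, feature branch", OWN_FEATURE),
                         ("stranger's project", STRANGER)]:
        print(f"{name:28} open={may_assume(OPEN_POLICY, claims)!s:5} "
              f"locked={may_assume(LOCKED_POLICY, claims)}")
```

Two details worth checking in a real trust policy: the wildcard sits after the slash, so `jphilbin-group/*` cannot match a look-alike namespace such as `jphilbin-group-evil/...`, and the aud condition must stay, because the audience is what ties the token to this role rather than to some other relying party. Only aud and sub are exposed to the trust policy, so anything you want to enforce (group, project, ref type, branch) has to be expressed as a pattern over the sub string.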