Error InvalidIdentityToken in command aws sts assume-role-with-web-identity


In my .gitlab-ci.yml file I have the command aws sts assume-role-with-web-identity, which returns this error: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Issuer must start with https://

This is the deploy script:

deploy:
  stage: deploy
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://git.mydomain.com
  script:
    - STS=($(aws sts assume-role-with-web-identity --role-arn ${ROLE_ARN} --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" --web-identity-token $GITLAB_OIDC_TOKEN --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
    - aws sts get-caller-identity
  only:
    - main

I'm trying to write a gitlab-ci script that assumes an AWS role with web identity.


Answer by sytech (accepted answer)

Ensure you've configured your OIDC Identity provider in AWS accordingly as well as the trust policy of the role you're trying to assume. Your GitLab instance itself must also be configured with a URL (external_url in the gitlab.rb config file) that begins with https:// and be accessible from the internet.

AssumeRoleWithWebIdentity operation: Issuer must start with https://

If you receive this error, it's likely because your GitLab server's external_url configuration value is not set correctly or you are not using HTTPS, which is required.

You must also ensure your IAM OIDC Identity Provider is configured correctly, as well as your IAM role, and your pipeline configuration:

First, configure the OIDC provider:

  • For the provider URL, use your GitLab server's URL for example https://gitlab.example.com.
  • For the "Audience": Use sts.amazonaws.com -- you can use pretty much any value you wish, but you'll need to use the same value for your GitLab ID token's aud claim -- GitLab suggests using your GitLab instance URL here (e.g., https://gitlab.example.com)

The setup wizard will connect to your GitLab instance to correctly set the public key fingerprint.


Second, your IAM role must have a trust policy document that allows the role to be assumed using a web identity under correct conditions. For example, you may make a condition on the sub claim matching your repository path.

You will need the ARN of the provider you created in the first step.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::AWS_ACCOUNT:oidc-provider/gitlab.example.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "gitlab.example.com:sub": "project_path:mygroup/myproject:*"
        }
      }
    }
  ]
}

Lastly, configure your pipeline, ensuring aud for your ID token is set to the same "Audience" value used in the first step:

deploy:
  # ...
  id_tokens:
    GITLAB_OIDC_TOKEN:
      # use the "Audience" value you used in the first step
      aud: sts.amazonaws.com
  script:
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${GITLAB_OIDC_TOKEN}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - aws sts get-caller-identity
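Before the pipeline calls STS, the same three claims the answer walks through (iss, aud, sub) can be inspected offline. The following added example is not part of the original answer: it decodes a GitLab-style ID token without verifying its signature (inspection only, never trust it for authorization) and reports what STS or the trust policy would reject. The sample claims, the audience value and the IAM StringLike pattern are constructed from the page; the claim names follow the GitLab ID token format.

```python
import base64
import json
import re

# Constructed sample claims modelled on a GitLab CI ID token (not a real token).
# The plain-http issuer reproduces the "Issuer must start with https://" error.
SAMPLE_CLAIMS = {
    "iss": "http://gitlab.example.com",
    "aud": "https://git.mydomain.com",
    "sub": "project_path:mygroup/myproject:ref_type:branch:ref:main",
    "project_path": "mygroup/myproject",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature (offline tests only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT signature verification (for inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run, '?' one char, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def preflight(token: str, expected_aud: str, sub_pattern: str) -> list:
    """Return the problems STS or the role trust policy would reject; [] means OK."""
    claims = decode_claims(token)
    problems = []
    if not claims.get("iss", "").startswith("https://"):
        problems.append(f"iss must start with https://, got {claims.get('iss')!r}")
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]
    if expected_aud not in auds:
        problems.append(f"aud {auds!r} does not include provider audience {expected_aud!r}")
    if not string_like(sub_pattern, claims.get("sub", "")):
        problems.append(f"sub {claims.get('sub')!r} does not match trust condition {sub_pattern!r}")
    return problems

if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    for p in preflight(token, "https://git.mydomain.com", "project_path:mygroup/myproject:*"):
        print("FAIL:", p)
```

In a real job, pass the value of $GITLAB_OIDC_TOKEN to preflight with the audience configured on the IAM identity provider and the sub pattern from the role's trust policy; an empty result means the request should pass the issuer, audience and sub checks described above.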