Project · open-liberty-ecs-demo-oidc

GitLab → AWS OIDC migration

Removes long-lived AWS keys from the GitLab CI of [[Claude-AWS-Project/README|open-liberty-ecs-demo]]. Each job instead assumes an IAM role with a short-lived **OIDC token** issued by GitLab for that job: there is no static secret in CI variables to leak, and anything that does leak is a session credential that expires on its own. The new role attaches the same `gitlab-ci-policy`, so the permissions granted are unchanged; only the credential lifetime and the way it is obtained change.

type: readme · status: active · tags: aws · gitlab-ci · oidc · security

Components

  • gitlab-oidc.tf — IAM OIDC provider + gitlab-ci-oidc role (apply with admin). The role's trust policy is what decides who may assume it, so it should pin the token audience and the project/branch in the `sub` claim rather than trusting the whole GitLab instance.
  • scripts/aws_oidc_creds.py — exchanges the job's OIDC token for temporary AWS creds via STS (stdlib only, no boto3).
  • scripts/ecr_login.py — ECR login that passes the session token along with the temporary access key pair (temporary keys are rejected without it).
  • gitlab-ci.changes.yml — the edits to make in the repo's .gitlab-ci.yml.

Cutover (summary)

  1. Admin applies gitlab-oidc.tf → copy the gitlab_ci_role_arn.
  2. Copy the scripts in, apply the CI changes, set CI var AWS_ROLE_ARN.
  3. Run a pipeline — jobs authenticate with no static keys.
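The moving parts behind the components above and cutover steps 1–3, as an added example (this is not the project's own `gitlab-oidc.tf` or `scripts/aws_oidc_creds.py`, whose contents are not on this page): the trust policy the Terraform role would carry, expressed as the JSON document it becomes; a local preflight of the token's `aud`/`sub` claims against that policy; and the unsigned STS `AssumeRoleWithWebIdentity` request with its XML response parsed into the three env vars a job needs. The provider host `gitlab.example.com`, account ID, project path, role name, session name and the sample STS response are all constructed for the example; the `<host>:sub` / `<host>:aud` condition keys and the GitLab `sub` format `project_path:<path>:ref_type:<type>:ref:<name>` are the real IAM and GitLab conventions.

```python
"""Added example (not the project's scripts): the pieces of a GitLab OIDC -> AWS STS
exchange, stdlib only. Hosts, ARNs, the project path and the STS response are constructed."""
import base64
import json
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def trust_policy(provider_arn: str, project_path: str, ref: str = "main",
                 audience: str = "https://gitlab.example.com") -> dict:
    """Trust policy letting exactly one project branch assume the role.
    The aud and sub conditions are the whole control: without them any job on
    the same GitLab instance could present a token and assume the role."""
    host = provider_arn.split("oidc-provider/", 1)[1]   # e.g. gitlab.example.com
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": audience,
                f"{host}:sub": f"project_path:{project_path}:ref_type:branch:ref:{ref}",
            }},
        }],
    }


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying it. STS verifies the
    signature against GitLab's JWKS; this is only for a readable local preflight."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(claims: dict, policy: dict) -> list:
    """Return the aud/sub mismatches that would make IAM reject the exchange."""
    problems = []
    for stmt in policy["Statement"]:
        for key, expected in stmt["Condition"]["StringEquals"].items():
            claim = key.split(":", 1)[1]            # "gitlab.example.com:sub" -> "sub"
            actual = claims.get(claim)
            ok = expected in actual if isinstance(actual, list) else actual == expected
            if not ok:
                problems.append(f"{claim}: token has {actual!r}, role requires {expected!r}")
    return problems


def assume_role_body(role_arn: str, token: str, session_name: str, duration: int = 3600) -> str:
    """Form body for AssumeRoleWithWebIdentity. The request is unsigned: the
    token is the proof, so no AWS credentials exist before this call succeeds."""
    session_name = re.sub(r"[^\w+=,.@-]", "-", session_name)[:64]  # STS-allowed charset
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": token,
        "DurationSeconds": str(duration),
    })


def parse_sts_response(xml_text: str) -> dict:
    """Pull the temporary credentials out of the STS XML response."""
    creds = ET.fromstring(xml_text).find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS response has no Credentials element")
    return {child.tag.replace(STS_NS, ""): child.text for child in creds}


def credentials_env(creds: dict) -> dict:
    """The three variables the AWS SDK/CLI read. AWS_SESSION_TOKEN is mandatory:
    a temporary key pair is rejected without its session token."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def exchange(role_arn: str, token: str, session_name: str,
             sts_url: str = "https://sts.amazonaws.com/") -> dict:
    """Perform the real exchange (network call; not exercised offline)."""
    req = urllib.request.Request(sts_url, data=assume_role_body(role_arn, token, session_name).encode(),
                                 method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return credentials_env(parse_sts_response(resp.read().decode()))


def constructed_token(claims: dict) -> str:
    """Constructed fixture: a JWT-shaped token with a dummy signature. STS would
    reject it; it only exists to exercise jwt_claims/preflight offline."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.c2ln"


# Constructed sample of the STS XML response shape (values are placeholders).
SAMPLE_STS_XML = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId><SecretAccessKey>exampleSecretKey</SecretAccessKey>
    <SessionToken>FwoGZXIvYXdzEXAMPLE</SessionToken><Expiration>2030-01-01T00:00:00Z</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    policy = trust_policy("arn:aws:iam::123456789012:oidc-provider/gitlab.example.com",
                          "demo-group/open-liberty-ecs-demo")
    tok = constructed_token({"aud": "https://gitlab.example.com",
                             "sub": "project_path:demo-group/open-liberty-ecs-demo:ref_type:branch:ref:feature"})
    print(preflight(jwt_claims(tok), policy))   # names the sub mismatch instead of an opaque AccessDenied
```

In a job the token comes from the `id_tokens:` stanza of `.gitlab-ci.yml` (the variable name `GITLAB_OIDC_TOKEN` below is an assumption), so the call is `exchange(os.environ["AWS_ROLE_ARN"], os.environ["GITLAB_OIDC_TOKEN"], os.environ["CI_PIPELINE_ID"])` and the returned mapping is exported for the rest of the job. The `aud` in the policy must equal the `aud:` declared in `id_tokens:` byte for byte, and `sub` should name the one branch allowed to deploy; a `StringLike` wildcard on the project or branch widens who can assume the role to every matching job on the instance. The preflight never verifies the token and must not be treated as an access check: IAM does the verification, and the preflight's only job is to print which claim the trust policy will refuse.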

Stack

Terraform (IAM OIDC) · GitLab CI OIDC · Python (stdlib) · AWS STS / ECR.

Source

~/Terraform/open-liberty-ecs-demo-oidc/ — hardens the CI of Claude-AWS-Project/README.

Compiled from wiki/projects/open-liberty-ecs-demo-oidc/README.md · git is the source of truth