Components
- gitlab-oidc.tf — IAM OIDC provider + gitlab-ci-oidc role (apply with admin).
- scripts/aws_oidc_creds.py — exchanges the OIDC token for temporary AWS creds (stdlib).
- scripts/ecr_login.py — ECR login supporting temp creds (session token).
- gitlab-ci.changes.yml — the edits to make in the repo's .gitlab-ci.yml.
Cutover (summary)
- Admin applies gitlab-oidc.tf → copy the gitlab_ci_role_arn.
- Copy the scripts in, apply the CI changes, set CI var AWS_ROLE_ARN.
- Run a pipeline — jobs authenticate with no static keys.
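To show what the token-exchange step above does (the job that runs once AWS_ROLE_ARN is set), here is an added example written for this page; it is not the project's scripts/aws_oidc_creds.py. It performs the unsigned STS AssumeRoleWithWebIdentity call with only the standard library, parses the Credentials block, and emits shell exports. AWS_ROLE_ARN is the CI variable named in the cutover; the GITLAB_OIDC_TOKEN variable name, the session-name format and the sample STS response are assumptions made for the example.

```python
"""Exchange a GitLab CI OIDC ID token for temporary AWS credentials (stdlib only).

Assumptions (not from the project): the job exposes its ID token as
GITLAB_OIDC_TOKEN, the role ARN is in AWS_ROLE_ARN, and the session name is
derived from CI_PROJECT_ID / CI_PIPELINE_ID.
"""
import os
import re
import shlex
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_ENDPOINT = "https://sts.amazonaws.com/"  # a regional STS endpoint also works
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Constructed sample of what STS returns on success; values are not real.
SAMPLE_STS_RESPONSE = b"""<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLEKEY000000</AccessKeyId>
      <SecretAccessKey>exampleSecretKeyNotReal0000000000000000000</SecretAccessKey>
      <SessionToken>exampleSessionTokenNotReal</SessionToken>
      <Expiration>2030-01-01T00:00:00Z</Expiration>
    </Credentials>
    <SubjectFromWebIdentityToken>project_path:group/repo:ref_type:branch:ref:main</SubjectFromWebIdentityToken>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""


def safe_session_name(name: str) -> str:
    """RoleSessionName allows only [\\w+=,.@-] and at most 64 characters."""
    return re.sub(r"[^\w+=,.@-]", "-", name)[:64]


def build_assume_role_request(role_arn: str, web_identity_token: str,
                              session_name: str, duration_seconds: int = 3600) -> str:
    """Form-encoded body for AssumeRoleWithWebIdentity. The request is unsigned:
    the OIDC token itself is the credential, which is why no static keys are needed."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": safe_session_name(session_name),
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": str(duration_seconds),
    }
    return urllib.parse.urlencode(params)


def parse_credentials(xml_body: bytes) -> dict:
    """Extract the Credentials block; fail loudly if any field is absent."""
    root = ET.fromstring(xml_body)
    creds = root.find(f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        el = creds.find(STS_NS + field)
        if el is None or not el.text:
            raise ValueError(f"STS response missing {field}")
        out[field] = el.text
    return out


def exchange_token(role_arn: str, web_identity_token: str, session_name: str,
                   duration_seconds: int = 3600, endpoint: str = STS_ENDPOINT) -> dict:
    """POST the exchange to STS and return the temporary credentials."""
    body = build_assume_role_request(role_arn, web_identity_token,
                                     session_name, duration_seconds).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_credentials(resp.read())


def as_env_exports(creds: dict) -> str:
    """Shell-quoted exports; the session token is mandatory for temporary creds."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={shlex.quote(creds['AccessKeyId'])}",
        f"export AWS_SECRET_ACCESS_KEY={shlex.quote(creds['SecretAccessKey'])}",
        f"export AWS_SESSION_TOKEN={shlex.quote(creds['SessionToken'])}",
    ])


if __name__ == "__main__":
    # Usage in a job:  eval "$(python3 this_script.py)"
    token = os.environ.get("GITLAB_OIDC_TOKEN")   # assumed id_tokens: variable name
    role_arn = os.environ.get("AWS_ROLE_ARN")      # CI variable from the cutover
    if not token or not role_arn:
        sys.exit("GITLAB_OIDC_TOKEN and AWS_ROLE_ARN must be set")
    session = f"gitlab-{os.environ.get('CI_PROJECT_ID', 'x')}-{os.environ.get('CI_PIPELINE_ID', 'x')}"
    print(as_env_exports(exchange_token(role_arn, token, session)))
```

The job obtains the token through the id_tokens keyword in .gitlab-ci.yml, with an aud claim that must match the audience configured on the IAM OIDC provider; STS rejects the exchange if the audience or the subject condition on the role's trust policy does not match, which is the check that keeps other projects from assuming gitlab-ci-oidc. Because the returned keys are temporary, anything downstream (the ECR login included) has to pass the session token along, not just the key pair.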
Stack
Terraform (IAM OIDC) · GitLab CI OIDC · Python (stdlib) · AWS STS / ECR.
Source
~/Terraform/open-liberty-ecs-demo-oidc/ — hardens the CI of Claude-AWS-Project/README.
Compiled from
wiki/projects/open-liberty-ecs-demo-oidc/README.md · git is the source of truth