Resolving InvalidIdentityToken Error When Using CircleCI Server OIDC with AWS

Overview

This article addresses the InvalidIdentityToken error encountered when using CircleCI Server's OpenID Connect (OIDC) tokens on AWS. The error typically occurs during the AssumeRoleWithWebIdentity operation and is often due to misconfigurations in the JSON Web Key (JWK) or AWS settings.

Prerequisites

  • CircleCI Server v4.4.0 or later
  • AWS account with permissions to configure Identity Providers and IAM Roles
  • Access to the CircleCI web application for organization settings
  • Helm for managing Kubernetes applications
  • OIDC enabled in the Helm values: oidc_service.isEnabled: true

Solution

If you encounter the following error, it is likely due to missing fields in the JSON Web Key (JWK) set in oidc.json_web_keys. Ensure that the alg and kid fields are present in the JWK: AWS looks up the verification key by its kid, so a key without one cannot be matched to the token. Follow the steps below to regenerate and correctly configure the JWK.

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

Regenerating JSON Web Key (JWK)

  1. Generate JWK: Use mkjwk.org to generate a JWK with the following settings:

    • Key Size: 2048
    • Key Use: Signature
    • Algorithm: RS256: RSASSA-PKCS1-v1_5 using SHA-256
    • Key ID: SHA-256
    • Show X.509: No
  2. Save and Encode JWK: Save the generated JWK to a file, e.g., ~/oidc-service-jwk.json, and encode it in base64:

     base64 -b0 -i ~/oidc-service-jwk.json

  3. Update Helm Values: Copy the base64 encoded JWK and set it in the Helm values under oidc.json_web_keys.

  4.  
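As an added example (not from the original article or from CircleCI), the following Python script checks a JWK file for the fields this article requires before the value goes into oidc.json_web_keys, verifies that kid is the RFC 7638 SHA-256 thumbprint that mkjwk's "Key ID: SHA-256" setting produces, and prints the single-line base64 value for Helm. The sample key at the bottom is constructed filler, not real RSA key material, and accepting a JWK Set ({"keys": [...]}) as well as a single key is an assumption about what the Helm value may hold.

```python
import base64
import hashlib
import json

# Fields the article says must be present for AWS to find the verification
# key (alg, kid), plus the RSA public members every RS256 key carries (kty, n, e).
REQUIRED_FIELDS = ("kty", "alg", "kid", "n", "e")


def rfc7638_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the canonical JSON of the
    required public members (e, kty, n), keys sorted, no whitespace, base64url
    without padding. This is what mkjwk's "Key ID: SHA-256" setting puts in kid."""
    canonical = json.dumps({"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_jwk(jwk):
    """Return a list of problems with one JWK as the article requires it
    (RS256 signing key with alg and kid present); an empty list means OK."""
    problems = [f"missing required field '{f}'" for f in REQUIRED_FIELDS if f not in jwk]
    if problems:
        return problems
    if jwk["kty"] != "RSA":
        problems.append(f"kty is {jwk['kty']!r}, expected 'RSA'")
    if jwk["alg"] != "RS256":
        problems.append(f"alg is {jwk['alg']!r}, expected 'RS256'")
    if jwk.get("use", "sig") != "sig":
        problems.append(f"use is {jwk['use']!r}, expected 'sig' (Key Use: Signature)")
    if jwk["kid"] != rfc7638_thumbprint(jwk):
        # Not fatal for AWS by itself, but it means the key was not generated with
        # mkjwk's "Key ID: SHA-256" setting, or n/e were edited after generation.
        problems.append("kid is not the RFC 7638 SHA-256 thumbprint of this key")
    return problems


def validate_document(doc):
    """Accept a single JWK or a JWK Set ({"keys": [...]}). Assumption for this
    example: either form may be what ends up in oidc.json_web_keys."""
    keys = doc["keys"] if isinstance(doc, dict) and "keys" in doc else [doc]
    return [f"key[{i}]: {p}" for i, k in enumerate(keys) for p in validate_jwk(k)]


def encode_for_helm(jwk_text):
    """Single-line standard base64 of the file contents, the same output as
    `base64 -b0 -i file` on macOS (GNU coreutils: `base64 -w0 file`)."""
    return base64.b64encode(jwk_text.encode("utf-8")).decode("ascii")


def decode_from_helm(value):
    """Inverse of encode_for_helm, to re-check a value already set in Helm."""
    return json.loads(base64.b64decode(value).decode("utf-8"))


# Constructed sample: n is 256 bytes of filler (2048 bits), not a real RSA
# modulus, so the logic can be exercised offline without generating a key.
SAMPLE_JWK = {
    "kty": "RSA",
    "use": "sig",
    "alg": "RS256",
    "n": base64.urlsafe_b64encode(bytes(range(256))).rstrip(b"=").decode("ascii"),
    "e": "AQAB",
}
SAMPLE_JWK["kid"] = rfc7638_thumbprint(SAMPLE_JWK)  # as mkjwk's "Key ID: SHA-256" would set it

if __name__ == "__main__":
    import sys
    # Check the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else json.dumps(SAMPLE_JWK)
    problems = validate_document(json.loads(text))
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("oidc.json_web_keys:", encode_for_helm(text))
```

Run it as python check_jwk.py ~/oidc-service-jwk.json. The base64 -b0 -i form in step 2 is the macOS command; on Linux with GNU coreutils the equivalent is base64 -w0 ~/oidc-service-jwk.json. In both cases the output must be one unbroken line before it is pasted into the Helm values.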

Additional Resources
