Overview
This article addresses the InvalidIdentityToken error encountered when using CircleCI Server's OpenID Connect (OIDC) tokens on AWS. The error typically occurs during the AssumeRoleWithWebIdentity operation and is usually caused by a misconfiguration of the JSON Web Key (JWK) or of the AWS settings.
Prerequisites
- CircleCI Server v4.4.0 or later
- AWS account with permissions to configure Identity Providers and IAM Roles
- Access to the CircleCI web application for organization settings
- Helm for managing Kubernetes applications
- OIDC enabled in the Helm values:
  oidc_service.isEnabled: true
Solution
If you encounter the following error, it is likely due to missing fields in the JSON Web Key (JWK) that was set in oidc.json_web_keys. When verifying the token, AWS STS looks up the signing key among the keys your identity provider publishes by matching the key ID, so a JWK that lacks the kid or alg field cannot be matched and the token is rejected. Ensure that the alg and kid fields are present in the JWK, then follow the steps below to regenerate and correctly configure it. The error reads:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements
Regenerating JSON Web Key (JWK)
- Generate JWK: Use mkjwk.org to generate a JWK with the following settings:
  - Key Size: 2048
  - Key Use: Signature
  - Algorithm: RS256: RSASSA-PKCS1-v1_5 using SHA-256
  - Key ID: SHA-256
  - Show X.509: No
- Save and Encode JWK: Save the generated JWK (the full keypair, not only the public key, since the OIDC service signs tokens with it) to a file, e.g. ~/oidc-service-jwk.json, and encode it as a single line of base64:
  base64 -b0 -i ~/oidc-service-jwk.json
  The -b0 and -i flags are macOS base64 options; on GNU/Linux use base64 -w0 ~/oidc-service-jwk.json instead. Check that the output contains no line breaks before pasting it.
- Update Helm Values: Copy the base64 encoded JWK, set it in the Helm values under oidc.json_web_keys, and apply the updated values with helm upgrade.
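Before pasting a key into the Helm values, it is worth checking it for the exact problem this article describes. The following Python script is an added example and is not CircleCI code; it assumes that oidc.json_web_keys holds a single JWK object (as the steps above describe) and that mkjwk's "Key ID: SHA-256" option produces the RFC 7638 JWK thumbprint, which is how a missing kid is filled in here. The sample JWK is constructed and is not a real key.

```python
import base64
import hashlib
import json

# Members the published signing key must carry, in the order they are reported.
REQUIRED = ("kty", "n", "e", "use", "alg", "kid")

# Constructed sample (not a real key): what mkjwk-style output looks like when
# the alg and kid members are missing, the misconfiguration this article describes.
SAMPLE_JWK_MISSING_FIELDS = {
    "kty": "RSA",
    "n": "xjlCpNq2u7Q1w9fZ0pY7m3KJh8Lr5sTvX2cEaBdG9nHkQpWbVoYrUiSeZtMfAgDyJxLmNc",
    "e": "AQAB",
    "d": "Qc9tRf2LmXa7uPvW3yE8bK1nHsZ4gJdC0oMiTqSxVr5wAeBzYlDpGhNkUjFoIvRtEmWc",
    "use": "sig",
}


def rfc7638_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the canonical JSON of the
    required public members (e, kty, n) in lexicographic order, base64url, no padding.
    Assumed here to be what mkjwk's 'Key ID: SHA-256' option emits."""
    canonical = json.dumps({"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_signing_jwk(jwk):
    """Return a list of problems; an empty list means the JWK is usable."""
    problems = [f"missing field: {f}" for f in REQUIRED if not jwk.get(f)]
    if jwk.get("kty") != "RSA":
        problems.append("kty must be RSA")
    if "use" in jwk and jwk["use"] != "sig":
        problems.append("use must be sig")
    if "alg" in jwk and jwk["alg"] != "RS256":
        problems.append("alg must be RS256")
    if not jwk.get("d"):
        problems.append("private exponent d is missing (public key only; it cannot sign tokens)")
    return problems


def fix_jwk(jwk):
    """Return a copy with use, alg and kid filled in when absent.
    The RSA parameters (n, e, d, ...) are never touched."""
    fixed = dict(jwk)
    fixed.setdefault("use", "sig")
    fixed.setdefault("alg", "RS256")
    if not fixed.get("kid"):
        fixed["kid"] = rfc7638_thumbprint(fixed)
    return fixed


def encode_for_helm(jwk):
    """Single-line base64 of the JWK JSON, i.e. the value for oidc.json_web_keys.
    Refuses to encode a key that still fails validation."""
    problems = validate_signing_jwk(jwk)
    if problems:
        raise ValueError("; ".join(problems))
    raw = json.dumps(jwk, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_from_helm(value):
    """Inverse of encode_for_helm: decode an existing oidc.json_web_keys value to inspect it."""
    return json.loads(base64.b64decode(value))


if __name__ == "__main__":
    print("problems:", validate_signing_jwk(SAMPLE_JWK_MISSING_FIELDS))
    fixed = fix_jwk(SAMPLE_JWK_MISSING_FIELDS)
    print("kid:", fixed["kid"])
    print("oidc.json_web_keys:", encode_for_helm(fixed))
```

To check a key already deployed, run decode_from_helm on the current oidc.json_web_keys value and pass the result to validate_signing_jwk; if kid or alg is reported missing, regenerate the key as described above rather than editing the deployed value by hand, since AWS caches the published keys by key ID.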