Overview
When using CircleCI’s OIDC-based IAM integration to assume roles in your AWS environment, you may want to restrict access by source IP as an additional layer of security. CircleCI offers a feature called IP Ranges that ensures jobs run from a predictable, documented set of IP addresses.
By adding the aws:SourceIp condition to your IAM policy, you can enforce that only requests originating from CircleCI’s job execution IP ranges are allowed to assume the role.
OIDC Role IAM Policy Example
Below is a sample IAM policy that allows s3:ListBucket only if the request originates from one of CircleCI’s static IP addresses.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictToCircleCIIPs",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "3.228.39.90/32",
            "18.213.67.41/32",
            ...
            "35.174.249.131/32",
            "3.210.128.175/32"
          ]
        }
      }
    }
  ]
}
Refer to the CircleCI documentation for the complete and up-to-date list of IP addresses used by the IP Ranges feature.
Once this policy is in place, the job must set circleci_ip_ranges: true in its configuration so that it runs from the documented IP ranges; a job without that setting runs from an unlisted address, the aws:SourceIp condition does not match, and access to the resource in the policy is denied.
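As an added example (not CircleCI’s or AWS’s own code), the following Python models how the IpAddress/aws:SourceIp condition gates an Allow statement, so you can check a candidate caller address against a policy offline before rolling it out. The sample policy is constructed from the four addresses shown above, and only the aws:SourceIp condition key is modelled.

```python
import ipaddress
import json

# Constructed sample policy in the page's shape; only the four IPs the page
# lists explicitly are included (the elided middle entries are left out).
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RestrictToCircleCIIPs",
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": [
      "3.228.39.90/32", "18.213.67.41/32",
      "35.174.249.131/32", "3.210.128.175/32"]}}
  }]
}"""


def source_ip_networks(statement):
    """CIDR networks named in the statement's IpAddress/aws:SourceIp condition."""
    values = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
    if isinstance(values, str):  # IAM accepts a single string or a list here
        values = [values]
    return [ipaddress.ip_network(v, strict=False) for v in values]


def action_allowed(policy_json, action, source_ip):
    """True if some Allow statement grants `action` to a caller at `source_ip`.

    Models only the IpAddress/aws:SourceIp condition: a statement without it
    matches any caller, and Deny statements are not evaluated (a deliberate
    simplification for this check, not the full IAM evaluation logic).
    """
    policy = json.loads(policy_json)
    caller = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        nets = source_ip_networks(stmt)
        if not nets or any(caller in net for net in nets):
            return True
    return False


if __name__ == "__main__":
    # A job with circleci_ip_ranges: true arrives from a listed address...
    print(action_allowed(POLICY_JSON, "s3:ListBucket", "3.228.39.90"))  # True
    # ...while one without it comes from an unlisted address and is denied.
    print(action_allowed(POLICY_JSON, "s3:ListBucket", "203.0.113.7"))  # False
```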