Resolving Missing OIDC Token Issues in CircleCI

Overview

Some users may occasionally encounter an issue where the OIDC token (CIRCLE_OIDC_TOKEN) is intermittently not available in their job environment. While this occurs infrequently, it can disrupt workflows that depend on OIDC authentication, particularly for AWS integrations.

This article provides two effective workarounds to ensure your jobs have access to an OIDC token even when the automatic injection fails.

 

Symptoms

You may be experiencing this issue if:

  • Your jobs fail with errors related to missing OIDC tokens
  • The OIDC plugin downloaded but failed to execute successfully
  • The CIRCLE_OIDC_TOKEN environment variable is missing in some job runs

Workaround 1: Implement a Retry Script

Add the following step to your job configuration to check for the OIDC token and generate it if missing:

- run:
    name: Ensure OIDC Token availability
    command: |
      # Only mint a token if either variable was not injected automatically
      if [ -z "${CIRCLE_OIDC_TOKEN_V2}" ] || [ -z "${CIRCLE_OIDC_TOKEN}" ]; then
        TOKEN_SETUP_SUCCESS=false
        for i in {1..3}; do
          echo "Attempt $i: Minting OIDC tokens"
          CIRCLE_OIDC_TOKEN=$(circleci run oidc get --claims "{\"aud\":\"${CIRCLE_ORGANIZATION_ID}\"}")
          if [ -n "$CIRCLE_OIDC_TOKEN" ]; then
            echo "Successfully set CIRCLE_OIDC_TOKEN"
            # Append to $BASH_ENV so later steps in the job see the token
            echo 'export CIRCLE_OIDC_TOKEN="'"$CIRCLE_OIDC_TOKEN"'"' >> "$BASH_ENV"
            echo 'export CIRCLE_OIDC_TOKEN_V2="'"$CIRCLE_OIDC_TOKEN"'"' >> "$BASH_ENV"
            TOKEN_SETUP_SUCCESS=true
            break
          fi
          echo "Waiting 1 second before retry"
          sleep 1
        done
        if [ "$TOKEN_SETUP_SUCCESS" = false ]; then
          echo "Failed to set CIRCLE_OIDC_TOKEN and CIRCLE_OIDC_TOKEN_V2 after 3 attempts. Please try rerunning the workflow."
          exit 1
        fi
      fi
 
This script: 
  1. Checks if the token already exists in the environment
  2. If missing, attempts to generate it using the CircleCI CLI
  3. Retries up to three times with a 1-second pause between attempts
  4. Exits with an error if all attempts fail
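
The retry loop above accepts any non-empty output as a token. The following added example (not part of the original article or CircleCI's own code) shows a stricter pre-export check that the output is a three-segment JWT with the requested audience and an unexpired `exp`; the function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CircleCI's code): sanity-check a minted OIDC token before
# it is exported. This does NOT verify the signature; the relying party (for
# example AWS STS) does that. It only catches empty, malformed, expired or
# wrong-audience output from a failed mint. Never echo the token itself.

# Decode one base64url JWT segment to stdout; non-zero on invalid input.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    1) return 1 ;;
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# oidc_token_ok TOKEN EXPECTED_AUD [NOW_EPOCH]
# Assumes "aud" is a JSON string, as requested by the --claims argument.
oidc_token_ok() {
  now=${3:-$(date +%s)}
  case $1 in
    *[!A-Za-z0-9._-]*|.*|*.|*..*|*.*.*.*) return 1 ;;  # bad chars or segments
    *.*.*) ;;                                           # header.payload.signature
    *) return 1 ;;
  esac
  body=${1#*.}; body=${body%%.*}
  payload=$(b64url_decode "$body") || return 1
  aud=$(printf '%s' "$payload" | sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ "$aud" = "$2" ] || return 1
  [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Constructed sample token for offline testing: dummy signature, not a real token.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {  # sample_token AUD EXP_EPOCH
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
    "$(b64url_encode "{\"aud\":\"$1\",\"exp\":$2,\"iss\":\"https://issuer.example\"}")" \
    "ZHVtbXk"
}
```

In the retry step, the `[ -n "$CIRCLE_OIDC_TOKEN" ]` test could be replaced with `oidc_token_ok "$CIRCLE_OIDC_TOKEN" "$CIRCLE_ORGANIZATION_ID"` so that an error message captured from stdout is retried instead of being exported as a token.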

Workaround 2: Use the AWS CLI Orb v5.3.2+

As of version 5.3.2, the CircleCI AWS CLI orb includes improved OIDC token handling with built-in retry functionality.

 

orbs:
  aws-cli: circleci/aws-cli@5.3.2

jobs:
  deploy:
    docker:
      - image: cimg/base:current
    steps:
      - checkout
      - aws-cli/setup:
          role-arn: "arn:aws:iam::123456789012:role/YourRoleName"
      # Your job steps continue here

Learn more about the AWS CLI orb's enhancements in the v5.3.2 release notes.

 

Additional Information

  • These workarounds are temporary solutions while our engineering team investigates the root cause of intermittent OIDC token availability.
  • The OIDC token is essential for secure authentication with AWS and other cloud providers that support OIDC.
