Fixing: aws: error: argument --web-identity-token: expected one argument

With the release of version 15.9, GitLab announced the deprecation of the predefined variables CI_JOB_JWT, CI_JOB_JWT_V1 and CI_JOB_JWT_V2 in favor of ID tokens, which were introduced in GitLab 15.7. The deprecated variables were removed in GitLab 17.0. ID tokens are JSON web tokens (JWTs) issued per job that can be used for OIDC authentication with external services.

If you previously had a CI/CD pipeline working with $CI_JOB_JWT_V2, the change to an OIDC ID token should be fairly trivial. In my case I just needed to add an id_tokens section to my pipeline job as follows:

  id_tokens:
    MY_OIDC_TOKEN:
      aud: https://gitlab.com

and then change --web-identity-token ${CI_JOB_JWT_V2} to --web-identity-token ${MY_OIDC_TOKEN}.

My pipeline stage using ${CI_JOB_JWT_V2}:

Deploy:
  when: on_success
  stage: deploy
  image: registry.gitlab.com/gitlab-org/cloud-deploy/aws-base:latest
  variables:
    GIT_STRATEGY: none
  script:
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${CI_JOB_JWT_V2}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
      ... [ADDITIONAL COMMANDS] ...
  dependencies:
    - Build
  only:
    - main
  except:
    - tags

And now my pipeline stage using ${MY_OIDC_TOKEN}:

Deploy:
  when: on_success
  stage: deploy
  image: registry.gitlab.com/gitlab-org/cloud-deploy/aws-base:latest
  id_tokens:
    MY_OIDC_TOKEN:
      aud: https://gitlab.com
  variables:
    GIT_STRATEGY: none
  script:
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${MY_OIDC_TOKEN}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
      ... [ADDITIONAL COMMANDS] ...
  dependencies:
    - Build
  only:
    - main
  except:
    - tags

Because the pipeline had worked before CI_JOB_JWT_V2 was deprecated and removed, this was all that was required to get it running again.
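A pre-flight check for the job script, added here as an example and not part of the original post: it fails with a readable message when the token variable is empty (an unquoted empty expansion is what makes the aws CLI report "expected one argument"), when the value is not a three-segment JWT, or when its aud claim differs from the one configured under id_tokens. It assumes a string-valued aud claim and uses a constructed, unsigned sample token; the authoritative enforcement of aud and sub stays in the IAM role's trust policy.

```shell
#!/bin/sh
# Added example (not from the original post): fail fast, with a clear
# message, before `aws sts assume-role-with-web-identity` is ever called.

# base64url-encode stdin (used only to build the constructed sample token).
b64url() { base64 | tr '+/' '-_' | tr -d '=\n'; }

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in          # restore the base64 padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print one string-valued claim (assumption: aud is a string, not an array).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Pre-flight check: token present, three segments, aud as configured.
# Returns 0 on success; prints the reason to stderr and returns 1 otherwise.
check_oidc_token() {
  tok=$1; want_aud=$2
  if [ -z "$tok" ]; then
    echo "OIDC token is empty: is id_tokens set on this job?" >&2; return 1
  fi
  dots=$(printf '%s' "$tok" | tr -cd . | wc -c)
  if [ "$((dots))" -ne 2 ]; then
    echo "OIDC token is not a three-segment JWT" >&2; return 1
  fi
  aud=$(jwt_claim "$tok" aud)
  if [ "$aud" != "$want_aud" ]; then
    echo "OIDC token aud '$aud' does not match expected '$want_aud'" >&2; return 1
  fi
  return 0
}

# Constructed sample token (unsigned; a real ID token is signed by GitLab).
SAMPLE_PAYLOAD='{"aud":"https://gitlab.com","sub":"project_path:mygroup/myproject:ref_type:branch:ref:main"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).signature"

# In the job script: check_oidc_token "$MY_OIDC_TOKEN" "https://gitlab.com" || exit 1
```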

References

Originally published at https://chrisshennan.com/blog/aws-error-argument-web-identity-token-expected-one-argument