
Fixing: aws: error: argument --web-identity-token: expected one argument

With the release of version 15.9, GitLab announced the deprecation of the predefined variables CI_JOB_JWT, CI_JOB_JWT_V1 and CI_JOB_JWT_V2 in favor of ID tokens, which were introduced with GitLab 15.7. These deprecated tokens were removed in GitLab 17.0. ID tokens are used to create JSON web tokens that support OIDC.

If you previously had a CI/CD pipeline working with $CI_JOB_JWT_V2 then the change to use an OIDC token should be fairly trivial. In my case I just needed to add an id_tokens section to my pipeline step as follows:

  id_tokens:
    MY_OIDC_TOKEN:
      aud: https://gitlab.com

and then change --web-identity-token ${CI_JOB_JWT_V2} to --web-identity-token ${MY_OIDC_TOKEN}.

My pipeline stage using ${CI_JOB_JWT_V2}:

Deploy:
  when: on_success
  stage: deploy
  image: registry.gitlab.com/gitlab-org/cloud-deploy/aws-base:latest
  variables:
    GIT_STRATEGY: none
  script:
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${CI_JOB_JWT_V2}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
      ... [ADDITIONAL COMMANDS] ...
  dependencies:
    - Build
  only:
    - main
  except:
    - tags

And now my pipeline stage using ${MY_OIDC_TOKEN}:

Deploy:
  when: on_success
  stage: deploy
  image: registry.gitlab.com/gitlab-org/cloud-deploy/aws-base:latest
  id_tokens:
    MY_OIDC_TOKEN:
      aud: https://gitlab.com
  variables:
    GIT_STRATEGY: none
  script:
    - >
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
      $(aws sts assume-role-with-web-identity
      --role-arn ${ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${MY_OIDC_TOKEN}
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
      ... [ADDITIONAL COMMANDS] ...
  dependencies:
    - Build
  only:
    - main
  except:
    - tags

As the CI/CD pipelines worked before CI_JOB_JWT_V2 was deprecated and removed, this was all that was required to get it back up and running.
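A pre-flight check that can run before the `aws sts assume-role-with-web-identity` call, so an unset token variable or an unexpected `aud` claim fails with a clear exit code instead of the argument error in the title. This is an added example, not part of the original post; the function names `b64url_decode` and `check_id_token` and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a GitLab ID token before calling AWS STS.
# Function names and return codes are this example's own:
#   0 = ok, 1 = empty/unset, 2 = not JWT-shaped, 3 = unexpected "aud".
# The signature is NOT verified here; STS does that against the OIDC provider.

# Decode one base64url segment (JWT segments omit '=' padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

check_id_token() {
  token=$1
  expected_aud=$2
  # Unset variable: an unquoted ${VAR} expands to nothing, so the CLI sees
  # "--web-identity-token --duration-seconds ..." and prints
  # "expected one argument".
  [ -n "$token" ] || return 1
  # A JWT has exactly three non-empty, dot-separated segments.
  case $token in
    *.*.*.*) return 2 ;;
    ?*.?*.?*) ;;
    *) return 2 ;;
  esac
  payload=${token#*.}
  payload=${payload%%.*}
  claims=$(b64url_decode "$payload") || return 2
  # Assumes compact JSON with a single string "aud"; the token is never printed.
  case $claims in
    *"\"aud\":\"${expected_aud}\""*) return 0 ;;
    *) return 3 ;;
  esac
}

# Usage in the job script, before the aws call:
#   check_id_token "${MY_OIDC_TOKEN:-}" "https://gitlab.com" || exit 1
```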


Originally published at https://chrisshennan.com/blog/aws-error-argument-web-identity-token-expected-one-argument
