ci-id 0.1.0

Ambient OIDC credentials detection on CI systems
ci-id provides easy access to ambient OIDC credentials in CI systems like GitHub Actions.

    match ci_id::detect_credentials(Some("my-audience")) {
        Ok(token) => println!("{}", token),
        Err(e) => eprintln!("{}", e)
    }

Environment specific setup

Typically the CI environment needs to allow OIDC identity access.

GitHub Actions

The workflow must be given permission to use the workflow identity:

    permissions:
      id-token: write

GitLab Pipelines

An ID token must be defined in the pipeline:

    id_tokens:
      MY_AUDIENCE_ID_TOKEN:
        aud: my-audience

The ID token name must be based on the audience, so that the token name is either:

  • ID_TOKEN for the default audience
  • <AUD>_ID_TOKEN, where <AUD> is the audience string sanitized for environment variable names (uppercased, with every character other than ASCII letters and digits replaced with "_")
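
The naming rule above, worked through as an added Rust example (not code from ci-id): gitlab_token_var and colliding_vars are hypothetical helpers, and the audiences are constructed samples. It also shows that distinct audiences can sanitize to the same variable name, which is worth checking when a pipeline defines several ID tokens.

```rust
use std::collections::BTreeMap;

// Hypothetical helper, not part of the ci-id API: derives the GitLab variable
// name for an audience using the rule stated above.
fn gitlab_token_var(audience: Option<&str>) -> String {
    match audience {
        // Default audience: plain ID_TOKEN.
        None => "ID_TOKEN".to_string(),
        Some(aud) => {
            // Uppercase ASCII letters, keep digits, replace everything else with '_'.
            let sanitized: String = aud
                .chars()
                .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_uppercase() } else { '_' })
                .collect();
            format!("{}_ID_TOKEN", sanitized)
        }
    }
}

// Groups audiences by derived variable name and returns only the names that
// more than one distinct audience maps to.
fn colliding_vars(audiences: &[&str]) -> BTreeMap<String, Vec<String>> {
    let mut by_var: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for &aud in audiences {
        let entry = by_var.entry(gitlab_token_var(Some(aud))).or_default();
        if !entry.iter().any(|a| a.as_str() == aud) {
            entry.push(aud.to_string());
        }
    }
    by_var.retain(|_, auds| auds.len() > 1);
    by_var
}

fn main() {
    // Constructed sample audiences.
    let audiences = ["my-audience", "my.audience", "sigstore", "https://vault.example.com"];
    for &aud in &audiences {
        println!("{:<28} -> {}", aud, gitlab_token_var(Some(aud)));
    }
    for (var, auds) in colliding_vars(&audiences) {
        println!("collision: {} is shared by {:?}", var, auds);
    }
}
```

When two audiences collide, the variable name alone no longer says which audience the token was issued for; the aud value in the pipeline's id_tokens definition decides that.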

CircleCI

No configuration is needed.