Universal OIDC token handling for CI/CD providers.
This module provides functions to obtain OIDC JWT tokens from various CI/CD providers. These tokens can be used with cloud provider authentication modules (like gcp-auth) for keyless authentication via Workload Identity Federation.
| Provider | Function | Environment Variables |
|---|---|---|
| GitHub Actions | `github-token` | `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, `ACTIONS_ID_TOKEN_REQUEST_URL` |
| GitLab CI | `gitlab-token` | `CI_JOB_JWT_V2` |
| CircleCI | `circleci-token` | `CIRCLE_OIDC_TOKEN` |
Fetch an OIDC JWT token from GitHub Actions.

```shell
dagger call github-token \
  --request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN \
  --request-url=env:ACTIONS_ID_TOKEN_REQUEST_URL \
  --audience="//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/github"
```

Requirements:
- `id-token: write` permission in your workflow
Pass through a GitLab CI OIDC JWT token.

```shell
dagger call gitlab-token \
  --ci-job-jwt=env:CI_JOB_JWT_V2
```

Requirements:
- `id_tokens` configuration in your `.gitlab-ci.yml`

Note that `CI_JOB_JWT_V2` was deprecated in GitLab 15.9 and removed in GitLab 17.0. With `id_tokens`, GitLab exposes the token under the variable name you declare (for example `GITLAB_OIDC_TOKEN` in the pipeline example below), so pass that variable to `--ci-job-jwt` instead.
Pass through a CircleCI OIDC JWT token.

```shell
dagger call circleci-token \
  --oidc-token=env:CIRCLE_OIDC_TOKEN
```

Requirements:
- OIDC enabled in your CircleCI project settings
Decode and display the claims from an OIDC JWT token (for debugging).

```shell
dagger call token-claims --token=env:MY_TOKEN
```
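The `token-claims` function prints the decoded claims of a token. The following added example (not part of the oidc-token module or of Dagger) shows what that decoding involves and adds the checks that explain most failed Workload Identity Federation exchanges: issuer, audience, expiry and subject. It decodes a compact JWT without verifying the signature (the cloud STS endpoint does that during the exchange), so it is a debugging aid, not an authentication step. The sample token, its claim values, the issuer string and the audience string are constructed for this example.

```python
"""Decode and sanity-check the claims of a CI-issued OIDC JWT (debugging only).

Added example, not part of the oidc-token module. The signature is NOT verified
here; the cloud STS endpoint does that. This only answers "why did the exchange
fail?": wrong aud, wrong iss, expired or not-yet-valid token, missing sub.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) dicts of a compact JWS. The signature is ignored."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_claims(payload: dict, expected_aud: str, expected_iss: str,
                 now: Optional[int] = None) -> list:
    """Return human-readable problems; an empty list means the basics look right."""
    now = int(time.time()) if now is None else now
    problems = []
    iss = payload.get("iss")
    if iss != expected_iss:
        problems.append(f"iss is {iss!r}, expected {expected_iss!r}")
    # aud may be a single string or a list of strings (RFC 7519, section 4.1.3).
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"aud {auds!r} does not contain {expected_aud!r}")
    exp = payload.get("exp")
    if not isinstance(exp, int):
        problems.append("exp claim missing or not an integer")
    elif exp <= now:
        problems.append(f"token expired {now - exp}s ago")
    nbf = payload.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        problems.append(f"token not valid for another {nbf - now}s")
    if not payload.get("sub"):
        problems.append("sub claim missing (WIF attribute mapping needs it)")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED sample token for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload))
    # Placeholder signature: this token can never pass real verification.
    return signing_input + "." + _b64url_encode(b"not-a-real-signature")


# Constructed sample resembling a GitHub Actions token; every value is made up.
WIF_AUD = ("//iam.googleapis.com/projects/123/locations/global/"
           "workloadIdentityPools/pool/providers/github")
SAMPLE_ISS = "https://token.actions.githubusercontent.com"
SAMPLE_NOW = 1_700_000_000
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISS,
    "aud": WIF_AUD,
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
    "iat": SAMPLE_NOW - 60,
    "nbf": SAMPLE_NOW - 60,
    "exp": SAMPLE_NOW + 300,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(SAMPLE_TOKEN)
    print(json.dumps({"header": header, "payload": payload}, indent=2))
    print("problems:", check_claims(payload, WIF_AUD, SAMPLE_ISS, now=SAMPLE_NOW))
```

To inspect a real token, pass its string to `decode_jwt_unverified` and feed the payload to `check_claims` with the exact value you gave to `--audience` and the issuer of your CI provider; an `aud` mismatch reported here is the same mismatch the cloud STS endpoint will reject.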
Full GitHub Actions workflow that fetches the token and hands it to `gcp-auth`:

```yaml
# GitHub Actions
jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: |
          # Get OIDC token and use with gcp-auth
          dagger call -m oidc-token github-token \
            --request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN \
            --request-url=env:ACTIONS_ID_TOKEN_REQUEST_URL \
            --audience="//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/github" \
            --output=token.txt
          dagger call -m gcp-auth gcloud-container-from-oidc-token \
            --oidc-token=file:token.txt \
            --workload-identity-provider="projects/123/locations/global/workloadIdentityPools/pool/providers/github" \
            --project-id="my-project" \
            with-exec --args="gcloud","version"
```

`token.txt` holds a bearer credential. It is short-lived, but keep it out of uploaded artifacts and job logs, and fetch it in the same step that exchanges it.
The equivalent GitLab CI pipeline, using `id_tokens` so the token arrives in a variable name you choose (the command is written as a `|` block scalar because a plain multi-line YAML scalar folds the `\` continuations into a single broken line):

```yaml
# .gitlab-ci.yml
deploy:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/gitlab
  script:
    - |
      dagger call -m gcp-auth gcloud-container-from-oidc-token \
        --oidc-token=env:GITLAB_OIDC_TOKEN \
        --workload-identity-provider="projects/123/locations/global/workloadIdentityPools/pool/providers/gitlab" \
        --project-id="my-project" \
        with-exec --args="gcloud","version"
```

In both examples the token's `aud` claim has to match the allowed audiences configured on the Workload Identity Pool provider. The two examples request different forms (`//iam.googleapis.com/...` for GitHub, `https://iam.googleapis.com/...` for GitLab), so check the provider's setting if the exchange fails with an audience error.

- Abstraction: Separates CI provider token handling from cloud authentication
- Reusability: The same token can be used with multiple cloud providers
- Debugging: `token-claims` helps troubleshoot OIDC issues
- Extensibility: Easy to add new CI providers
Apache-2.0