#ci #credentials #oidc #ambient #systems #detection #token

ci-id

Ambient OIDC credentials detection on CI systems

6 releases

0.3.0 Dec 3, 2024
0.2.1 Nov 5, 2024
0.1.2 Oct 29, 2024

#645 in Authentication


Used in ci-id-bin

Apache-2.0

24KB
492 lines

Ambient credentials detection for CI systems


ci-id provides easy access to ambient OIDC credentials in CI systems.

use ci_id::{detect_credentials, CIIDError};

fn main() -> Result<(), CIIDError> {
    // Request a token for the given audience from the detected CI environment.
    let token = detect_credentials(Some("myaudience"))?;
    println!("Ambient OIDC token detected: {}", token);
    Ok(())
}

See ci-id-bin crate for a simple CLI wrapper.

ci-id is based on id, a similar Python project.

Supported environments

Currently supported environments are:

  • GitHub Actions
  • GitLab CI/CD
  • CircleCI
  • Buildkite

See documentation for details on what configuration each of these environments needs.

License

ci-id is licensed under the Apache 2.0 License.


lib.rs:

ci-id provides easy access to ambient OIDC credentials in CI systems like GitHub Actions.

match ci_id::detect_credentials(Some("my-audience")) {
    Ok(token) => println!("{}", token),
    Err(e) => eprintln!("{}", e)
}

Environment specific setup

Typically the CI environment needs to allow OIDC identity access.

GitHub Actions

The workflow must be given permission to use the workflow identity:

permissions:
    id-token: write

GitLab Pipelines

An ID token must be defined in the pipeline:

id_tokens:
    MY_AUDIENCE_ID_TOKEN:
        aud: my-audience

The ID token name must be derived from the audience: the variable is named <AUD>_ID_TOKEN, where <AUD> is the audience string sanitized for use in an environment variable name (uppercased, with every character other than ASCII letters and digits replaced by "_").
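
The naming rule above, as an added Rust example (not ci-id's own code): it derives the variable name from an audience, looks it up in a supplied environment map, and flags audiences that sanitize to the same name. The function names, the sample environment and the handling of non-ASCII characters (one "_" per character) are assumptions of this example.

```rust
use std::collections::HashMap;

/// Derive the GitLab variable name for an audience, following the rule in the
/// text: ASCII letters are uppercased, digits kept, everything else becomes '_'.
/// (Hypothetical helper; non-ASCII handling is an assumption of this example.)
fn gitlab_token_var(audience: &str) -> String {
    let sanitized: String = audience
        .chars()
        .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_uppercase() } else { '_' })
        .collect();
    format!("{sanitized}_ID_TOKEN")
}

/// Report audiences that sanitize to the same variable name. Lookups for any
/// of them read the same variable, so they cannot each get a distinct token.
fn colliding_audiences<'a>(audiences: &[&'a str]) -> Vec<(String, Vec<&'a str>)> {
    let mut by_var: HashMap<String, Vec<&'a str>> = HashMap::new();
    for &aud in audiences {
        by_var.entry(gitlab_token_var(aud)).or_default().push(aud);
    }
    let mut hits: Vec<_> = by_var.into_iter().filter(|(_, a)| a.len() > 1).collect();
    hits.sort();
    hits
}

/// Look the token up in a caller-supplied environment map (constructed here,
/// so the example runs outside CI). Empty values count as missing.
fn find_token<'e>(audience: &str, env: &'e HashMap<String, String>) -> Result<&'e str, String> {
    let var = gitlab_token_var(audience);
    match env.get(&var).map(String::as_str) {
        Some(tok) if !tok.is_empty() => Ok(tok),
        _ => Err(format!("{var} is not set; define it under id_tokens with aud: {audience}")),
    }
}

fn main() {
    // Constructed sample environment; the token value is a placeholder.
    let env = HashMap::from([("MY_AUDIENCE_ID_TOKEN".to_string(), "<jwt>".to_string())]);
    println!("{}", gitlab_token_var("my-audience"));
    println!("{:?}", find_token("my-audience", &env));
    println!("{:?}", find_token("sigstore", &env));
    println!("{:?}", colliding_audiences(&["my-audience", "my.audience", "sigstore"]));
}
```
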

CircleCI

No configuration is needed.

Buildkite

No configuration is needed.

Dependencies

~6–19MB
~251K SLoC
