OIDC and boto3: InvalidIdentityToken

Georg Duemlein March 26, 2023

I have an OIDC provider configured in my AWS account.

It works nicely for the pipelines so far.


I am now trying to run a python boto3 script in the pipeline and I get this error:

botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for

The IdentityProvider mentioned in the message exists.
I even created a second one with trailing slashes - I read that might be the issue.


Are there any extra steps I need to take to have boto3 scripts run in the pipeline with OIDC?

1 answer

1 accepted

0 votes
Answer accepted
Georg Duemlein March 27, 2023

Looks like the documented snippet is not working for this use case.

Instead of this:

- export AWS_ROLE_ARN=arn:aws:iam::<redacted>:role/<redacted>
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token

I need to use something like this:

- export AWS_ROLE_ARN=arn:aws:iam::<redacted>:role/<redacted>
- export AWS_WEB_IDENTITY_TOKEN_FILE=~/.aws/web-identity-token
- mkdir -p ~/.aws
# same write as in the first snippet, now to the path the variable points at
- echo $BITBUCKET_STEP_OIDC_TOKEN > ~/.aws/web-identity-token

I assume that boto3 is a bit more strict when it comes to finding the files - compared to Terraform - which doesn't seem to have an issue with the documented Bitbucket way.
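Added example, not code from the thread above: a Python preflight check for the two things boto3 reads before it calls AssumeRoleWithWebIdentity (AWS_ROLE_ARN and the file named by AWS_WEB_IDENTITY_TOKEN_FILE), which also reports the token's iss claim so it can be compared with the OIDC provider URL registered in IAM. The sample token, role ARN, workspace and file path are constructed placeholders, and boto3 itself is not called.

```python
import base64, json, os, re, tempfile, time

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def build_unsigned_token(claims: dict) -> str:
    """Constructed sample only: a real OIDC token is signed by the provider."""
    def enc(obj): return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def decode_jwt_claims(token: str) -> dict:
    """Read the payload claims of a JWT without verifying it (STS does that)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight_web_identity(env: dict, now=None) -> dict:
    """Check what boto3 needs: a role ARN, a readable token file, an unexpired token."""
    now = time.time() if now is None else now
    problems, claims = [], {}
    role_arn = env.get("AWS_ROLE_ARN", "")
    if not ROLE_ARN_RE.match(role_arn):
        problems.append("AWS_ROLE_ARN missing or not a role ARN")
    path = os.path.expanduser(env.get("AWS_WEB_IDENTITY_TOKEN_FILE", ""))
    if not path or not os.path.isfile(path):
        problems.append(f"AWS_WEB_IDENTITY_TOKEN_FILE not readable: {path!r}")
    else:
        try:
            with open(path, encoding="utf-8") as fh:
                claims = decode_jwt_claims(fh.read())
        except ValueError as exc:  # covers bad base64 and bad JSON too
            problems.append(f"token file does not hold a JWT: {exc}")
    if claims and claims.get("exp", 0) <= now:
        problems.append("token has expired; OIDC tokens are short-lived")
    # iss is what IAM matches against the registered OIDC provider URL, so report it.
    return {"role_arn": role_arn, "token_file": path, "issuer": claims.get("iss"),
            "audience": claims.get("aud"), "problems": problems}

def demo(now=None) -> dict:
    """Write a constructed token to a temp dir and run the preflight over it."""
    claims = {"iss": "https://api.bitbucket.org/2.0/workspaces/example-ws/pipelines-config/identity/oidc",
              "aud": "ari:cloud:bitbucket::workspace/example", "exp": 4102444800}
    token_file = os.path.join(tempfile.mkdtemp(), "web-identity-token")
    with open(token_file, "w", encoding="utf-8") as fh:
        fh.write(build_unsigned_token(claims))
    env = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/example-pipeline-role",
           "AWS_WEB_IDENTITY_TOKEN_FILE": token_file}
    return preflight_web_identity(env, now=now)
```

Run `demo()` in the pipeline step before the boto3 call (with the real environment passed to `preflight_web_identity`) and compare the reported issuer with the provider URL in IAM; an empty `problems` list means boto3 will at least find the role ARN and a readable, unexpired token.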
