July 12, 2023
Secretless Authorization (Using OIDC)
With Gitpod you can use OIDC to connect Gitpod workspaces to cloud providers or third parties such as AWS, Azure, GCP, or secret management services like Vault. Using OIDC integration eliminates the need to manually distribute access credentials, secrets, and other key material via other methods such as environment variables.
Use `gp idp token` in any workspace (it works in `.gitpod.yml` and with prebuilds) to retrieve the workspace JWT for exchange with the OIDC-supporting third party.
Getting started
The following shows how you can connect AWS to a Gitpod Cloud workspace. Steps can vary based on the third party you are integrating and the domain of your Gitpod installation; see the documentation below for details.
- Set up Gitpod as an AWS Identity Provider (using `https://api.gitpod.io/idp` as the Audience).
- Create an AWS role with permissions to perform `sts:AssumeRoleWithWebIdentity`.
- Update your `.gitpod.yml` to exchange your workspace JWT for an access token.
```shell
gp idp login aws --role-arn <your-iam-role-arn>
aws secretsmanager get-secret-value --secret-id database_connection_string
```
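An illustrative IAM trust policy for the role created in the second step, added here as an example and not taken from the Gitpod page or its docs. It assumes the OIDC provider was registered in IAM with the URL `https://api.gitpod.io/idp` (so IAM derives the `api.gitpod.io/idp:aud` and `api.gitpod.io/idp:sub` condition keys from it), and `<AWS_ACCOUNT_ID>` and `<SUBJECT_PATTERN_FOR_YOUR_REPOSITORY>` are placeholders, the latter to be filled from the `sub` claim of a real token (decode the output of `gp idp token` to see it).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyYourWorkspacesToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/api.gitpod.io/idp"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.gitpod.io/idp:aud": "https://api.gitpod.io/idp"
        },
        "StringLike": {
          "api.gitpod.io/idp:sub": "<SUBJECT_PATTERN_FOR_YOUR_REPOSITORY>"
        }
      }
    }
  ]
}
```

Without the `Condition` block the role trusts every token the issuer signs, so any workspace on the same Gitpod installation could assume it; the `aud` match and a narrow `sub` pattern are what scope the trust to your own workspaces.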
See Workspace OIDC and the AWS Integration Guide for more.