Skip to content

Support file-based OIDC tokens#413

Draft
kylekthompson wants to merge 11 commits into
mainfrom
kt/support-file-oidc-tokens
Draft

Support file-based OIDC tokens#413
kylekthompson wants to merge 11 commits into
mainfrom
kt/support-file-oidc-tokens

Conversation

@kylekthompson

@kylekthompson kylekthompson commented Jul 10, 2026

Copy link
Copy Markdown
Member

What changed

  • add mutually exclusive file-based and scalar OIDC token inputs for AWS, Google Cloud, Azure, and Namespace packages
  • configure AWS web identity profiles and Google external-account credentials to retain the rotating token-file path for later credential refreshes
  • move Azure authentication to v2 login/logout hooks so each consuming task receives its own fresh OIDC login
  • read the current token once per task for Azure CLI and Namespace CLI, whose current interfaces do not support persistent token-file credential sources
  • document provider behavior, defaults, customization parameters, and the Azure/Namespace refresh limitations
  • add separate package integration coverage for static and dynamic tokens

Why

rwx-cloud/mint#4575 adds automatically refreshed OIDC token-file projections through ${{ vaults.<vault>.oidc.<token>.path }}. Packages that consume OIDC tokens need to accept those paths while preserving compatibility with scalar token expressions.

Impact

AWS and Google Cloud tools can renew credentials from the rotating token source during long-running tasks. Azure v2 and Namespace read the current token immediately before each consuming task, but their CLIs do not pick up later rotations within that task. Supplying both token forms is rejected before authentication.

Package versions are bumped to:

  • aws/assume-role 2.0.10
  • google-cloud/auth-oidc 2.0.2
  • azure/auth-oidc 2.0.0
  • namespace/login-hook 1.0.3

Validation

  • rwx lint on the changed package and test definitions
  • generated hooks checked with bash -n
  • Azure static, dynamic, skip, subscription, and logout behavior checked with a fake CLI boundary
  • rwx packages update confirmed package dependencies are current
  • npm run spellcheck

Vault-backed integration workflows will be verified on the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant