OIDC Tokens

You can use OIDC to authenticate RWX with third-party services. In general, you should use OIDC whenever a service supports it: it is more secure than generating long-lived access tokens, which could be lost or stolen.

To use OIDC, you will need to configure the token in the RWX Vault UI. After setting the name and audience in the UI, you can reference the token in workflows like this:

${{ vaults.your_vault.oidc.your_token_name }}

If you're using OIDC for deployment, you'll most likely want to configure the OIDC token in a locked vault. For more details, see the documentation on vaults.

Specific Documentation for Relying Parties

Review these guides to authenticate from RWX to some of the most popular services using OIDC.

RWX OIDC with AWS

RWX OIDC with Depot

RWX OIDC with Google Cloud

RWX OIDC with Azure

Claims

If you're a service looking to validate an RWX OIDC token, review the following claims:

claim     name             description
iss       issuer           Will always be https://cloud.rwx.com/mint
sub       subject          Identifies the vault, in the format mint:{organization uuid}:{vault name}
aud       audience         The audience configured for the token in the Vault
exp       expiration time  The time that the token expires, as an integer
iat       issued time      The time that the token was issued, as an integer
run_id    run id           The ID of the RWX run that generated the token
run_url   run url          The URL for the RWX run that generated the token
task_id   task id          The ID of the RWX task that generated the token
task_url  task url         The URL for the RWX task that generated the token
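As an added example that is not part of the RWX documentation, the following shows the claim checks a relying party performs on the table above after it has verified the token signature against the issuer's published keys. The expected audience, organization uuid and vault name are constructed placeholders, and exp/iat are assumed to be Unix seconds as is standard for JWTs.

```python
import base64
import json
import re
import time

RWX_ISSUER = "https://cloud.rwx.com/mint"  # iss value from the claims table
# sub format from the table: mint:{organization uuid}:{vault name}
SUB_PATTERN = re.compile(r"^mint:([0-9a-fA-F-]{36}):(.+)$")

def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS (header.payload.signature).
    This does NOT verify the signature; verify it with a JWT library against
    the issuer's keys before trusting anything returned here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_rwx_claims(claims, expected_aud, expected_org, expected_vault,
                     now=None, leeway=60):
    """Return the names of claims that fail; an empty list means accept."""
    now = int(time.time()) if now is None else now
    failed = []
    if claims.get("iss") != RWX_ISSUER:
        failed.append("iss")  # not minted by RWX
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")  # token was issued for a different relying party
    match = SUB_PATTERN.match(str(claims.get("sub", "")))
    if (not match or match.group(1).lower() != expected_org.lower()
            or match.group(2) != expected_vault):
        failed.append("sub")  # different organization or vault than allowed
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        failed.append("exp")  # expired or missing expiry
    if not isinstance(iat, int) or iat > now + leeway:
        failed.append("iat")  # issued in the future: clock skew or forgery
    return failed

# Constructed sample token (placeholder signature) for exercising the checks.
SAMPLE_ORG = "00000000-0000-4000-8000-000000000000"
SAMPLE_AUD = "https://example.invalid/deploy"
SAMPLE_CLAIMS = {"iss": RWX_ISSUER, "sub": f"mint:{SAMPLE_ORG}:deploy-prod",
                 "aud": SAMPLE_AUD, "iat": 1700000000, "exp": 1700000600}
_b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = f'{_b64({"alg": "RS256", "typ": "JWT"})}.{_b64(SAMPLE_CLAIMS)}.sig-placeholder'
```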