OIDC with Depot
See the general OIDC documentation before diving into the Depot specific setup.
Depot Specific Setup
- Configure Depot in your Mint Vault
- Configure Mint as a Trusted Relationship in Depot
- Install the Depot CLI in a Mint task
- Set the
DEPOT_TOKENenvironment variable to the vault OIDC token when you calldepot build
Configure Depot in Mint
Mint Vaults control which Mint runs can access which sensitive values.
If you're building container images on feature branches, you can configure Depot in the default vault.
If you're building on a protected branch like main, then you may want to set up Depot in a locked vault.
See the docs on vaults for more details on how to configure your vaults.
Conventionally, choose depot for your token name. Set the audience to https://depot.dev
Configure Mint in Depot
Under your settings in Depot, look for "Trust Relationships."
Click on "Add Trust Relationship," and then choose "Mint" for the provider.
You'll be prompted to enter an "OIDC Subject."
Copy and paste the subject that is displayed in the Mint Vault UI.
It'll be displayed in the format mint:your-org-uuid:your-vault-name.
See the Depot docs on trust relationships for more details.
Install the Depot CLI in a Mint task
You can use the depot/install-cli leaf to easily install the CLI.
tasks:
- key: depot-cli
call: depot/install-cli 1.0.1
And you can now define a task which uses the depot-cli and authenticates via OIDC!
tasks:
- key: depot-cli
call: depot/install-cli 1.0.1
- key: build-image
use: [depot-cli]
run: depot build --project "$DEPOT_PROJECT" .
env:
DEPOT_PROJECT: your-depot-project-key
DEPOT_TOKEN:
value: ${{ vaults.your-vault.oidc.your-token-name-usually-depot }}
cache-key: excluded
cache-key: excluded will ensure that changes to the depot token will not affect whether the build-image task can be a cache hit.
For more details see the docs on environment variables.
Support
That's it! If you have any questions, feel free to reach out to either RWX support or Depot support.