OIDC with Depot

See the general OIDC documentation before diving into the Depot-specific setup.

Depot-Specific Setup

  • Configure Depot in your RWX Vault
  • Configure RWX as a Trusted Relationship in Depot
  • Install the Depot CLI in an RWX task
  • Set the DEPOT_TOKEN environment variable to the vault OIDC token when you call depot build

Configure Depot in RWX

RWX Vaults control which RWX runs can access which sensitive values. If you're building container images on feature branches, you can configure Depot in the default vault. If you're building on a protected branch like main, then you may want to set up Depot in a locked vault.

See the docs on vaults for more details on how to configure your vaults.

Conventionally, choose depot as the token name, and set the audience to https://depot.dev. The audience is the aud claim that Depot checks when it validates the token, so it must be set exactly as Depot expects.

Configure RWX in Depot

Under your settings in Depot, look for "Trust Relationships." Click on "Add Trust Relationship," and then choose RWX "Mint" for the provider. You'll be prompted to enter an "OIDC Subject." Copy and paste the subject that is displayed in the RWX Vault UI. It'll be displayed in the format mint:your-org-uuid:your-vault-name.

See the Depot docs on trust relationships for more details.

Install the Depot CLI in an RWX task

You can use the depot/install-cli leaf to install the CLI easily.

tasks:
  - key: depot-cli
    call: depot/install-cli 1.0.2

And you can now define a task which uses the depot-cli and authenticates via OIDC.

tasks:
  - key: depot-cli
    call: depot/install-cli 1.0.2

  - key: build-image
    use: [depot-cli]
    run: depot build --project "$DEPOT_PROJECT" .
    env:
      DEPOT_PROJECT: your-depot-project-key
      DEPOT_TOKEN:
        value: ${{ vaults.your-vault.oidc.your-token-name-usually-depot }}
        cache-key: excluded

Because the OIDC token value changes from run to run, cache-key: excluded ensures that a new token does not by itself prevent the build-image task from being a cache hit. For more details, see the docs on environment variables.
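As an added example (not code from the RWX or Depot docs), the following POSIX shell snippet decodes the payload of the token that RWX mints and confirms it carries the audience (https://depot.dev) and the mint:org-uuid:vault-name subject shape that the Depot trust relationship above expects, before the token is handed to depot build. It only inspects claims; it does not verify the signature (Depot does that server-side). The two sample tokens, the placeholder org UUID and the dummy signature segment are constructed for the example, and the `check_depot_oidc_token` helper is a hypothetical name, not an RWX or Depot command.

```shell
#!/bin/sh
# Added example: sanity-check the claims in the OIDC token RWX mints before
# calling `depot build`. Decodes the JWT payload only; the signature is NOT
# verified here (Depot verifies it when it evaluates the trust relationship).

# Encode stdin as unpadded base64url. Used only to build the constructed
# sample tokens below.
b64url() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Decode the middle (payload) segment of a JWT and print it as JSON.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # Restore the base64 padding that base64url strips.
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# Return 0 when the token's audience is https://depot.dev and its subject has
# the mint:<org-uuid>:<vault-name> shape shown in the RWX Vault UI; else 1.
check_depot_oidc_token() {
  claims=$(jwt_payload "$1") || return 1
  printf '%s' "$claims" | grep -q '"aud":"https://depot.dev"' || return 1
  printf '%s' "$claims" | grep -q '"sub":"mint:[^"]*:[^"]*"' || return 1
  return 0
}

# Constructed sample tokens: placeholder org UUID, dummy signature segment.
GOOD_PAYLOAD='{"aud":"https://depot.dev","sub":"mint:00000000-0000-0000-0000-000000000000:default"}'
BAD_PAYLOAD='{"aud":"https://example.invalid","sub":"mint:00000000-0000-0000-0000-000000000000:default"}'
HEADER=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
GOOD_TOKEN="$HEADER.$(printf '%s' "$GOOD_PAYLOAD" | b64url).signature-placeholder"
BAD_TOKEN="$HEADER.$(printf '%s' "$BAD_PAYLOAD" | b64url).signature-placeholder"

# In an RWX task, DEPOT_TOKEN is injected from the vault; check it if present.
if [ "${DEPOT_TOKEN:-}" != "" ]; then
  if check_depot_oidc_token "$DEPOT_TOKEN"; then
    echo "DEPOT_TOKEN audience and subject match the Depot trust relationship"
  else
    echo "DEPOT_TOKEN claims do not match the Depot trust relationship" >&2
  fi
fi
```

Run it as a step before depot build in the same task so a misconfigured audience or a token from the wrong vault fails loudly instead of surfacing as an opaque authentication error from Depot.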

Support

That's it! If you have any questions, feel free to reach out to RWX support or Depot support.