OIDC Tokens
You can use OIDC to authenticate RWX with third-party services. In general, you should use OIDC when it's available. It's more secure than generating long-lived access tokens, which have to be stored as secrets and can be leaked or stolen; an OIDC token is minted for a specific run and expires on its own.
To use OIDC, you will need to configure a token in the OIDC Tokens tab of the RWX Vault UI.
After setting the name and audience in the UI, you'll see the audience and subject values to enter in your service provider's trust configuration.
See documentation below for specific instructions for each service provider.
You can then reference the token in RWX run definitions like this:
${{ vaults.your_vault.oidc.your_token_name }}
If you're using OIDC for deployment, you'll typically want to configure the OIDC token in a locked vault. For more details, see the documentation on vaults.
Specific Documentation for Relying Parties
Review these guides to authenticate from RWX to some of the most popular services using OIDC.
Claims
If you operate a service (relying party) that validates RWX OIDC tokens, verify the following claims. At a minimum, after checking the signature against the issuer's public keys, require that iss matches exactly, that aud contains the audience you configured, that sub matches the vault you expect, and that exp has not passed. Checking iss and aud alone is not enough: any vault on RWX can mint a token with your audience, so sub is what ties the token to your vault.
| claim | name | description |
|---|---|---|
| iss | issuer | Will always be https://cloud.rwx.com/mint |
| sub | subject | Identifies the vault, shared across all tokens in the same vault (shown in the Vault UI) |
| aud | audience | The audience configured for the token in the Vault (shown in the Vault UI) |
| exp | expiration time | The time that the token expires, as a Unix timestamp (integer seconds) |
| iat | issued time | The time that the token was issued, as a Unix timestamp (integer seconds) |
| run_id | run id | The ID of the RWX run that generated the token |
| run_url | run url | The URL for the RWX run that generated the token |
| task_id | task id | The ID of the RWX task that generated the token |
| task_url | task url | The URL for the RWX task that generated the token |
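The following is an added example of the relying-party checks above, not RWX's own code. It is stdlib-only so it runs offline: the token is constructed locally with a shared HS256 secret standing in for the RWX issuer's signing key, and the subject and audience values are made up. A real relying party verifies an RS256 signature against the issuer's published public keys instead, then applies the same claim checks.

```python
"""Validate the claims of an RWX OIDC token the way a relying party should.

Added example, not RWX's own code. The HS256 shared secret is a stand-in so
the example runs offline; in production verify RS256 against the issuer's
JWKS, then run the same claim checks shown in validate_rwx_token().
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

RWX_ISSUER = "https://cloud.rwx.com/mint"  # per the claims table


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_demo_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the RWX issuer (demo only, HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_rwx_token(token: str, secret: bytes, expected_aud: str,
                       expected_sub: str, now: Optional[int] = None,
                       leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts

    # 1. Signature first; reject alg=none and anything we did not expect.
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))

    # 2. iss: exact string match, no prefix or case tolerance.
    if claims.get("iss") != RWX_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")

    # 3. aud: may be a string or a list per the JWT spec; ours must be present.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError(f"audience {aud!r} does not include {expected_aud!r}")

    # 4. sub: binds the token to one vault; any vault can mint our audience.
    if claims.get("sub") != expected_sub:
        raise ValueError(f"unexpected subject {claims.get('sub')!r}")

    # 5. exp / iat: integer Unix timestamps, with a small clock-skew allowance.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        raise ValueError("token expired")
    if not isinstance(iat, int) or iat > now + leeway:
        raise ValueError("token issued in the future")

    # run_id / run_url / task_id / task_url are returned for audit logging.
    return claims


if __name__ == "__main__":
    secret = b"demo-secret-not-a-real-key"
    t0 = 1_700_000_000
    # Constructed sample claims; sub and aud values are placeholders.
    demo = {"iss": RWX_ISSUER, "sub": "example-vault-subject",
            "aud": "my-deploy-target", "exp": t0 + 300, "iat": t0,
            "run_id": "run-example", "run_url": "https://cloud.rwx.com/mint/example",
            "task_id": "task-example", "task_url": "https://cloud.rwx.com/mint/example"}
    ok = validate_rwx_token(mint_demo_token(demo, secret), secret,
                            "my-deploy-target", "example-vault-subject", now=t0 + 10)
    print("accepted token from run", ok["run_id"])
```

The checks are ordered so the cheapest rejection of a forged token (the signature) happens before any claim is trusted, and `sub` is compared in addition to `aud` because the audience string is chosen by whoever configures the token, not by the relying party.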