oidc-token
This module provides functions to obtain OIDC JWT tokens from various CI/CD providers (GitHub Actions, GitLab CI, CircleCI). These tokens can then be used with cloud provider authentication modules (gcp-auth, aws-auth, etc.) for keyless authentication via Workload Identity Federation.
Supported CI Providers:
- GitHub Actions (via ACTIONS_ID_TOKEN_REQUEST_* env vars)
- GitLab CI (via CI_JOB_JWT_V2 env var)
- CircleCI (via CIRCLE_OIDC_TOKEN env var)
Installation
dagger install github.com/telchak/daggerverse/oidc-token@v0.1.0
Entrypoint
Return Type
OidcToken !
Example
CLI
```shell
dagger -m github.com/telchak/daggerverse/oidc-token@010621c997378db92da5969584001be575c5e5a7 call \
```
Go
```go
func (m *MyModule) Example() *dagger.OidcToken {
	return dag.
		OidcToken()
}
```
Python
```python
@function
def example() -> dagger.OidcToken:
    return (
        dag.oidc_token()
    )
```
TypeScript
```typescript
@func()
example(): OidcToken {
  return dag
    .oidcToken()
}
```
Types
OidcToken
Universal OIDC token handling for various CI/CD providers.
circleciToken()
Pass through CircleCI OIDC JWT token.
CircleCI provides the OIDC token directly as CIRCLE_OIDC_TOKEN env var. This function validates and returns it as a Secret.
Requires OIDC to be enabled in your CircleCI project settings.
Return Type
Secret !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| oidcToken | Secret ! | - | CIRCLE_OIDC_TOKEN from CircleCI |
Example
CLI
```shell
dagger -m github.com/telchak/daggerverse/oidc-token@010621c997378db92da5969584001be575c5e5a7 call \
  circleci-token --oidc-token env:MYSECRET
```
Go
```go
func (m *MyModule) Example(oidcToken *dagger.Secret) *dagger.Secret {
	return dag.
		OidcToken().
		CircleciToken(oidcToken)
}
```
Python
```python
@function
def example(oidc_token: dagger.Secret) -> dagger.Secret:
    return (
        dag.oidc_token()
        .circleci_token(oidc_token)
    )
```
TypeScript
```typescript
@func()
example(oidcToken: Secret): Secret {
  return dag
    .oidcToken()
    .circleciToken(oidcToken)
}
```
githubToken()
Fetch OIDC JWT token from GitHub Actions.
GitHub Actions provides OIDC tokens via a REST endpoint. This function fetches the token with the specified audience claim.
Requires id-token: write permission in your workflow.
Return Type
Secret !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| requestToken | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_TOKEN |
| requestUrl | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_URL |
| audience | String ! | - | The audience claim for the token (e.g., GCP WIF provider) |
Example
CLI
```shell
dagger -m github.com/telchak/daggerverse/oidc-token@010621c997378db92da5969584001be575c5e5a7 call \
  github-token --request-token env:MYSECRET --request-url env:MYSECRET --audience string
```
Go
```go
func (m *MyModule) Example(requestToken *dagger.Secret, requestUrl *dagger.Secret, audience string) *dagger.Secret {
	return dag.
		OidcToken().
		GithubToken(requestToken, requestUrl, audience)
}
```
Python
```python
@function
def example(request_token: dagger.Secret, request_url: dagger.Secret, audience: str) -> dagger.Secret:
    return (
        dag.oidc_token()
        .github_token(request_token, request_url, audience)
    )
```
TypeScript
```typescript
@func()
example(requestToken: Secret, requestUrl: Secret, audience: string): Secret {
  return dag
    .oidcToken()
    .githubToken(requestToken, requestUrl, audience)
}
```
gitlabToken()
Pass through GitLab CI OIDC JWT token.
GitLab CI provides the OIDC token directly as CI_JOB_JWT_V2 env var. This function validates and returns it as a Secret.
Requires id_tokens configuration in your .gitlab-ci.yml.
Return Type
Secret !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| ciJobJwt | Secret ! | - | CI_JOB_JWT_V2 from GitLab CI |
Example
CLI
```shell
dagger -m github.com/telchak/daggerverse/oidc-token@010621c997378db92da5969584001be575c5e5a7 call \
  gitlab-token --ci-job-jwt env:MYSECRET
```
Go
```go
func (m *MyModule) Example(ciJobJwt *dagger.Secret) *dagger.Secret {
	return dag.
		OidcToken().
		GitlabToken(ciJobJwt)
}
```
Python
```python
@function
def example(ci_job_jwt: dagger.Secret) -> dagger.Secret:
    return (
        dag.oidc_token()
        .gitlab_token(ci_job_jwt)
    )
```
TypeScript
```typescript
@func()
example(ciJobJwt: Secret): Secret {
  return dag
    .oidcToken()
    .gitlabToken(ciJobJwt)
}
```
tokenClaims()
Decode and display the claims from an OIDC JWT token (for debugging).
Note: This only decodes the payload, it does not verify the signature.
Return Type
String !
Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| token | Secret ! | - | OIDC JWT token to inspect |
Example
CLI
```shell
dagger -m github.com/telchak/daggerverse/oidc-token@010621c997378db92da5969584001be575c5e5a7 call \
  token-claims --token env:MYSECRET
```
Go
```go
func (m *MyModule) Example(ctx context.Context, token *dagger.Secret) string {
	return dag.
		OidcToken().
		TokenClaims(ctx, token)
}
```
Python
```python
@function
async def example(token: dagger.Secret) -> str:
    return await (
        dag.oidc_token()
        .token_claims(token)
    )
```
TypeScript
```typescript
@func()
async example(token: Secret): Promise<string> {
  return dag
    .oidcToken()
    .tokenClaims(token)
}
```
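The audience argument of githubToken() and the unverified decode that tokenClaims() performs, shown together as an added Go example that is not part of this module's code: it splits a compact JWT, base64url-decodes the payload without checking the signature (exactly the limitation the note above describes), and then applies the audience and expiry checks a caller should make before handing the token to a cloud auth module. The Claims struct, SampleToken and the audience value "wif-provider" are assumptions constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims: the JWT claims this example inspects. Assumption: "aud" is a single
// string (as in GitHub Actions tokens), not the array form the spec allows.
type Claims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"` // unix seconds
}

// DecodeClaims base64url-decodes the payload WITHOUT verifying the signature,
// which is all tokenClaims() does; the relying party (cloud WIF) verifies it.
func DecodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWS: want header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &c) // payload must be a JSON object
	}
	return c, err
}

// CheckClaims: cheap offline checks before handing the token to gcp-auth or
// aws-auth: aud must match the --audience you requested; exp must be ahead.
func CheckClaims(c Claims, wantAud string, now int64) error {
	if c.Aud != wantAud {
		return fmt.Errorf("audience %q != expected %q", c.Aud, wantAud)
	}
	if now >= c.Exp {
		return fmt.Errorf("token expired at unix %d", c.Exp)
	}
	return nil
}

// SampleToken builds a constructed, unsigned token (dummy signature segment)
// so the example runs offline; real tokens come from the CI provider.
func SampleToken(c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}
```

Because DecodeClaims never touches the signature segment, a passing CheckClaims only means the token is well-formed and addressed to you; trust still comes from the provider verifying it against the issuer's JWKS.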