Lib.rs

Authentication
#sigstore #oidc #trusted-publishing

ambient-id

Detects ambient OIDC credentials in a variety of environments

by William Woodruff

10 releases

Uses new Rust 2024

new 0.0.11 Feb 9, 2026
0.0.10 Feb 4, 2026
0.0.7 Dec 9, 2025
0.0.6 Nov 14, 2025
0.0.5 Sep 10, 2025

#82 in Authentication

Download history 4848/week @ 2025-10-20 7026/week @ 2025-10-27 5425/week @ 2025-11-03 7807/week @ 2025-11-10 6865/week @ 2025-11-17 6938/week @ 2025-11-24 8856/week @ 2025-12-01 5819/week @ 2025-12-08 6076/week @ 2025-12-15 1806/week @ 2025-12-22 5492/week @ 2025-12-29 7684/week @ 2026-01-05 13655/week @ 2026-01-12 11672/week @ 2026-01-19 7087/week @ 2026-01-26 10026/week @ 2026-02-02

43,025 downloads per month
Used in 8 crates (2 directly)

MIT/Apache

33KB
563 lines

ambient-id

Crates.io Version

A library for accessing ambient OIDC credentials in a variety of environments.

This crate serves the same purpose as Python's id library.

Supported environments

ambient-id currently supports ambient OIDC credential detection in the following environments:

  • GitHub Actions

    • GitHub Actions requires the id-token: write permission to be set at the job or workflow level. In general, users should set this at the job level to limit the scope of the permission.

      For additional information on OpenID Connect in GitHub Actions, see the GitHub documentation.

  • GitLab CI

    • On GitLab, this crate looks for an <AUD>_ID_TOKEN environment variable, where <AUD> is the audience string with non-alphanumeric characters replaced by underscores and converted to uppercase. For example, if the audience is sigstore, the crate will look for a SIGSTORE_ID_TOKEN environment variable.

      For additional information on OpenID Connect and <AUD>_ID_TOKEN environment variables, see the GitLab documentation.

  • Buildkite

    • On Buildkite, this crate invokes buildkite-agent oidc request-token --audience <AUD> to obtain the token.

      If you're using Buildkite's Docker plugin, you'll need to propagate the environment and mount the Buildkite agent binary into the container for this to work correctly.

      Specifically, you'll need propagate-environment: true and mount-buildkite-agent: true set in your plugin configuration.

      For additional information on OpenID Connect in Buildkite, see the Buildkite documentation.

  • CircleCI

    • On CircleCI, this crate invokes circleci run oidc get --root-issuer --claims '{"aud": <AUD>}' to obtain the token.

      This crate only uses --root-issuer; per-organization issuers aren't supported.

Development

To run tests:

RUST_TEST_THREADS=1 cargo test

You must pass RUST_TEST_THREADS=1 to ensure tests are run in a single thread, as this crate's tests manipulate environment variables and are not thread-safe.

License

ambient-id is licensed under either of

at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in ambient-id by you, as defined in the Apache-2.0 license, shall be dually licensed as above, without any additional terms or conditions.

Dependencies

~4–22MB
~240K SLoC