
ci-id

Ambient OIDC credentials detection on CI systems

3 releases

new 0.1.2 Oct 29, 2024
0.1.1 Oct 29, 2024
0.1.0 Oct 29, 2024

#536 in Authentication


274 downloads per month
Used in ci-id-bin

Apache-2.0

21KB
426 lines

ci-id -- Ambient credentials detection for CI systems


ci-id provides easy access to ambient OIDC credentials in CI systems.

use ci_id::{detect_credentials, CIIDError};

fn main() -> Result<(), CIIDError> {
    // Ask the detected CI environment for an OIDC token scoped to this audience.
    let token = detect_credentials(Some("myaudience"))?;
    println!("Ambient OIDC token detected: {}", token);
    Ok(())
}

See ci-id-bin crate for a simple CLI wrapper.

ci-id is based on id, a similar Python project.

Supported environments

Currently supported environments are:

  • GitHub Actions
  • GitLab CI/CD
  • CircleCI

See documentation for details on what configuration each of these environments needs.

License

ci-id is licensed under the Apache 2.0 License.


lib.rs:

ci-id provides easy access to ambient OIDC credentials in CI systems like GitHub Actions.

fn main() {
    // Detect the CI environment and request a token for the given audience;
    // on failure the error explains which environment or configuration was missing.
    match ci_id::detect_credentials(Some("my-audience")) {
        Ok(token) => println!("{}", token),
        Err(e) => eprintln!("{}", e),
    }
}

Environment specific setup

Typically the CI environment needs to allow OIDC identity access.

GitHub Actions

Workflow must be given the permission to use the workflow identity:

permissions:
    id-token: write

GitLab Pipelines

An ID token must be defined in the pipeline:

id_tokens:
    MY_AUDIENCE_ID_TOKEN:
        aud: my-audience

The ID token name must be derived from the audience, so the token name is either:

  • ID_TOKEN for the default audience
  • <AUD>_ID_TOKEN where <AUD> is the audience string sanitized for environment variable names (uppercased, with every character outside ASCII letters and digits replaced by "_")
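The sanitization rule above, worked through as an added example (not ci-id's own code): it derives the GitLab variable name for an audience and reads the token from the environment. Treating an empty value as "no token" is an assumption of this example, not something the crate documents.

```rust
// Added example, not part of ci-id: derive the GitLab CI token variable name
// from an audience and look it up in the environment.
use std::env;

/// Sanitize an audience for use in an environment variable name: uppercase,
/// and replace every character outside ASCII letters/digits with '_'.
fn sanitize_audience(aud: &str) -> String {
    aud.chars()
        .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_uppercase() } else { '_' })
        .collect()
}

/// Name of the variable GitLab exposes: ID_TOKEN for the default audience
/// (None), <AUD>_ID_TOKEN otherwise.
fn gitlab_token_var(audience: Option<&str>) -> String {
    match audience {
        None => "ID_TOKEN".to_string(),
        Some(aud) => format!("{}_ID_TOKEN", sanitize_audience(aud)),
    }
}

/// Read the token for the audience; an empty value is treated as absent
/// (assumption of this example, so a misconfigured job fails loudly).
fn gitlab_token(audience: Option<&str>) -> Option<String> {
    env::var(gitlab_token_var(audience)).ok().filter(|t| !t.is_empty())
}

fn main() {
    let aud = Some("my-audience");
    match gitlab_token(aud) {
        Some(t) => println!("read {} chars from {}", t.len(), gitlab_token_var(aud)),
        None => eprintln!("no ID token in {}; check the id_tokens: block", gitlab_token_var(aud)),
    }
}
```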

CircleCI

No configuration is needed.

Dependencies

~6–17MB
~249K SLoC