๐Ÿ“ฆ astral-sh / ambient-id

A library for accessing ambient OpenID Connect tokens

โ˜… 4 stars โ‘‚ 2 forks ๐Ÿ‘ 4 watching โš–๏ธ Apache License 2.0
authenticationgithub-actionsgitlab-cioidc
ambient-id
๐Ÿ“ฅ Clone https://github.com/astral-sh/ambient-id.git
HTTPS git clone https://github.com/astral-sh/ambient-id.git
SSH git clone git@github.com:astral-sh/ambient-id.git
CLI gh repo clone astral-sh/ambient-id
ZIP Desktop VS Code
William Woodruff William Woodruff chore: prep 0.0.7 (#20) 2628d86 1 months ago ๐Ÿ“ History
๐Ÿ“‚ main View all commits โ†’
๐Ÿ“ .buildkite
๐Ÿ“ .github
๐Ÿ“ src
๐Ÿ“„ .gitignore
๐Ÿ“„ Cargo.lock
๐Ÿ“„ Cargo.toml
๐Ÿ“„ LICENSE-APACHE
๐Ÿ“„ LICENSE-MIT
๐Ÿ“„ README.md
๐Ÿ“„ README.md

ambient-id

Crates.io Version

A library for accessing ambient OIDC credentials in a variety of environments.

This crate serves the same purpose as Python's [id] library.

Supported environments

ambient-id currently supports ambient OIDC credential detection in the following environments:

  • GitHub Actions
  • GitHub Actions requires the id-token: write permission to be set
at the job or workflow level. In general, users should set this at the job level to limit the scope of the permission.

For additional information on OpenID Connect in GitHub Actions, see the [GitHub documentation].

  • GitLab CI
  • On GitLab, this crate looks for an <AUD>_ID_TOKEN environment variable,
where <AUD> is the audience string with non-alphanumeric characters replaced by underscores and converted to uppercase. For example, if the audience is sigstore, the crate will look for a SIGSTORE_ID_TOKEN environment variable.

For additional information on OpenID Connect and <AUD>_ID_TOKEN environment variables, see the [GitLab documentation].

  • BuildKite
  • On BuildKite, this crate invokes
buildkite-agent oidc request-token --audience <AUD> to obtain the token.

If you're using BuildKite's [Docker plugin], you'll need to propagate the environment and mount the BuildKite agent binary into the container for this to work correctly.

Specifically, you'll need propagate-environment: true and mount-buildkite-agent: true set in your plugin configuration.

For additional information on OpenID Connect in BuildKite, see the [BuildKite documentation].

Development

To run tests:

RUST_TEST_THREADS=1 cargo test

You must pass RUST_TEST_THREADS=1 to ensure tests are run in a single thread, as this crate's tests manipulate environment variables and are not thread-safe.

License

ambient-id is licensed under either of

  • Apache License, Version 2.0, ([LICENSE-APACHE] or https://www.apache.org/licenses/LICENSE-2.0)
  • MIT license ([LICENSE-MIT] or https://opensource.org/licenses/MIT)
at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in ambient-id by you, as defined in the Apache-2.0 license, shall be dually licensed as above, without any additional terms or conditions.

Made by Astral