Secretless Authorization (Using OIDC)

← Back to Changelog A light orange image with a padlock. The header image for the changelog announcement for secretless Gitpod workspaces announcement post.

A light orange image with a padlock. The header image for the changelog announcement for secretless Gitpod workspaces announcement post.

July 12, 2023

Secretless Authorization (Using OIDC)

With Gitpod you can use OIDC to connect Gitpod workspaces to cloud providers or third parties such as AWS, Azure, GCP, or secret management services like Vault. Using OIDC integration eliminates the need to manually distribute access credentials, secrets, and other key material via other methods such as environment variables.
Use gp idp token in any workspace (works in .gitpod.yml and with prebuilds) to retrieve the workspace JWT token for exchange with the OIDC supporting 3rd party.

Getting started

ℹ️ Note: The following shows how you can connect AWS to a Gitpod Cloud workspace. Steps can vary based on the 3rd party you are integrating and the domain of your Gitpod installation, see the documentation below for details.

Setup Gitpod as an AWS Identity Provider (Using https://api.gitpod.io/idp as the Audience).
Create an AWS role with permissions to perform sts:AssumeRoleWithWebIdentity.
Update your .gitpod.yml to exchange your workspace JWT token for an access token.

language:

bash

gp idp login aws --role-arn <your-iam-role-arn>
aws secretsmanager get-secret-value --secret-id database_connection_string

See Workspace OIDC and the AWS Integration Guide for more.