
Bug: sam pipeline bootstrap --oidc-provider gitlab with a custom gitlab url creates an identity provider with excessive / suffix #7432

Open
@hakandilek

Description:

I am calling sam pipeline bootstrap with GitLab as the OIDC provider, with my own GitLab instance hosted at e.g. https://own-gitlab.com. This creates an identity provider with the name own-gitlab.com/ (mind the trailing slash) and the audience https://own-gitlab.com, which fails to assume the role later.

Steps to reproduce:

Run the CLI command

sam pipeline bootstrap --no-interactive --no-create-image-repository --no-confirm-changeset \
  --stage dev --region eu-central-1 \
  --permissions-provider oidc --oidc-provider gitlab \
  --oidc-provider-url https://own-gitlab.com \
  --oidc-client-id https://own-gitlab.com \
  --gitlab-group bar --gitlab-project foo

Observed result:

Creates the Identity provider own-gitlab.com/ (trailing slash) with audience https://own-gitlab.com.

This leads to an error for assume-role command later:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://own-gitlab.com/

Expected result:

Identity provider own-gitlab.com (WITHOUT the trailing slash) with audience https://own-gitlab.com should be created.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

{
  "version": "1.122.0",
  "system": {
    "python": "3.12.5",
    "os": "macOS-14.6.1-arm64-arm-64bit"
  },
  "additional_dependencies": {
    "docker_engine": "25.0.5",
    "aws_cdk": "Not available",
    "terraform": "1.9.4"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

Add --debug flag to command you are running
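
A diagnostic for the mismatch reported above, as an added example that is not part of the original issue or of the SAM CLI code base: it reads the `iss` claim from a CI job token and compares it with the IAM OIDC provider ARNs in the account, flagging a provider that differs from the issuer only by a trailing slash. The function names, the sample token and the account ID `123456789012` are constructed, and the check assumes IAM requires the provider URL to match the token's `iss` claim exactly.

```python
import base64
import json

def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: token claims and account ID are made up for illustration.
SAMPLE_TOKEN = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"iss": "https://own-gitlab.com", "aud": "https://own-gitlab.com"}),
    "signature-not-checked",
])
SAMPLE_ARNS = ["arn:aws:iam::123456789012:oidc-provider/own-gitlab.com/"]

def jwt_issuer(token):
    """Read the iss claim WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]

def provider_url_from_arn(arn):
    """Return the host/path part of an IAM OIDC provider ARN."""
    marker = ":oidc-provider/"
    if marker not in arn:
        raise ValueError(f"not an OIDC provider ARN: {arn}")
    return arn.split(marker, 1)[1]

def classify(issuer, provider_arns):
    """Return (status, arn): 'match', 'trailing-slash-mismatch' or 'missing'."""
    scheme = "https://"
    want = issuer[len(scheme):] if issuer.startswith(scheme) else issuer
    near = None
    for arn in provider_arns:
        have = provider_url_from_arn(arn)
        if have == want:
            return ("match", arn)
        # Remember the first provider that differs only by trailing slashes.
        if near is None and have.rstrip("/") == want.rstrip("/"):
            near = arn
    if near:
        return ("trailing-slash-mismatch", near)
    return ("missing", None)

if __name__ == "__main__":
    print(classify(jwt_issuer(SAMPLE_TOKEN), SAMPLE_ARNS))
```

In real use the ARN list would come from `aws iam list-open-id-connect-providers`, and the token from the CI job's ID token.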
