Skip to content

add a retry to retrieve the CIRCLE_OIDC_TOKEN if it doesn't exist in … #221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 16, 2025
Merged

add a retry to retrieve the CIRCLE_OIDC_TOKEN if it doesn't exist in … #221

merged 2 commits into from
Apr 16, 2025

Conversation

@imlogang
Copy link
Contributor

Checklist

  • All new jobs, commands, executors, parameters have descriptions
  • Examples have been added for any significant new features
  • README has been updated, if necessary

Motivation, issues

Sometimes, the CIRCLE_OIDC_TOKEN/V2 is missing from a job.
With the CircleCI CLI in jobs, you can configure a new token based on any audience.
This utilizes the built-in CIRCLE_ORGANIZATION_ID environment variable as the audience, similar to the current token that's injected into your job.

Description

Currently, the AWS CLI Orb errors out, which requires you to rerun the workflow.
This provides a retry mechanism to try 3 times to retrieve a new token based on the

@imlogang imlogang requested a review from a team as a code owner April 16, 2025 16:44
@anthony-j-castro anthony-j-castro requested a review from a team April 16, 2025 16:59
@marboledacci marboledacci merged commit c4143ac into CircleCI-Public:master Apr 16, 2025
2 checks passed
ohjinsoo
ohjinsoo reviewed Apr 17, 2025
View reviewed changes
src/scripts/assume_role_with_web_identity.sh
echo "Successfully set CIRCLE_OIDC_TOKEN"
echo 'export CIRCLE_OIDC_TOKEN="'"$CIRCLE_OIDC_TOKEN"'"' >> "$BASH_ENV"
echo 'export CIRCLE_OIDC_TOKEN_V2="'"$CIRCLE_OIDC_TOKEN"'"' >> "$BASH_ENV"
exit 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi I was reviewing the script and was wondering why we would want to exit out of here? Wouldn't we want to exit the for loop and continue the script?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ohjinsoo!

In this version of this script, if the exit 0 was not there, even if it were able to get a new token, it would trigger the last echo "failed to set ..." message.
The exit 0 in this case exits the scripts entirely once we confirm that we have a token set.

Copy link
Contributor

@ohjinsoo ohjinsoo Apr 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, but the command aws-cli/setup is used to setup AWS creds. By exiting here, you won't be setting AWS creds, and you'd have to run the same command again which doesn't seem ideal.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. I've created a new PR for this #224

@imlogang imlogang mentioned this pull request Apr 18, 2025
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marboledacci marboledacci marboledacci approved these changes

+1 more reviewer

@ohjinsoo ohjinsoo ohjinsoo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@imlogang @ohjinsoo @marboledacci