Setting Up OpenID Connect with GitLab CI/CD to Provide Secure Access to Environments in AWS Accounts

This article explains how to set up OpenID Connect (OIDC) between GitLab CI/CD and AWS for secure, federated access to AWS environments.

  • OIDC provides more granular, secure authentication than storing long-lived AWS keys or relying on instance roles
  • Configure an OIDC identity provider in AWS IAM that trusts GitLab.com
  • Create IAM roles whose trust policy conditions limit access to specific GitLab groups, projects, or branches
  • Store the role ARN and region as GitLab CI/CD variables for pipeline jobs
  • Enable ID token (JWT) generation in GitLab jobs, with an audience value matching the one configured on the IAM identity provider
  • Use the AWS CLI with web identity federation to assume the role and obtain temporary credentials
  • An example deployment job demonstrates an ECS service update authenticated through OIDC
  • OIDC offers better security and granularity but requires more configuration than the alternatives

OIDC federation between GitLab and AWS enables secure, temporary credential access with fine-grained control at the branch level, making it ideal for hardening CI/CD pipelines accessing AWS services.
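A pipeline job that wires these steps together, as an added example and not code from the article. The CI/CD variables ROLE_ARN, AWS_REGION, ECS_CLUSTER and ECS_SERVICE, and the claim values the role's trust policy is assumed to check, are assumptions.

```yaml
# .gitlab-ci.yml (added example). Assumes the IAM role's trust policy requires
# gitlab.com:aud = https://gitlab.com and a gitlab.com:sub that matches
# project_path:<group>/<project>:ref_type:branch:ref:main, so only this
# project's main branch can assume it.
deploy:
  stage: deploy
  image:
    name: amazon/aws-cli:latest
    entrypoint: [""]
  id_tokens:
    # GitLab mints a short-lived JWT and exposes it as $GITLAB_OIDC_TOKEN.
    # The aud value must match the client ID (audience) configured on the
    # IAM identity provider, or AWS rejects the token.
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  rules:
    # Keep the job to the branch the trust policy allows.
    - if: $CI_COMMIT_BRANCH == "main"
  script:
    # Exchange the JWT for temporary credentials; no AWS keys are stored in GitLab.
    - >
      STS_OUTPUT=$(aws sts assume-role-with-web-identity
      --role-arn "$ROLE_ARN"
      --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token "$GITLAB_OIDC_TOKEN"
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text)
    - export AWS_ACCESS_KEY_ID=$(echo "$STS_OUTPUT" | cut -f1)
    - export AWS_SECRET_ACCESS_KEY=$(echo "$STS_OUTPUT" | cut -f2)
    - export AWS_SESSION_TOKEN=$(echo "$STS_OUTPUT" | cut -f3)
    - export AWS_DEFAULT_REGION="$AWS_REGION"
    # Sanity check: the caller should be the assumed role, not an IAM user.
    - aws sts get-caller-identity
    # The deployment itself runs with the temporary, branch-scoped credentials.
    - aws ecs update-service --cluster "$ECS_CLUSTER" --service "$ECS_SERVICE" --force-new-deployment
```

The role session name embeds the project and pipeline IDs so that CloudTrail entries for the assumed role can be traced back to the exact pipeline run.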
