OpenID Connect for AWS
Authenticate your Render services with AWS using OIDC.
OIDC authentication to AWS is in public beta.
See beta limitations.
With a Pro workspace or higher, you can configure your Render services to authenticate with AWS using OpenID Connect (OIDC). Render manages a short-lived authentication token for each of your services that automatically rotates as needed.
First-time setup
1. Add Render as an AWS Identity Provider
- From your IAM Dashboard in the AWS Management Console, navigate to Identity Providers.
- Add a new provider with the following settings:
  - Provider Type: OpenID Connect
  - Provider URL: oidc.render.com/{YOUR_WORKSPACE_ID}, replacing {YOUR_WORKSPACE_ID} with your workspace's ID, available from the top of its Settings page in the Render Dashboard (starts with tea-).
  - Audience: sts.amazonaws.com
- Click Add provider.
- Copy the ARN for the newly created provider. You'll use this value when configuring trust relationships for AWS roles in the next step.
2. Associate AWS roles with Render's OIDC identity
Do the following for each AWS role you want to assign to your Render services:
- From your IAM Dashboard in the AWS Management Console, navigate to Roles.
- Create a new Custom trust policy role (or modify an existing one).
- Under Trust Relationship, add the trust statement object to the Statement array, substituting your provider ARN and workspace ID where indicated.
- Optionally, add finer-grained validation on the OIDC subject by checking the oidc.render.com/{WORKSPACE_ID}:sub value. The subject includes an ENVIRONMENT_ID segment:
  - To obtain an environment's ID, open its Settings page in the Render Dashboard and copy its ID from the URL. This value starts with evm-.
  - For services that don't belong to any environment, the value of ENVIRONMENT_ID is default.
  Conditions on this value let you limit the role to specific environments or services instead of every service in the workspace. Note that default is shared by all services outside an environment, so a condition that matches only on it does not single out one service.
After you've created and updated your roles, copy their ARN values. You'll use these values when assigning roles to individual Render services in the next section.
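The trust statement itself is not reproduced on this page. The following Python is an added example, not Render's or AWS's own code: it builds the standard AWS web-identity trust statement for the provider created in step 1 (federated principal, sts:AssumeRoleWithWebIdentity, audience pinned to sts.amazonaws.com, optional StringLike conditions on sub) and then models how STS evaluates those conditions against a token's claims, so you can see which tokens a given Condition admits before you deploy anything. The provider ARN, workspace ID and the sub strings used in the checks are constructed placeholders; the exact layout of Render's sub claim is not reproduced here, so the example pattern only assumes that the environment ID appears somewhere inside it.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed placeholders, not real identifiers.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/oidc.render.com/tea-exampleworkspace"
WORKSPACE_ID = "tea-exampleworkspace"


def render_trust_statement(provider_arn: str, workspace_id: str,
                           sub_patterns: Optional[List[str]] = None) -> dict:
    """Build the statement to add to the role's trust policy Statement array.

    Shape is AWS's standard web-identity trust statement: the federated
    principal is the OIDC provider from step 1, the only action is
    sts:AssumeRoleWithWebIdentity, and the audience is pinned to the value
    entered when the provider was created. sub_patterns, if given, narrows
    the role further to subjects matching the IAM StringLike patterns.
    """
    key_prefix = f"oidc.render.com/{workspace_id}"
    condition: Dict[str, Dict[str, object]] = {
        "StringEquals": {f"{key_prefix}:aud": "sts.amazonaws.com"},
    }
    if sub_patterns:
        condition["StringLike"] = {f"{key_prefix}:sub": list(sub_patterns)}
    return {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }


def trust_policy_document(statement: dict) -> str:
    """Wrap one statement in a complete trust policy, ready to paste into IAM."""
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


def _iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def statement_allows(statement: dict, claims: Dict[str, str], workspace_id: str) -> bool:
    """Model how STS checks the statement's Condition block against token claims.

    Condition keys have the form oidc.render.com/{workspace_id}:{claim}. A key
    whose prefix names a different provider, or a claim the token does not
    carry, fails closed, as it does in IAM. Only the two operators used above
    are modelled.
    """
    key_prefix = f"oidc.render.com/{workspace_id}"
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            prefix, _, claim_name = key.rpartition(":")
            actual = claims.get(claim_name)
            if prefix != key_prefix or actual is None:
                return False
            candidates = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                matched = actual in candidates
            elif operator == "StringLike":
                matched = any(_iam_string_like(p, actual) for p in candidates)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not matched:
                return False
    return True


if __name__ == "__main__":
    # The pattern assumes only that the environment ID appears inside sub; it
    # does not depend on the exact layout of Render's subject string.
    statement = render_trust_statement(PROVIDER_ARN, WORKSPACE_ID, sub_patterns=["*evm-prodenv*"])
    print(trust_policy_document(statement))
```

The StringEquals on aud is the minimum: without a sub condition, any service in the workspace whose AWS_ROLE_ARN points at this role can assume it. A pattern built around an environment ID restricts the role to that environment; for a single service, prefer StringEquals on the full sub value once you have read it from a real token.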
Connecting individual services
After you complete first-time setup, you can configure individual Render services to authenticate with AWS.
Do the following for each service you want to connect:
- Add an environment variable named AWS_ROLE_ARN to your service. Set its value to the ARN of the role you want to assign to the service. You can assign only one role per service.
- Redeploy the service with the new environment variable.
During the deploy, Render detects the new environment variable and automatically sets an additional environment variable named AWS_WEB_IDENTITY_TOKEN_FILE to the file path of your service's OIDC credentials. AWS SDKs and the AWS CLI read AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE as part of their default credential chain and call sts:AssumeRoleWithWebIdentity for you, so the service needs no stored AWS access keys.
Do not manually set the AWS_WEB_IDENTITY_TOKEN_FILE environment variable.
If you do, it might not match the credentials Render automatically sets.
Beta limitations
These limitations will be addressed following the public beta period:
- OIDC auth is not currently available in your service's build environment, so your build command can't use it.
- OIDC auth is available in the environment that runs your service's pre-deploy command (if you set one).
- OIDC auth does not currently enable image-backed services to pull private images from AWS ECR. These services can still pull private images from ECR using a separately generated credential.
Troubleshooting
"No OpenIDConnect provider found in your account for https://oidc.render.com/WORKSPACE_ID"
The AWS identity provider for Render is missing or was set up incorrectly in the AWS account that owns the role. The URL in the message is the iss claim of the token your service presented: make sure the Provider URL you registered matches it exactly, including the workspace ID, and that the provider exists in the same account as the role you are assuming.
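To diagnose this error from inside a connected service, read the token Render wrote to AWS_WEB_IDENTITY_TOKEN_FILE and compare its claims with what step 1 registered in IAM. The following Python is an added example, not Render's code: it decodes the JWT payload without verifying the signature (STS does the verification; this is only a configuration check) and reports any mismatch in issuer, audience or expiry. The expected issuer https://oidc.render.com/{WORKSPACE_ID} is the URL STS quotes in the error above; the workspace ID is passed as a command-line argument, and the sample token used for offline checks is constructed and unsigned.

```python
import base64
import json
import os
import sys
import time
from typing import List, Optional

EXPECTED_AUDIENCE = "sts.amazonaws.com"  # the Audience entered when the provider was created


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWT encoding strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload without verifying its signature.

    Verification is STS's job (it fetches the issuer's keys); this check only
    reads the claims to compare them with the IAM provider configuration.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_web_identity_token(token: str, workspace_id: str,
                             now: Optional[float] = None) -> List[str]:
    """Compare the token's claims with what first-time setup registered in IAM.

    Returns human-readable problems; an empty list means issuer, audience and
    expiry are consistent with the provider URL and audience from step 1.
    """
    claims = decode_jwt_claims(token)
    expected_iss = f"https://oidc.render.com/{workspace_id}"  # the URL STS quotes in the error
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}; IAM provider URL must be {expected_iss!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"aud is {aud!r}; provider audience must be {EXPECTED_AUDIENCE!r}")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token has expired; re-read AWS_WEB_IDENTITY_TOKEN_FILE instead of caching it")
    return problems


def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned token in JWT layout (the signature segment is a dummy).

    Render's real tokens are signed; this helper exists only so the check can
    be exercised offline without a Render service.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    # Usage inside a connected Render service: python check_token.py tea-yourworkspace
    token_path = os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]  # set by Render at deploy time
    with open(token_path) as fh:
        issues = check_web_identity_token(fh.read(), sys.argv[1])
    print("role:", os.environ.get("AWS_ROLE_ARN"))
    print("ok" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Read the file fresh each time rather than copying its contents into another variable or secret: Render rotates the token, and a cached copy will eventually fail with an expiry error that looks like a configuration problem.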