OpenID Connect on Render

Authenticate Render services with AWS using OIDC.

OIDC support is currently in closed alpha.

You can configure your Render services to authenticate with AWS securely using OpenID Connect (OIDC). Render manages a short-lived authentication token for each service that automatically rotates as needed.

First-time setup

1. Add Render as an AWS Identity Provider

From your IAM Dashboard in the AWS Management Console, navigate to Identity Providers.

Add a new provider with the following settings:

Provider Type

OpenID Connect

Provider URL

oidc.render.com/{YOUR_WORKSPACE_ID}

Replace {YOUR_WORKSPACE_ID} with your workspace's ID, available from the top of its Settings page in the Render Dashboard (starts with tea-).

Audience

sts.amazonaws.com

Click Add provider.
Copy the ARN for the newly created provider. You'll use this value when configuring trust relationships for AWS roles in the next step.

2. Associate AWS roles with Render's OIDC identity

Do the following for each AWS role you want to assign to your Render services:

From your IAM Dashboard in the AWS Management Console, navigate to Roles.
Create a new Custom trust policy role (or modify an existing one).

Under Trust Relationship, add the highlighted object to the Statement array, substituting your provider ARN and workspace ID where indicated:

json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "{YOUR_PROVIDER_ARN}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.render.com/{YOUR_WORKSPACE_ID}:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Optionally, you can add finer-grained validation on the OIDC subject by checking the oidc.render.com/{WORKSPACE_ID}:sub value, which has the following format:
plaintext
```
workspace:{WORKSPACE_ID}:environment:{ENVIRONMENT_ID}:service:{SERVICE_ID}
```
- To obtain an environment's ID, open its Settings page in the Render Dashboard and copy its ID from the URL. This value starts with evm-.
- For services that don't belong to any environment, the value of ENVIRONMENT_ID is default.
Here are some example Conditions that you can use to limit the role to specific services:
json
```
// Limit to services in workspace `tea-abc123`
// that belong to environment `evm-def456`
"StringLike": {
    "oidc.render.com/{YOUR_WORKSPACE_ID}:sub": "workspace:tea-abc123:environment:evm-def456:service:*"
}

// Limit to the single service with ID `srv-ghi789`
"StringLike": {
    "oidc.render.com/{YOUR_WORKSPACE_ID}:sub": "workspace:*:environment:*:service:srv-ghi789"
}
```

After you've created and updated your roles, copy their ARN values. You'll use these values when assigning roles to individual Render services in the next section.

Connecting individual services

After you complete first-time setup, you can configure individual Render services to authenticate with AWS.

Do the following for each service you want to connect:

Add an environment variable named AWS_ROLE_ARN to your service. Set its value to the ARN of the role you want to assign to the service.
- You can assign only one role per service.
Redeploy the service with the new environment variable.

During the deploy, Render detects the new environment variable and automatically sets an additional environment variable named AWS_WEB_IDENTITY_TOKEN_FILE to the file path of your service's OIDC credentials.

Do not manually set the AWS_WEB_IDENTITY_TOKEN_FILE environment variable.

If you do, it might not match the credentials Render automatically sets.

Troubleshooting

"No OpenIDConnect provider found in your account for https://oidc.render.com/WORKSPACE_ID"

The AWS identity provider configuration for Render was not set up correctly. Make sure that your Provider URL matches the URL in the error message.