# OpenID Connect on Render — Authenticate Render services with AWS using OIDC.

> *OIDC support is currently in closed alpha.*

You can configure your Render services to authenticate with AWS securely using OpenID Connect (OIDC). Render manages a short-lived authentication token for each service that automatically rotates as needed.

## First-time setup

### 1. Add Render as an AWS Identity Provider

1. From your IAM Dashboard in the AWS Management Console, navigate to *Identity Providers*.
2. Add a new provider with the following settings:

| Setting | Value |
| --- | --- |
| *Provider Type* | `OpenID Connect` |
| *Provider URL* | `oidc.render.com/{YOUR_WORKSPACE_ID}` Replace `{YOUR_WORKSPACE_ID}` with your workspace's ID, available from the top of its *Settings* page in the [Render Dashboard](https://dashboard.render.com) (starts with `tea-`). |
| *Audience* | `sts.amazonaws.com` |

3. Click *Add provider*.

4. Copy the *ARN* for the newly created provider. You'll use this value when configuring trust relationships for AWS roles in the next step.

### 2. Associate AWS roles with Render's OIDC identity

Do the following for _each_ AWS role you want to assign to your Render services:

1. From your IAM Dashboard in the AWS Management Console, navigate to *Roles*.
2. Create a new *Custom trust policy role* (or modify an existing one).
3. Under *Trust Relationship*, add the following statement object to the `Statement` array, *substituting your provider ARN and workspace ID where indicated*:

    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "{YOUR_PROVIDER_ARN}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.render.com/{YOUR_WORKSPACE_ID}:aud": "sts.amazonaws.com"
                    }
                }
            }
        ]
    }
    ```

4. Optionally, you can add finer-grained validation on the OIDC subject by checking the `oidc.render.com/{YOUR_WORKSPACE_ID}:sub` claim, which has the following format:

    ```
    workspace:{WORKSPACE_ID}:environment:{ENVIRONMENT_ID}:service:{SERVICE_ID}
    ```

    - To obtain an [environment](projects)'s ID, open its Settings page in the [Render Dashboard](https://dashboard.render.com) and copy its ID from the URL. This value starts with `evm-`.
    - For services that don't belong to any environment, the value of `ENVIRONMENT_ID` is `default`.

    Here are some example `Condition` entries (added alongside the `StringEquals` check on `aud` above) that limit the role to specific services:

    ```json
    // Limit to services in workspace `tea-abc123`
    // that belong to environment `evm-def456`
    "StringLike": {
        "oidc.render.com/{YOUR_WORKSPACE_ID}:sub": "workspace:tea-abc123:environment:evm-def456:service:*"
    }

    // Limit to the single service with ID `srv-ghi789`
    "StringLike": {
        "oidc.render.com/{YOUR_WORKSPACE_ID}:sub": "workspace:*:environment:*:service:srv-ghi789"
    }
    ```

After you've created and updated your roles, copy their *ARN* values. You'll use these values when assigning roles to individual Render services in the next section.

## Connecting individual services

After you complete [first-time setup](#first-time-setup), you can configure individual Render services to authenticate with AWS.

Do the following for _each_ service you want to connect:

1. Add an environment variable named `AWS_ROLE_ARN` to your service. Set its value to the *ARN* of the role you want to assign to the service.
    - You can assign only one role per service.
2. Redeploy the service with the new environment variable.

During the deploy, Render detects the new environment variable and automatically sets an _additional_ environment variable named `AWS_WEB_IDENTITY_TOKEN_FILE` to the file path of your service's OIDC credentials.

> *Do not manually set the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable.*
>
> If you do, it might not match the credentials Render automatically sets.
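The following Python is an added example, not Render's or AWS's own code: it evaluates the trust-policy conditions from the setup section against the claims of a Render token, so you can confirm before deploying that a `sub` pattern admits only the services you intend, and it decodes the token written to `AWS_WEB_IDENTITY_TOKEN_FILE` so you can see exactly which `iss`, `aud` and `sub` values AWS receives. The workspace ID `tea-abc123`, the account ID in the provider ARN and the `render_claims` helper are constructed placeholders.

```python
import base64
import json
import re

# Constructed example values; replace with your own workspace ID and provider ARN.
ISSUER = "oidc.render.com/tea-abc123"
TRUST_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + ISSUER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {ISSUER + ":aud": "sts.amazonaws.com"},
        "StringLike": {ISSUER + ":sub": "workspace:*:environment:*:service:srv-ghi789"},
    },
}

def aws_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(statement: dict, claims: dict) -> bool:
    """Evaluate the statement's Condition block against the token's claims,
    mirroring the checks STS applies before issuing credentials for the role."""
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            actual = claims.get(key.rsplit(":", 1)[1])  # "...:sub" -> claim "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":
                ok = actual is not None and any(aws_string_like(p, actual) for p in patterns)
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True

def decode_jwt_claims(token: str) -> dict:
    """Read the payload of the token Render writes to AWS_WEB_IDENTITY_TOKEN_FILE.
    The signature is NOT checked here; only STS needs to verify it."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def render_claims(service_id: str, env_id: str = "evm-def456") -> dict:
    """Constructed claims in the shape this page documents for a Render token."""
    sub = f"workspace:tea-abc123:environment:{env_id}:service:{service_id}"
    return {"iss": "https://" + ISSUER, "aud": "sts.amazonaws.com", "sub": sub}
```

To inspect a live token, pass the contents of the file named by `AWS_WEB_IDENTITY_TOKEN_FILE` to `decode_jwt_claims` and feed the result to `condition_allows` with your real statement. A statement that carries only the `aud` check admits every service in the workspace, which is why the `sub` condition matters when one workspace hosts services of different trust levels.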

## Troubleshooting

###### "No OpenIDConnect provider found in your account for https://oidc.render.com/WORKSPACE_ID"

The AWS identity provider configuration for Render was not set up correctly. Make sure that the *Provider URL* you entered for the identity provider, including the workspace ID, matches the URL in the error message.

---

##### Appendix: Glossary definitions

###### environment variable

Config values you can apply to a service to customize its behavior at build and runtime, such as `NODE_VERSION` or `OPENAI_API_KEY`.

Render sets some environment variables for your service by [default](environment-variables).

Related article: https://render.com/docs/configure-environment-variables.md