superfly/docs

Issue with the "OpenID Connect" doc

reconbot opened this issue · 4 comments

I found an issue with this document.

Title: OpenID Connect
Location: https://fly.io/docs/reference/openid-connect/
Source: https://github.com/superfly/docs/blob/main/reference/openid-connect.html.markerb

Describe the issue

It walks us through setting up connecting to AWS but doesn't actually tell us how to use the tokens to connect to AWS. Googling, I found this forum post which describes what's going on.

We’ve also baked some extra magic into this if you’re using this to access AWS services. Nothing too fancy though, we write the token to a file at /.fly/oidc_token every 9 minutes to keep it fresh and set the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_SESSION_NAME environment variables. The AWS SDK handles the rest!

The AWS SDK handles the rest as long as you've also set AWS_ROLE_ARN. All this should be in the article.

Additional info

Finish walking us through what's going on! I've used OIDC but never like this, I'm thankful this is an education in OIDC as well as fly.io.

@moss-fly
Do you think we should put any of the community post content into the doc?

@andie787 adding another section here about what's going on under the hood for the AWS magic is probably a good idea. I can put it on my todo list but I've got a few things I need to sort out first.

Debugging information would also be really good, I've had a machine that stops authenticating complaining about bad tokens. I wasn't able to grab enough detail so I added it to a health check and haven't seen it again, but it took a bit of digging to figure out the mechanics.

That's a good point, I'm not too sure if there's much more advice to be given other than send us an email with the request's trace ID. I'd love to hear more about your bad tokens error if it comes up again!
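
An added example, not part of this thread and not Fly.io's own code: a health-check style script for the setup discussed above, which confirms the three environment variables named in the thread are set and that the token file holds an unexpired JWT. Treating all three variables as required and reading only the standard `exp` claim are assumptions of this sketch; the signature is not verified here because AWS STS does that when the SDK exchanges the token.

```python
import base64, json, os, sys, time

# Variables named in the thread; treating all three as required is an assumption.
REQUIRED = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_SESSION_NAME")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_constructed_token(exp: int) -> str:
    """Build an unsigned, constructed JWT-shaped string for local testing only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"exp": exp}).encode())
    return f"{header}.{payload}.constructed-signature"

def jwt_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def check_web_identity(env=os.environ, now=None) -> list:
    """Return a list of problems; an empty list means the inputs look usable."""
    now = time.time() if now is None else now
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    path = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not path:
        return problems
    try:
        with open(path, encoding="utf-8") as fh:
            claims = jwt_claims(fh.read())
    except (OSError, ValueError) as exc:  # covers JSON, base64 and decoding errors
        return problems + [f"cannot read token at {path}: {exc}"]
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("token has no numeric exp claim")
    elif exp <= now:
        problems.append(f"token expired {int(now - exp)}s ago")
    return problems

if __name__ == "__main__":
    found = check_web_identity()
    for problem in found:
        print("oidc check:", problem, file=sys.stderr)
    sys.exit(1 if found else 0)
```

The script never prints the token itself, so its output is safe to send to logs or attach to a support request.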