
How to use GitLab Pipelines without AWS credentials in four easy steps

  • Writer: Paulo Srulevitch
  • 50 minutes ago
  • 2 min read
" "

We’ve already shared two useful guides on how to configure IAM Roles with GitHub Actions and Bitbucket Pipelines, both showing how to connect your CI/CD to AWS without using long-term credentials.


If you are interested, check them out here:



Now, we’re wrapping up this security-focused series with a third post showing you how to configure IAM Roles for GitLab Pipelines using OIDC — completing the full setup across the three most popular cloud-based Git platforms.


In this post, you’ll find how to configure your CI/CD to deploy to AWS while applying the principle of least privilege and leveraging temporary credentials.


Spoiler alert! Setting this up in GitLab is actually simpler than in GitHub or Bitbucket.


Step 1 - Configure the Identity Provider


Start by adding GitLab as an OpenID Connect (OIDC) Identity Provider in your AWS account.

To do this:

  1. Open the IAM (Identity and Access Management) service in AWS.

  2. Under Access management, go to Identity providers and click Add provider.

  3. Configure it as follows:

  4. Click Add provider — and you’re done with this step.


" "

Step 2 - Create an IAM Role

Next, create an IAM Role that trusts GitLab as the identity provider.

  1. In IAM, go to Roles and click Create role.

  2. Under Trusted entity type, choose Custom trust policy and paste the following JSON:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/gitlab.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "gitlab.com:sub": [
                        "project_path:<GITLAB_NAMESPACE>/<PROJECT_NAME_1>:ref_type:branch:ref:*",
                        "project_path:<GITLAB_NAMESPACE>/<PROJECT_NAME_2>:ref_type:branch:ref:*"
                    ]
                }
            }
        }
    ]
}

  3. Then, attach the necessary permission policies, provide a name and (optionally) a description for the role, and click Create role.


" "

Step 3 - Create a custom IAM Policy for GitLab


Because we’re giving a third-party service access to our AWS account, we should be as restrictive as possible, granting only the strictly necessary permissions, following the principle of least privilege.


To create a custom policy and attach it to the role from Step 2:


  1. In IAM, open Policies and click Create policy.

  2. Switch to the JSON tab to define actions, resources, and conditions.

    • Clearly specify what actions are allowed and on which resources they apply.


For example, the following policy grants permission to upload objects to an S3 bucket named frontend and perform cache invalidations on a specific CloudFront distribution:


" "


  3. Once done, name your policy, add an optional description, and click Create policy.


Step 4 - Attach the custom IAM policy to the role

Finally, attach the policy you just created to the IAM Role:


  1. Open the IAM Role from Step 2.

  2. Under Permissions policies, click Add permissions > Attach policies.

  3. Select the new policy and click Add permissions.


And that’s all! Your GitLab pipeline is now configured to deploy securely to AWS using OIDC authentication.
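The four steps above come down to two JSON documents and one question: which GitLab jobs can actually assume the role? The following script is an added example, not code from the post or from AWS or GitLab. It renders the Step 2 trust policy and a Step 3 permissions policy matching the description (upload to the frontend bucket, invalidate one CloudFront distribution; the exact statements of the post's screenshot are not reproduced, so these are assumed), then evaluates sample job `sub` claims against the trust policy using IAM's StringLike matching and flags patterns that leave the project path or ref type open. It goes beyond the post in one place: the optional `audience` argument adds a `gitlab.com:aud` condition that the post's policy does not have, on the assumption that the value must equal the audience entered in Step 1. All account, namespace, project, bucket and distribution values are constructed placeholders.

```python
"""Added example (not the post's own code): render the Step 2 trust policy and the
Step 3 permissions policy as JSON, then check which GitLab job `sub` claims the
trust policy would actually accept before anything is created in AWS."""
import json
import re

# Constructed placeholder values; replace them with your own before use.
AWS_ACCOUNT_ID = "123456789012"
GITLAB_NAMESPACE = "my-group"
PROJECTS = ["frontend", "frontend-infra"]
BUCKET_NAME = "frontend"
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"
GITLAB_HOST = "gitlab.com"  # host of the provider URL registered in Step 1


def build_trust_policy(account_id, namespace, projects, audience=None, host=GITLAB_HOST):
    """Step 2 trust policy: one StringLike pattern per project, branch refs only.
    `audience` is an assumed hardening the post's policy does not include: when set,
    the token's aud claim must equal the audience entered in Step 1."""
    condition = {"StringLike": {f"{host}:sub": [
        f"project_path:{namespace}/{p}:ref_type:branch:ref:*" for p in projects]}}
    if audience:
        condition["StringEquals"] = {f"{host}:aud": audience}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


def build_permissions_policy(account_id, bucket, distribution_id):
    """Step 3 policy as the post describes it: upload objects to one bucket and
    invalidate one CloudFront distribution, nothing else (exact statements assumed)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "UploadToBucket", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "InvalidateDistribution", "Effect": "Allow",
         "Action": "cloudfront:CreateInvalidation",
         "Resource": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}]}


def _string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _sub_patterns(statement, host):
    subs = statement.get("Condition", {}).get("StringLike", {}).get(f"{host}:sub", [])
    return [subs] if isinstance(subs, str) else subs


def can_assume(trust_policy, sub, aud=None, host=GITLAB_HOST):
    """True if a job presenting this sub (and aud) claim satisfies the trust policy."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        expected_aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{host}:aud")
        if expected_aud is not None and aud != expected_aud:
            continue
        if any(_string_like(p, sub) for p in _sub_patterns(stmt, host)):
            return True
    return False


def find_overbroad_patterns(trust_policy, host=GITLAB_HOST):
    """Flag sub patterns whose project path or ref type contains a wildcard: such a
    pattern would let any project (or any ref type, tags included) assume the role."""
    flagged = []
    for stmt in trust_policy["Statement"]:
        for pattern in _sub_patterns(stmt, host):
            m = re.fullmatch(r"project_path:(.*):ref_type:(.*):ref:(.*)", pattern)
            if m is None or "*" in m.group(1) or "*" in m.group(2):
                flagged.append(pattern)
    return flagged


if __name__ == "__main__":
    audience = f"https://{GITLAB_HOST}"
    trust = build_trust_policy(AWS_ACCOUNT_ID, GITLAB_NAMESPACE, PROJECTS, audience=audience)
    print(json.dumps(trust, indent=4))
    print(json.dumps(build_permissions_policy(AWS_ACCOUNT_ID, BUCKET_NAME, DISTRIBUTION_ID), indent=4))
    # Constructed sample claims in GitLab's documented sub format.
    for sub in [
        f"project_path:{GITLAB_NAMESPACE}/frontend:ref_type:branch:ref:main",
        f"project_path:{GITLAB_NAMESPACE}/frontend:ref_type:tag:ref:v1.0",
        "project_path:other-group/frontend:ref_type:branch:ref:main",
        f"project_path:{GITLAB_NAMESPACE}/frontend-fork:ref_type:branch:ref:main",
    ]:
        print("ALLOW" if can_assume(trust, sub, aud=audience) else "DENY ", sub)
    print("over-broad:", find_overbroad_patterns(build_trust_policy(AWS_ACCOUNT_ID, "*", ["*"])))
```

The two JSON documents it prints are what you paste into the Custom trust policy field in Step 2 and the JSON tab in Step 3; the same files can be passed to `aws iam create-role --assume-role-policy-document file://trust.json` and `aws iam create-policy --policy-document file://permissions.json` if you script the setup instead. The sample run shows the point of the `sub` condition: a branch pipeline in a listed project is allowed, while a tag pipeline, the same project under another namespace, and a similarly named project (`frontend-fork`) are all denied, because the `*` only covers the branch name.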


" "





Ignacio Rubio

Solutions Architect
