Docs feedback: clarify that GitLab instance must be publicly available in order to configure OpenID Connect in AWS to retrieve temporary credentials
The Troubleshooting section of the Configure OpenID Connect in AWS to retrieve temporary credentials docs should have information about what folks should do to troubleshoot when they get errors like:
```
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements
```
This error can happen when the GitLab instance is not publicly accessible.
There is more information about this requirement in the How can I resolve the AWS STS AssumeRoleWithWebIdentity API call error "InvalidIdentityToken"? Knowledge Center article. It would probably be good to link folks there for more information.
💡 Ideas
I would propose doing both of these items. We'll give folks the information about the prerequisite when they are first configuring this. They'll also be able to find the information in the Troubleshooting section.
- Update the Add the identity provider section of the docs to note that the GitLab instance should be publicly available
- Add a new troubleshooting section letting folks know that if they get the error described above, they should do one of the following:
  - make their GitLab instance publicly available
  - follow the #391928 issue
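An added example, not part of this issue or of the GitLab docs: a small Python check that walks the same discovery chain AWS STS follows when it validates the job's ID token (issuer -> `/.well-known/openid-configuration` -> `jwks_uri` -> signing keys) with no credentials, which is exactly what fails with `InvalidIdentityToken` when the instance is not publicly reachable. The issuer URL `https://gitlab.example.com`, the sample discovery and JWKS responses, and the helper names are assumptions made up for the example. Run it from a host outside your network (STS calls in from the public internet, so a success from inside a VPN proves nothing).

```python
"""Check whether a GitLab OIDC issuer is reachable the way AWS STS reaches it.

Added example for the troubleshooting section; not GitLab's or AWS's code.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed example issuer; use the `iss` claim of your job's ID token.
SAMPLE_ISSUER = "https://gitlab.example.com"


def http_get(url, timeout=10):
    """Plain unauthenticated HTTPS GET, the only kind of request STS makes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_oidc_provider(issuer, fetch=http_get):
    """Follow issuer -> discovery document -> jwks_uri -> keys.

    Returns {"ok": bool, "findings": [...], ...}. `fetch` is injectable so the
    check can be exercised offline; the default talks to the real instance.
    """
    findings = []
    issuer = issuer.rstrip("/")
    discovery_url = issuer + "/.well-known/openid-configuration"
    try:
        discovery = json.loads(fetch(discovery_url))
    except (OSError, ValueError) as exc:  # URLError is an OSError subclass
        findings.append(f"discovery document {discovery_url} not reachable or not JSON: {exc}")
        return {"ok": False, "findings": findings}

    # STS compares the token's `iss` with the discovery document's issuer.
    if discovery.get("issuer", "").rstrip("/") != issuer:
        findings.append(f"discovery 'issuer' {discovery.get('issuer')!r} does not match {issuer!r}")

    jwks_uri = discovery.get("jwks_uri")
    if not jwks_uri:
        findings.append("discovery document has no jwks_uri")
        return {"ok": False, "findings": findings}
    if not jwks_uri.startswith("https://"):
        findings.append(f"jwks_uri must be https, got {jwks_uri}")

    try:
        jwks = json.loads(fetch(jwks_uri))
    except (OSError, ValueError) as exc:
        findings.append(f"JWKS {jwks_uri} not reachable or not JSON: {exc}")
        return {"ok": False, "findings": findings}

    keys = jwks.get("keys") or []
    if not keys:
        findings.append(f"JWKS at {jwks_uri} contains no keys")
    for key in keys:
        if not key.get("kid"):
            findings.append(f"JWK without kid cannot be matched to a token header: {key}")

    return {"ok": not findings, "findings": findings,
            "jwks_uri": jwks_uri, "key_count": len(keys)}


# Constructed sample responses a publicly reachable instance would return.
SAMPLE_PAGES = {
    SAMPLE_ISSUER + "/.well-known/openid-configuration": json.dumps({
        "issuer": SAMPLE_ISSUER,
        "jwks_uri": SAMPLE_ISSUER + "/oauth/discovery/keys",
        "id_token_signing_alg_values_supported": ["RS256"],
    }),
    SAMPLE_ISSUER + "/oauth/discovery/keys": json.dumps({
        "keys": [{"kty": "RSA", "kid": "constructed-kid", "use": "sig",
                  "alg": "RS256", "n": "constructed-modulus", "e": "AQAB"}],
    }),
}


def offline_fetch(pages):
    """Return a fetch() that serves `pages`; any other URL fails like an unreachable host."""
    def fetch(url, timeout=10):
        if url not in pages:
            raise urllib.error.URLError("name or service not known")
        return pages[url]
    return fetch


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ISSUER
    report = check_oidc_provider(target)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

If the first finding says the discovery document is not reachable, the instance is not publicly accessible from where STS sits and the `InvalidIdentityToken` error is expected; fixing DNS, firewalling or TLS so that both URLs answer anonymously is the prerequisite the docs should state.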