feat: add OIDC credential auto-discovery by cloudsmith-iduffy · Pull Request #276 · cloudsmith-io/cloudsmith-cli

cloudsmith-iduffy · 2026-03-13T22:26:49Z

Add a new OIDC credential provider to the credential chain that
automatically detects CI/CD environments, retrieves a vendor OIDC JWT,
and exchanges it for a short-lived Cloudsmith API token.

Key changes:

New OidcProvider in the credential provider chain (lowest priority)
AWS environment detector using boto3/STS (optional aws extra)
OIDC token exchange
Token caching via system keyring with filesystem fallback
whoami command updated to display OIDC auth source
README updated with optional dependency install instructions

Add AWS OIDC support as the final provider in the credential chain (Keyring → CLIFlag → OIDC). When CLOUDSMITH_ORG and CLOUDSMITH_SERVICE_SLUG are set, the CLI auto-detects the CI/CD environment, retrieves a vendor OIDC JWT via STS GetWebIdentityToken, and exchanges it for a short-lived Cloudsmith API token. - AWS detector with boto3 session reuse and default audience ('cloudsmith') - Token cache (keyring with filesystem fallback) checked before detection - OIDC token exchange against POST /openid/{org}/ - CLI options: --oidc-org, --oidc-service-slug, --oidc-audience, --oidc-discovery-disabled - Optional dependency: pip install cloudsmith-cli[aws] - Warning-level logs on OIDC failures for CI/CD debuggability Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

cloudsmith-iduffy requested a review from a team as a code owner March 13, 2026 22:26

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 595f343 to 267a002 Compare March 14, 2026 13:42

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from fd065ae to 8b57884 Compare March 14, 2026 14:01

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 267a002 to 34c3c6d Compare March 14, 2026 14:03

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from 8b57884 to 0b0445c Compare March 14, 2026 14:06

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 34c3c6d to 62358e8 Compare March 14, 2026 14:08

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from 0b0445c to 987c32f Compare March 14, 2026 14:10

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch 2 times, most recently from 4586a50 to 603470a Compare March 14, 2026 14:14

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from 987c32f to 65d8c53 Compare March 14, 2026 14:17

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 603470a to ea65f83 Compare March 14, 2026 14:18

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from 65d8c53 to 646c50a Compare March 14, 2026 14:23

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from ea65f83 to d47d674 Compare March 14, 2026 14:23

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from 646c50a to 5c2b23d Compare March 14, 2026 14:26

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch 3 times, most recently from 6d0be0f to 0070269 Compare March 14, 2026 14:39

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch from 6e1792c to 8862812 Compare March 14, 2026 14:43

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 0070269 to 97c2c36 Compare March 14, 2026 14:44

cloudsmith-iduffy marked this pull request as draft March 14, 2026 14:49

cloudsmith-iduffy force-pushed the iduffy/credential-provider-chain branch 2 times, most recently from 368db92 to a60887d Compare March 15, 2026 10:34

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 6d3bf75 to 757e6e3 Compare March 15, 2026 13:59

cloudsmith-iduffy and others added 2 commits March 15, 2026 21:58

refactor: remove CI/CD environment references from OIDC code

6ac94b8

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

cloudsmith-iduffy force-pushed the iduffy/oidc-base branch from 04708a3 to 6ac94b8 Compare March 15, 2026 21:58

cloudsmith-iduffy changed the title ~~feat: add OIDC credential auto-discovery for CI/CD environments~~ feat: add OIDC credential auto-discovery Mar 15, 2026

cloudsmith-iduffy marked this pull request as ready for review March 15, 2026 22:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add OIDC credential auto-discovery#276

feat: add OIDC credential auto-discovery#276
cloudsmith-iduffy wants to merge 2 commits intoiduffy/credential-provider-chainfrom
iduffy/oidc-base

cloudsmith-iduffy commented Mar 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

Conversation

cloudsmith-iduffy commented Mar 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

cloudsmith-iduffy commented Mar 13, 2026 •

edited

Loading