---
title: "Authenticate to Cloudsmith with Your AWS Identity"
description: "Secure your build pipelines by exchanging AWS IAM identities for short-lived Cloudsmith access tokens. Move beyond manual API key rotation and enhance your security posture with this streamlined OIDC integration."
canonical_url: "https://cloudsmith.com/blog/authenticate-to-cloudsmith-with-your-aws-identity"
last_updated: "2026-01-05T18:27:00.000Z"
---
# Authenticate to Cloudsmith with Your AWS Identity

If you're running workloads in AWS, you're already managing IAM credentials. Wouldn't it be great if those same credentials could authenticate your services with Cloudsmith without creating, storing, or rotating yet another API key?



That's exactly what AWS's new [outbound identity federation](https://aws.amazon.com/blogs/aws/simplify-access-to-external-services-using-aws-iam-outbound-identity-federation/) enables when paired with [Cloudsmith's OIDC support](https://help.cloudsmith.io/docs/openid-connect). Your AWS workloads can now exchange their IAM identity for short-lived Cloudsmith tokens on the fly. No long-lived secrets sitting in environment variables. No API keys to rotate. Just cryptographically signed, time-limited credentials.

## What's Happening Under the Hood?

The magic happens through [AWS STS (Security Token Service)](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetWebIdentityToken.html), which can now issue signed JSON Web Tokens (JWTs) that external services like Cloudsmith can verify and trust. Here's the flow:



1. Your AWS workload calls STS and asks for an OIDC token, specifying Cloudsmith as the intended audience
2. STS returns a cryptographically signed JWT containing your AWS identity information
3. You pass this token to Cloudsmith's OIDC endpoint
4. Cloudsmith fetches AWS's public verification keys and validates the token's signature
5. If everything checks out, Cloudsmith hands back a short-lived JWT you can use for API calls
6. You're authenticated, no API key required



```json
{
  "_key": "3f7d784ab50c",
  "_type": "image",
  "alt": "AWS STS and Cloudsmith integration",
  "asset": {
    "_createdAt": "2026-03-19T15:23:38Z",
    "_id": "image-9fa6def9280daa312ed69c4b9831c43dbdea5b6b-7312x5310-png",
    "_rev": "4NL7OYzuc0j9O28koTGWba",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2026-03-19T15:23:38Z",
    "assetId": "9fa6def9280daa312ed69c4b9831c43dbdea5b6b",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "VJRC[F7QrC%MXUrrT1Myxr-nS$NKNLoyt2t8t7xWRnIq",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.377024482109228,
        "height": 5310,
        "width": 7312
      },
      "hasAlpha": true,
      "isOpaque": false,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAADEUlEQVR4nEWUW08cRxBG5//nxcovSB4SxYmE4ijYRojEJhgwhF0uCwu7wI4Ne2V359Jz6Vv1iWbAysPpbqmlr6vqq65IWySrCasCGtbf9hKUBuPAy/9IQwBxDpcnmMUjZv4QXLIQb2obJSXhegr/jqATQ/cLnLyc+5PAeO1JS0HVgUIL2greB1yZUw26qP0/UXtvKM92MctJiJ5y+HwHWz34eB34NAzsXMF2L3Aw9AynlkXmSJQjVY6ysjhtMcsZ6nib9P2PpO9+IN/dwEzuiRY5HNzC27PATs/x8cqyde7Z6gW6sTBPGhFHrR11pdGqwKQpRXzL6u8NZr9+z+z1K9bbP6PHd7xEGHh35tnsaDY7NZtdy3ZPOLv3LBaOqvAYLW1ktiyfBb/csdr9g8kvrxj/9B2rndfoaUyUFp7LuODgMmH/KufguuBwaDkZBW5iz2xsUamnrgRnBHEeby02T6niPup0F3XyV1tPl62JtDY8zWY8ju6ZPo6ZzZcskopVIWQqkOXCOgus8kBeCtYK4hthh1QFPl/jsxVSZIi1RCIOU2XU2RKtEkyVY6zGScB5WCroPT47P3gwJIsckylcWeFVhl8v8Kt5Kxy0JvISqIyjrBs8lfboJi0JWA/jNewNQuv6yXXF7HZGOZ5j1gluMcbcnWNuT3HTGF/kRIWGh5VwO28IxMtA0tTrJcKHdeBD37F1ZuneGVaLApPkuFxhZ18pLg9RF/vorwO8SomalDpx4J+BsHcjHN0L40SwTfN6+Lr0bJ0WbBymHN9qGhMbY0Tr5oeQXByy7OxRjfq4PG36MPDpxrXt8rar22hGS0dhHakxXM9rNjs5v+0nfB7WpOpF0Bjcak55f4UanKPHI7xSTR8G9m8svx8VvDkq+dA3jJaWp7pmpFKOxxnbVzXvm5RjT1Y0DgtiHb4qWzNc63LePhJlFWEwFU5GrqU/EZ6UkBvLvCoZrisuJ56LR4iXUJlACIEgDUIQ/4z3eC8hMg4pNaGZLA2lAdtOmIAVoXJCoUN7V9nniRPCN57FgWYREex/Ob1pLMe0wi8AAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#304f68",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#29445a",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#b4d4fc",
          "foreground": "#000",
          "population": 11.28,
          "title": "#000"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#b4d0ce",
          "foreground": "#000",
          "population": 0.11,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#b4d4fc",
          "foreground": "#000",
          "population": 11.28,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9a5151",
          "foreground": "#fff",
          "population": 0.39,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#4d7fa8",
          "foreground": "#fff",
          "population": 0.59,
          "title": "#fff"
        }
      },
      "thumbHash": "uveBHIQPF63AwFiGCpt2sGqGgICICAiIAA=="
    },
    "mimeType": "image/png",
    "originalFilename": "Diagram_Authenticate to Cloudsmith with your AWS identity.png",
    "path": "images/rafvlnhi/production/9fa6def9280daa312ed69c4b9831c43dbdea5b6b-7312x5310.png",
    "sha1hash": "9fa6def9280daa312ed69c4b9831c43dbdea5b6b",
    "size": 690546,
    "uploadId": "NIIeuii4Qx4QiTG9u3nBg1xFlg0XhpIY",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/9fa6def9280daa312ed69c4b9831c43dbdea5b6b-7312x5310.png"
  },
  "link": {
    "_type": "link",
    "href": null,
    "openInNewTab": false
  },
  "markDefs": null
}
```

## Setting Things Up

There are three pieces to configure: AWS permissions, AWS external identity federation, and Cloudsmith OIDC settings. Let's walk through each.

## Grant Permission to Request Tokens

Your AWS role or user needs permission to call the `sts:GetWebIdentityToken` API. Add this policy to any IAM principal that needs to authenticate with Cloudsmith:



```json
{
  "_key": "eb816b4992bc",
  "_type": "code",
  "code": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:GetWebIdentityToken\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\n",
  "filename": null,
  "language": "json",
  "markDefs": null
}
```

## Enable Outbound Identity Federation in AWS

Before your account can issue these external identity tokens, you need to flip the switch. Head to the [IAM console](https://console.aws.amazon.com/iam/), select **Account settings** under **Access management**, and enable outbound identity federation.



Once enabled, AWS generates a unique issuer URL for your account. This URL hosts the OIDC discovery endpoints that external services use to verify your tokens. It looks something like `https://{UUID}.tokens.sts.global.api.aws`. Keep this URL handy since you'll need it for the Cloudsmith configuration.



This endpoint exposes the standard `/.well-known/openid-configuration` which allowed Cloudsmith to fetch the required metadata to verify received tokens.

```json
{
  "_key": "03639c086569",
  "_type": "image",
  "alt": "AWS Cloudsmith integration enabled",
  "asset": {
    "_createdAt": "2025-12-22T18:36:30Z",
    "_id": "image-4373331c45bf349fe974c210d1cf27a9dfe59ee4-1966x986-png",
    "_rev": "gRvvnXg8wGQlAo1cT7Cgwc",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-12-22T18:36:30Z",
    "assetId": "4373331c45bf349fe974c210d1cf27a9dfe59ee4",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "M3Qc#Q00R-X9%N00Mx-p-p^+00_N?cNct8",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.9939148073022313,
        "height": 986,
        "width": 1966
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAABYlAAAWJQFJUiTwAAAB00lEQVR4nF2RSW/UQBCF/f8Q5ATKjT8ASoSCOCDxE7hxhiSMo0SKkgMjRUFIEISAzIUTSMns3pe23W577PYyD3VNzCQcPr3y0q+qXmuvzt/g8dFLPHq/g83ec+Lh/jPcf/cU9/aeYKO3hY3e9hq905v3+jYe9LawefgCO2evoX36/R2HP/rYuzjB/tdTYvfiBG+/HGP32yn0nx9wcNkn1S/vcjDoE/qgj+NfH/F5OIDm+B6uJ2P8ub7C1Wi4YqwYYTgZYzSbYjybkna1YmrOYTgWTMcmnMADzwS0MGSYzeeYTGdwHBe+7yMIAgQBQ8hiRFGCOE6QKBIFJ7IsQ1EUKMuSkFKiruvO0CBDz/PBUw6RCYh8gayQKGVNPxLNum7aFsvl8g5t20KLohimZWM+N+C6Hk0jVHfVtapRVbdMmmZF26Jp2vVz05CZUjK0LJumNAyTajVpnCTgaQrOOThXmkIIgXyxoFWLorzRglArk2GoDF0XjtdlF4IxhjiOKTOlLIrpu2W7UBGlQlCGqsGKVZ6UYZCksFgCluYopERVVYSUHRL5ooAfRjBtB0HIKBI1aZ7n/1CG6pyW5BVcXkJp1bSUxf+ovNSKWZ7TjVbdJd2iy/IvMR/TqLBJdKIAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#4e6755",
          "foreground": "#fff",
          "population": 0.18,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#067d30",
          "foreground": "#fff",
          "population": 7.6,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#067d30",
          "foreground": "#fff",
          "population": 7.6,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#d1e2e7",
          "foreground": "#000",
          "population": 0.19,
          "title": "#000"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#f0fcf7",
          "foreground": "#000",
          "population": 2.55,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#858586",
          "foreground": "#fff",
          "population": 1.88,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#4cc474",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image2.png",
    "path": "images/rafvlnhi/production/4373331c45bf349fe974c210d1cf27a9dfe59ee4-1966x986.png",
    "sha1hash": "4373331c45bf349fe974c210d1cf27a9dfe59ee4",
    "size": 265661,
    "uploadId": "Hzdv38M5sNrE0DOBWoHgnAiHl9Ds6v20",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/4373331c45bf349fe974c210d1cf27a9dfe59ee4-1966x986.png"
  },
  "link": {
    "_type": "link",
    "href": null,
    "openInNewTab": false
  },
  "markDefs": null
}
```

## Configure OIDC in Cloudsmith

Now tell Cloudsmith to trust tokens from your AWS account. Navigate to your Cloudsmith organization settings at **Settings > Authentication > OpenID Connect** and click **Create Provider Settings**.



Fill in the following:

```json
{
  "_key": "721a7898c57c",
  "_type": "tableBlock",
  "firstRowIsHeader": true,
  "markDefs": null,
  "table": {
    "rows": [
      {
        "_key": "82739206-f1db-46b0-bd4c-0165cd76dc11",
        "_type": "tableRow",
        "cells": [
          "Field",
          "Value"
        ]
      },
      {
        "_key": "d73cead3-4b3d-48a4-83b4-db5cb287ff28",
        "_type": "tableRow",
        "cells": [
          "Provider Name",
          "aws (or whatever makes sense for your setup)"
        ]
      },
      {
        "_key": "f91dd12c-91df-4f89-97e4-2843ebaf31d2",
        "_type": "tableRow",
        "cells": [
          "Provider URL",
          "Your AWS issuer URL from the previous step (the https://{UUID}.tokens.sts.global.api.aws URL)"
        ]
      },
      {
        "_key": "986cd4f0-a160-4690-975d-fa6633a7e7b2",
        "_type": "tableRow",
        "cells": [
          "Required OpenID Token Claims",
          "{\"aud\": \"cloudsmith\"}"
        ]
      },
      {
        "_key": "174b5096-ed94-4ecf-8a70-19713805f51b",
        "_type": "tableRow",
        "cells": [
          "Service Accounts",
          "Select the service account(s) this provider can authenticate as"
        ]
      }
    ]
  }
}
```

```json
{
  "_key": "28f1dd78a709",
  "_type": "image",
  "alt": "Cloudsmith provider settings for Amazon STS config",
  "asset": {
    "_createdAt": "2025-12-22T18:40:33Z",
    "_id": "image-19b24cc60ecbafaf83b65cce31c5dcfd6ecd132a-1042x1514-png",
    "_rev": "6JREj8pYRd45x3sbptrA5k",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-12-22T18:40:33Z",
    "assetId": "19b24cc60ecbafaf83b65cce31c5dcfd6ecd132a",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "dKRpIFogRixv~TWBRkoe9bWCs.fQ-:jtWBj[M|jtj@of",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 0.6882430647291942,
        "height": 1514,
        "width": 1042
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAYAAACqhkzFAAAACXBIWXMAABYlAAAWJQFJUiTwAAADeUlEQVR4nJWV244bRRCG/bDADdwBQuI9QBylbIi4JYAiJazECq4IJNFesBInh+xmvWt7Tn0+zfT8qHp67DFeL8HSp6opd/+u6q4az9ZMQmgLZRyUsVDWDeRnbR2M97A+HMQ4D6kdCiYxq7gCEwplw1E2DMVIzbCuGtRcwoWALsaDtF1MwrXQmNVcQSiNiomN6ABPgg2XCG2LHjhM3yO0HRqZBY31MKlMC21s8p0PCR9axEjbDn/6UZAypJJ1FpMTMSol9n2ifwVC26IRCrOKKWjjILRJoj4EtG2HLg5ir4rfCkpYR7foN4f/f4TiniBXG0GylGHXDaI7ZeWz6nvk77bPfS6Z7mNWMpFK5UqlFmFSQWq7zZps8qnn/KbvKEbW+eGI6PKSYFFzKG3RCJnbhqNqOGouUowJmXz6MWohsiXjqBIi9bDNwoNgw9PNEpIuZgpNTmZsJ+oI8hN5H5W7ybBsRApaN3w5ljOWNPgh9Rn14w50IcmPu2c4/lKySYhsFvf5nLruYE/GGLcZUtvQxtTY2iRoFAnKjoTGVjo0djG3zY4gnYlQBlIZcKHApYLzPpVEm24bu0iC0wypJDoDoiUbBp8yu+3TxggVPHQY2mkjSOo3z+hhMcqKe4d5U+G8qcGNAY3xkGGgbPqb6W+OtbFHYx3+rEq8qCswTYKSbllC2oBatih4yEx8EfbjgmyLFQ+4YhZr6SGMR8WzYCk85tcWZ+cKv2bOJvbsQuPsYhIj/0Ljt0uL+arFZR1RqRYllUyCtfJYVAHPlxbzpcXzlcXfK7fDi5Xfi50XAZdVxJL1aDQJ0n8Kk9DUh7aFMC2EDuA6pGfj6b+iHwjZTgk9XMb4djhDqlsah5obVJwae5iY8dU/MkzEPn2O0/qNIFMOi0LjZaHBVUAI3fBOvHFu9+m6f40e1x6rxuOq9qhlB2VjQt7CdI2yEcaN78NG4o+FxfGpxlc/Kdx/PPDNzwoPnig8eJrtE52twre/KHyd191/rPDdqcbvC4uCbnlZCRyfSrx/r8JrH6zx+ocDb35S4O07Jd49KvHOnS0Ue+vTAm/kdbTnvS8qPHwmsawlZtclw7O5wpc/cnz0sMHHjwY+O25w9D3D3ROGu6M9aXB0wvD58XYd7bn3A8fTvxSuS47ZxbLEsuK4LgUWa76lmPj/wVUpsKo4Xi5L/AMo9KxMmlCHTQAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3f726f",
          "foreground": "#fff",
          "population": 0.1,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1854c8",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#296edf",
          "foreground": "#fff",
          "population": 3.32,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#97abc7",
          "foreground": "#000",
          "population": 0.25,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#86aff5",
          "foreground": "#000",
          "population": 0.3,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7484a4",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#296edf",
          "foreground": "#fff",
          "population": 3.32,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image3.png",
    "path": "images/rafvlnhi/production/19b24cc60ecbafaf83b65cce31c5dcfd6ecd132a-1042x1514.png",
    "sha1hash": "19b24cc60ecbafaf83b65cce31c5dcfd6ecd132a",
    "size": 153404,
    "uploadId": "tiW3lnLVo0pGfHQdV91uz17dTu79vu6f",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/19b24cc60ecbafaf83b65cce31c5dcfd6ecd132a-1042x1514.png"
  },
  "link": {
    "_type": "link",
    "href": null,
    "openInNewTab": false
  },
  "markDefs": null
}
```

## Getting Your Tokens

With everything configured, here's how to actually authenticate from your AWS workloads.

## Grab a Token from AWS STS

Using the AWS CLI:

```json
{
  "_key": "332fdbcd3528",
  "_type": "code",
  "code": "OIDC_TOKEN=$(aws sts get-web-identity-token \\\n  --audience cloudsmith \\\n  --signing-algorithm RS256 \\\n  --query 'WebIdentityToken' \\\n  --output text)",
  "filename": null,
  "language": "shell",
  "markDefs": null
}
```

- **`--audience`** must match what you configured in Cloudsmith's required claims. We used `cloudsmith` above.
- **`--signing-algorithm`** accepts either `RS256` or `ES384`. Both work fine.

## Exchange It for a Cloudsmith JWT

Now swap that AWS token for Cloudsmith credentials:

```json
{
  "_key": "4553629c06fe",
  "_type": "code",
  "code": "SERVICE_SLUG=\"your-service-account-slug\"\nORG_SLUG=\"your-cloudsmith-org\"\n\nCLOUDSMITH_JWT=$(curl -s -X POST \\\n  \"https://api.cloudsmith.io/openid/${ORG_SLUG}/\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"oidc_token\\\": \\\"${OIDC_TOKEN}\\\", \\\"service_slug\\\": \\\"${SERVICE_SLUG}\\\"}\" \\\n  | jq -r '.token')",
  "filename": null,
  "language": "shell",
  "markDefs": null
}
```

Replace `your-service-account-slug` with your Cloudsmith service account slug, and `your-cloudsmith-org` with your Cloudsmith organization identifier.

## Verify It Works

Test your credentials:

```json
{
  "_key": "d4cd7caff1fe",
  "_type": "code",
  "code": "curl -s -H \"Authorization: Bearer ${CLOUDSMITH_JWT}\" \\\n  \"https://api.cloudsmith.io/v1/user/self/\" | jq",
  "filename": null,
  "language": "shell",
  "markDefs": null
}
```

If everything's configured correctly, you'll see something like:

```json
{
  "_key": "3e379cfb049f",
  "_type": "code",
  "code": "{\n  \"authenticated\": true,\n  \"name\": \"aws-pipeline\",\n  \"slug\": \"aws-pipeline\",\n  \"slug_perm\": \"Ne67GhNtJOe7\",\n  \"self_url\": \"https://api.cloudsmith.io/v1/user/self/\"\n}\n",
  "filename": null,
  "language": "json",
  "markDefs": null
}
```

## Where This Shines

This pattern works anywhere you have an AWS IAM identity. The short-lived nature of both tokens keeps things secure, and you're leveraging identity you're already managing.



**EC2 instances** can use their instance profile to request OIDC tokens. Add the token exchange to your startup scripts or application initialization.



**ECS and Fargate tasks** work the same way through task roles. Grab a token during container startup or lazily when you first need Cloudsmith access.



**Lambda functions** can request tokens during cold start or on-demand within your function code. The overhead is minimal because both API calls are quick.



**CodeBuild, CodePipeline, and other AWS services** with an IAM role attached can participate. Build pipelines become much cleaner without injected API key secrets.

## Wrapping Up

AWS outbound identity federation combined with Cloudsmith's OIDC support is a clean solution for a common problem. You're extending trust from identity you already manage, exchanging it for short-lived credentials exactly when you need them, and eliminating the operational overhead of API key management.



No more secrets in environment variables. No more key rotation schedules. No more "who has access to that API key?" conversations.

For more details, check out the [AWS outbound identity federation documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_outbound.html) and [Cloudsmith's OIDC guide]().
