OIDC Federation Reference

Last updated October 27, 2025

Secure backend access with OIDC federation is available on all plans

Vercel provides helper libraries to make it easier to exchange the OIDC token for short-lived credentials with your cloud provider. They are available from the @vercel/oidc and @vercel/oidc-aws-credentials-provider packages on npm.

is a helper function that returns a function that can be used as the property of the AWS SDK client. It exchanges the OIDC token for short-lived credentials with AWS by calling the operation.

returns the OIDC token from the environment variable in builds and local development environments or the in Vercel functions.

In the Vercel function environments, you cannot execute the function directly at the module level because the token is only available in the object as the header.

If you change the name of your team or project, the claims within the OIDC token will reflect the new names. This can affect your trust and access control policies. You should consider this when you plan to rename your team or project and update your policies accordingly.

AWS roles can support multiple conditions so you can allow access to both the old and new team and project names. The following example shows when the issuer mode is set to global:

If your project is using the issuer mode, you will need to create a new OIDC provider and add another statement to the trust policy:

You can validate OpenID Connect tokens by using the issuer's OpenID Connect Discovery Well Known location, which is either or depending on the issuer mode in your project settings. There, you can find a property called which provides a URI to Vercel's public JSON Web Keys (JWKs). You can use the corresponding JWK identified by to verify tokens that are signed with the same in the token's header.

This is a list of standard claims that you can expect in an OpenID Connect JWT:

Claim | Kind | Description
----- | ---- | -----------
 | Issuer | When using the team issuer mode, the issuer is set to . When using the global issuer mode, the issuer is set to .
 | Audience | The audience is set to
 | Subject | The subject is set to
 | Issued at | The time the token was created
 | Not before | The token is not valid before this time
 | Expires at | The time the token has expired or will expire. and tokens expire one hour after creation; tokens expire in 12 hours.

These claims provide more granular access control:

Claim | Description
----- | -----------
 | The team slug, e.g.
 | The team ID, e.g.
 | The project name, e.g.
 | The project ID, e.g.
 | The environment: or or
 | When the environment is , this is the ID of the user to whom the token was issued

These headers are standard to the JWT tokens:

Header | Kind | Description
------ | ---- | -----------
 | Algorithm | The algorithm used by the issuer
 | Key ID | The identifier of the key used to sign the token
 | Type | The type of token; this is set to .
