credctl setup aws
Synopsis
```
credctl setup aws [flags]
```
Description
credctl setup aws deploys a CloudFormation stack that creates the AWS infrastructure required for credctl’s OIDC federation:
- S3 bucket — hosts OIDC discovery document and JWKS
- CloudFront distribution — serves OIDC documents over HTTPS (acts as the issuer URL)
- IAM OIDC provider — configured to trust the CloudFront-hosted OIDC issuer
- IAM role — trusts the OIDC provider, with the specified policy attached
After the stack deploys, the command automatically runs oidc generate and oidc publish to upload the OIDC discovery documents. Configuration is written to ~/.credctl/config.json.
Requires the AWS CLI to be installed and configured with sufficient IAM permissions.
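A post-deployment check for the infrastructure this command creates, added here as an example; it is not part of credctl or its documentation. It assumes only what the description states: an issuer URL served by CloudFront with a discovery document and JWKS beside it, and an IAM role whose trust policy names the IAM OIDC provider for that issuer. The sample issuer, provider ARN, discovery document, JWKS and trust policy embedded below are constructed values for offline use, and the `sts.amazonaws.com` audience in the sample trust policy is an assumption, not a documented credctl value; the checks themselves only require that some audience condition exists.

```python
"""Post-deploy verification for a credctl OIDC issuer and device role.

Added example, not credctl code. Checks the three things the IAM side
depends on: a consistent discovery document, a JWKS that carries public
key material only, and a role trust policy pinned to the provider.
"""
from __future__ import annotations

import json
import subprocess
import sys
import urllib.request
from urllib.parse import urlparse


def check_discovery(issuer: str, discovery: dict) -> list[str]:
    """Problems an IAM OIDC provider would hit when reading the discovery document."""
    problems = []
    if discovery.get("issuer") != issuer:
        problems.append(f"issuer claim {discovery.get('issuer')!r} does not match {issuer!r}")
    jwks_uri = discovery.get("jwks_uri", "")
    if not jwks_uri.startswith("https://"):
        problems.append("jwks_uri is missing or not HTTPS")
    elif urlparse(jwks_uri).netloc != urlparse(issuer).netloc:
        problems.append(f"jwks_uri {jwks_uri!r} is not served by the issuer host")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not listed in id_token_signing_alg_values_supported")
    return problems


def check_jwks(jwks: dict) -> list[str]:
    """Problems with a JWKS that is about to sit in a publicly readable bucket."""
    problems = []
    keys = jwks.get("keys", [])
    if not keys:
        problems.append("JWKS has no keys")
    for key in keys:
        kid = key.get("kid")
        if not kid:
            problems.append("key without kid: tokens cannot be matched to it")
        if key.get("kty") != "RSA" or not (key.get("n") and key.get("e")):
            problems.append(f"key {kid!r}: not a complete RSA public key")
        # A published JWKS must carry public components only; these are private.
        leaked = {"d", "p", "q", "dp", "dq", "qi"}.intersection(key)
        if leaked:
            problems.append(f"key {kid!r}: private key material published ({sorted(leaked)})")
    return problems


def check_trust_policy(policy: dict, provider_arn: str) -> list[str]:
    """The role should admit only this provider, only via web-identity
    assumption, and only tokens that carry an expected audience."""
    problems = []
    host = provider_arn.rsplit("/", 1)[-1]  # arn:aws:iam::<acct>:oidc-provider/<host>
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            problems.append(f"statement trusts {stmt.get('Principal')!r}, not {provider_arn!r}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        extra = set(actions) - {"sts:AssumeRoleWithWebIdentity", "sts:TagSession"}
        if extra:
            problems.append(f"unexpected actions {sorted(extra)!r}")
        conditions = stmt.get("Condition", {})
        if not any(f"{host}:aud" in v for v in conditions.values()):
            problems.append("no aud condition: tokens for any audience are accepted")
    return problems


def run_checks(issuer: str, discovery: dict, jwks: dict, policy: dict, provider_arn: str) -> list[str]:
    return (check_discovery(issuer, discovery) + check_jwks(jwks)
            + check_trust_policy(policy, provider_arn))


# Constructed sample values shaped like the stack outputs (not real keys or accounts).
SAMPLE_ISSUER = "https://d1234567890.cloudfront.net"
SAMPLE_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/d1234567890.cloudfront.net"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "device-key-1", "use": "sig", "alg": "RS256",
                         "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}]}
SAMPLE_TRUST_POLICY = {  # audience value is an assumption, not a credctl constant
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAMPLE_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"d1234567890.cloudfront.net:aud": "sts.amazonaws.com"}},
    }],
}


def _fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def _aws(*args: str) -> str:
    return subprocess.run(["aws", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python verify_credctl_aws.py <issuer-url> [role-name]
    # Reads the live stack: discovery and JWKS over HTTPS, trust policy via the AWS CLI.
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    issuer = sys.argv[1].rstrip("/")
    role = sys.argv[2] if len(sys.argv) > 2 else "credctl-device-role"
    discovery = _fetch_json(issuer + "/.well-known/openid-configuration")
    jwks = _fetch_json(discovery["jwks_uri"])
    account = json.loads(_aws("sts", "get-caller-identity", "--query", "Account"))
    policy = json.loads(_aws("iam", "get-role", "--role-name", role,
                             "--query", "Role.AssumeRolePolicyDocument"))
    provider_arn = f"arn:aws:iam::{account}:oidc-provider/{urlparse(issuer).netloc}"
    problems = run_checks(issuer, discovery, jwks, policy, provider_arn)
    print("\n".join(problems) or "all checks passed")
    sys.exit(1 if problems else 0)
```

Run it against the Issuer URL the command prints; it exits non-zero and lists each finding if the discovery document, JWKS or trust policy drifts from what the IAM OIDC provider expects. The JWKS private-material check matters because the bucket and distribution this command creates are world-readable by design.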
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --policy-arn | string | — | IAM managed policy ARN to attach to the created role. Required. |
| --stack-name | string | credctl-infra | CloudFormation stack name. |
| --role-name | string | credctl-device-role | Name for the IAM role to create. |
| --region | string | us-east-1 | AWS region for the CloudFormation stack. |
Examples
Basic setup with a policy ARN
```
credctl setup aws --policy-arn arn:aws:iam::123456789012:policy/MyDevPolicy
Deploying CloudFormation stack 'credctl-infra' in us-east-1...
Waiting for stack to complete...

Stack outputs:
  Issuer URL: https://d1234567890.cloudfront.net
  Role ARN: arn:aws:iam::123456789012:role/credctl-device-role
  S3 Bucket: credctl-oidc-123456789012

Generating OIDC documents...
Publishing OIDC documents...

AWS setup complete. Configure your AWS CLI:
  echo '[profile credctl]\ncredential_process = credctl auth' >> ~/.aws/config
```
Custom stack name and region
```
credctl setup aws \
  --policy-arn arn:aws:iam::123456789012:policy/StagingPolicy \
  --stack-name credctl-staging \
  --role-name credctl-staging-role \
  --region eu-west-1
```
Exit codes
| Code | Meaning |
|---|---|
| 0 | AWS infrastructure created and configured successfully |
| 1 | Error (device not initialised, CloudFormation failure, or other error) |
See also
- credctl auth — authenticate using the created infrastructure
- credctl oidc generate — generate OIDC documents manually
- credctl oidc publish — publish OIDC documents manually
- AWS setup guide — detailed walkthrough and manual Terraform alternative
- Troubleshooting — CloudFormation error solutions