Using OpenID Connect Tokens
OpenID Connect (OIDC) allows your deployments to exchange short-lived tokens directly from your cloud provider. env zero provides an OIDC token (JWT) as an environment variable. A deployment can use this to access compatible cloud services without a long-lived credential stored in env zero.Token versions: v2 (per-provider audience) and v1 (legacy)
env zero issues OIDC tokens in two formats, selected per credential:- v2 (recommended) - each cloud provider receives a token whose
audclaim identifies that provider (for example,sts.amazonaws.comfor AWS). A token minted for one provider is not valid against another, which closes the token-substitution (“confused deputy”) risk described in RFC 8725. - v1 (legacy) - every provider in a deployment receives the same token, whose
audclaim ishttps://prod.env0.com. This is the original behavior and remains the default for existing credentials. AWS is the exception on the configuration side: because v1 tokens also carry anazpclaim, AWS matches<provider>:audagainstazp, so AWS v1 trust is keyed on the env zero client ID (hoMiq9PdkRh9LUvVpH4wIErWg50VSG1b) rather than onhttps://prod.env0.com(theaudclaim itself is unchanged).
v2 tokens also omit the deprecated
https://env0.com/* namespaced claims. If you condition trust on any of those, switch to the non-namespaced equivalents before enabling v2.Enabling OIDC Token Availability
A JWT token could be available during deployment as an environment variable calledENV0_OIDC_TOKEN.
This feature can be enabled by selecting an OIDC credential when creating a credential in the organization’s credentials page.In addition, organization admins can enable this feature by toggling the related checkbox in the organization’s policies tab.

Setting Up Your 3rd Party Service Integration
Consult your 3rd party service’s documentation for how to add an identity provider.For example, Vault’s JWT Authentication, or AWS’s Creating OpenID Connect (OIDC) identity providers. The OIDC token is unique to your organization. The custom claims attached to the token contain your organization ID. You can find your env zero organization ID by navigating to the Organization Settings page in our web app and copying the UUID from the URL. The token’s
aud claim depends on the credential’s token version: provider-specific for v2 credentials, or https://prod.env0.com for v1 (the same for every provider). For AWS v1 you configure trust on the env zero client ID rather than this aud value, because v1 tokens carry an azp claim. See Token versions above.
Format of the OpenID Connect ID token
The OpenID Connect ID token contains the following standard claims.
The OpenID Connect ID token also contains some additional custom claims that you should validate:
Specific AWS Session Tags:
In addition to the claims mentioned above, there is also a specific section for AWS tags inside ahttps://aws.amazon.com/tags and inside principal_tags:
Here is an example of a full JWT Token. The example below is a v1 token. A v2 token differs in three ways:
aud is the provider-specific value (see Token versions), the azp claim is absent (replaced by client_id), and the deprecated https://env0.com/* claims are omitted. The iss is unchanged:
Custom Claims
You can add a custom claim to the OIDC token by setting theENV0_OIDC_TAG environment variable in env zero.
Usage:
- Set
ENV0_OIDC_TAGas an environment variable in env zero. - The value is included in the token as both
env0Tagandhttps://env0.com/env0Tagclaims. - For AWS integrations, it is also included in the
https://aws.amazon.com/tagsprincipal_tags.
ENV0_OIDC_TAG=production-workload, the token includes:
Using claims in IAM trust policies
Becauseenv0Tag is user-controlled, it is not safe as an authorization gate. Use system-issued claims (organizationId, projectId, environmentId, templateId) for IAM trust conditions instead, and keep env0Tag for informational use only.
The examples below use aws:PrincipalTag/<claim>. aws:RequestTag/<claim> is also valid in AWS trust policies and can be used interchangeably for these conditions.
Unsafe vs. safe examples
Unsafe,env0Tag is user-controlled:
ENV0_OIDC_TAG=my-secret-string can assume this role.
Safe, bind to immutable org identity:
Which claims are safe for trust conditions?
JWT Verification
JWT signatures will be verified against public keys from the issuer.A JSON Web Key Set (JWKS) URL should be configured on your 3rd party service side.
Keys will be fetched from this endpoint during authentication.
Our JWKS URL is:
https://login.app.env0.com/.well-known/jwks.json
Next steps
- OIDC for AWS - Configure OIDC authentication for AWS environments.
- OIDC for Azure - Configure OIDC authentication for Azure environments.
- OIDC for GCP - Configure OIDC authentication for GCP environments.
- OIDC for Vault - Use OIDC tokens to authenticate with HashiCorp Vault.