debug(oidc): print decoded JWT payload to diagnose audience mismatch

2026-04-16 11:58:19 -06:00
parent 18b436e582
commit 4791fdcae6
1 changed files with 11 additions and 0 deletions
@@ -53,6 +53,17 @@ echo "Session Name  : $SESSION_NAME"
 echo "Token file    : $AWS_WEB_IDENTITY_TOKEN_FILE"
 echo "Obteniendo credenciales temporales via STS..."

+echo "=== Decoding OIDC Token ==="
+python3 -c "
+import json, base64, sys
+t = open('${BITBUCKET_STEP_OIDC_TOKEN}').read().strip()
+payload = t.split('.')[1]
+padding = 4 - len(payload) % 4
+if padding != 4: payload += '=' * padding
+print(json.dumps(json.loads(base64.b64decode(payload)), indent=2))
+"
+echo "==========================="
+
 CREDS=$(aws sts assume-role-with-web-identity \
  --role-arn "$AWS_ROLE_ARN" \
  --role-session-name "$SESSION_NAME" \