From 4791fdcae6ef18778ffbf032b8cd48cf50ad82e3 Mon Sep 17 00:00:00 2001
From: Evert Daniel Romero Garrido
Date: Thu, 16 Apr 2026 11:58:19 -0600
Subject: [PATCH] debug(oidc): print decoded JWT payload to diagnose audience mismatch

---
 scripts/aws-oidc-setup.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/scripts/aws-oidc-setup.sh b/scripts/aws-oidc-setup.sh
index 1d7e2c1..0ddc69c 100755
--- a/scripts/aws-oidc-setup.sh
+++ b/scripts/aws-oidc-setup.sh
@@ -53,6 +53,17 @@ echo "Session Name : $SESSION_NAME"
 echo "Token file : $AWS_WEB_IDENTITY_TOKEN_FILE"
 echo "Obteniendo credenciales temporales via STS..."
+echo "=== Decoding OIDC Token ==="
+python3 -c "
+import json, base64, sys
+t = open('${BITBUCKET_STEP_OIDC_TOKEN}').read().strip()
+payload = t.split('.')[1]
+padding = 4 - len(payload) % 4
+if padding != 4: payload += '=' * padding
+print(json.dumps(json.loads(base64.b64decode(payload)), indent=2))
+"
+echo "==========================="
+
 CREDS=$(aws sts assume-role-with-web-identity \
 --role-arn "$AWS_ROLE_ARN" \
 --role-session-name "$SESSION_NAME" \
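Review bot: `base64.b64decode(payload)` decodes the JWT segment with the standard alphabet, but JWT segments are base64url — any `-` or `_` in the encoded claims is silently discarded (`validate` defaults to False), which shifts the bit stream and produces a padding error or garbled JSON exactly when you need to read `aud`; use `base64.urlsafe_b64decode`. `open('${BITBUCKET_STEP_OIDC_TOKEN}')` also looks wrong: the `Token file :` line two lines above suggests the token is already on disk at `$AWS_WEB_IDENTITY_TOKEN_FILE`, and if `BITBUCKET_STEP_OIDC_TOKEN` holds the raw token value rather than a path (its name suggests so — confirm), `open()` will raise FileNotFoundError. Splicing that variable into the `-c` string additionally puts the bearer token on the `python3` command line, where `set -x` tracing and `ps` expose it, so read the path from the environment inside Python instead of interpolating it from the shell. The printed claims (`sub`, `aud`, `iss`) are not the secret, but this debug block should be gated or removed once the mismatch is understood, and `sys` is unused; the `CREDS=$(aws sts …)` command that follows continues past the hunk.
```shell
echo "=== Decoding OIDC Token ==="
python3 -c '
import json, base64, os
t = open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]).read().strip()
payload = t.split(".")[1]
# JWT segments are base64url; pad to a multiple of 4 before decoding
print(json.dumps(json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))), indent=2))
'
# … unchanged: closing banner and STS assume-role call …
```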