diff --git a/message b/message new file mode 100644 index 0000000..d2dddfc --- /dev/null +++ b/message @@ -0,0 +1,9 @@ +fix(terraform): corregir OIDC audience para Bitbucket Cloud + +Bitbucket Cloud genera tokens JWT con audience fijo: +ari:cloud:bitbucket::workspace/465016f8-d6fb-4ecb-ba6f-2248e938942b + +El archivo oidc-bitbucket.tf solo aceptaba sts.amazonaws.com, +lo que causaba InvalidIdentityToken en cada terraform apply. +Ahora el OIDC provider y el rol IAM aceptan ambos audiences +mediante ForAnyValue:StringEquals. diff --git a/terraform/oidc-bitbucket.tf b/terraform/oidc-bitbucket.tf index f54b2bb..3fd335a 100644 --- a/terraform/oidc-bitbucket.tf +++ b/terraform/oidc-bitbucket.tf @@ -14,6 +14,9 @@ locals { bitbucket_workspace = "ccsoft1" bitbucket_oidc_url = "https://api.bitbucket.org/2.0/workspaces/${local.bitbucket_workspace}/pipelines-config/identity/oidc" + # UUID del workspace de Bitbucket Cloud para el audience fijo del OIDC. + bitbucket_workspace_uuid = "465016f8-d6fb-4ecb-ba6f-2248e938942b" + # ------------------------------------------------------------------ # REPO_UUID de proyectosacc # ------------------------------------------------------------------ @@ -40,12 +43,12 @@ data "tls_certificate" "bitbucket_oidc" { resource "aws_iam_openid_connect_provider" "bitbucket" { url = local.bitbucket_oidc_url - # Usamos "sts.amazonaws.com" como audience para simplificar la - # configuración y evitar depender del Workspace UUID de Bitbucket. - # Esto requiere configurar "audiences: [sts.amazonaws.com]" en - # bitbucket-pipelines.yml. + # Bitbucket Cloud usa "ari:cloud:bitbucket::workspace/{uuid}" como audience + # fijo en los tokens JWT. Mantenemos "sts.amazonaws.com" por compatibilidad + # con pipelines que aún lo configuren manualmente. client_id_list = [ - "sts.amazonaws.com" + "sts.amazonaws.com", + "ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}" ] thumbprint_list = [ 
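Review bot: The audience string `ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}` is now assembled in two places (the provider's `client_id_list` and the role's trust-policy condition), so the new `bitbucket_workspace_uuid` local only half-removes the duplication. Define the full audience once next to it, e.g. `bitbucket_oidc_audience = "ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}"`, and reference that local from both resources so the two can never drift. The comment above the UUID should also say where the value is verified (the workspace settings / OIDC configuration in Bitbucket Cloud), since a typo here produces the same `InvalidIdentityToken` the commit is fixing and nothing in Terraform will validate it. The `locals` block starts and continues outside this hunk.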
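Review bot: Keeping `"sts.amazonaws.com"` in `client_id_list` contradicts the new comment two lines above it and the commit message, which both say Bitbucket Cloud issues tokens with a fixed `ari:cloud:bitbucket::workspace/{uuid}` audience; if that is true, no pipeline can "configure it manually" and the entry is dead configuration that widens the set of tokens from this issuer the provider will accept. If the fixed audience is confirmed, reduce the list to the single real value, `client_id_list = ["ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}"]`; if it is not, the comment should not call the audience fixed and should name the pipelines that still send `sts.amazonaws.com`. The practical exposure is limited by the `sub` condition on the role, but the provider should still only list audiences that are actually issued. The `thumbprint_list` that follows is outside this hunk and was not reviewed.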
@@ -76,8 +79,11 @@ resource "aws_iam_role" "bitbucket_ci_cd" {
 }
 Action = "sts:AssumeRoleWithWebIdentity"
 Condition = {
- StringEquals = {
- "${trimprefix(local.bitbucket_oidc_url, "https://")}:aud" = "sts.amazonaws.com"
+ ForAnyValue:StringEquals = {
+ "${trimprefix(local.bitbucket_oidc_url, "https://")}:aud" = [
+ "sts.amazonaws.com",
+ "ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}"
+ ]
 }
 StringLike = {
 "${trimprefix(local.bitbucket_oidc_url, "https://")}:sub" = "${local.bitbucket_repo_uuid}:*"
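Review bot: `ForAnyValue:StringEquals = {` is written as a bare object key, and a bare HCL key cannot contain `:` — the parser reads `ForAnyValue` as the key, `:` as the key/value separator and then fails on `StringEquals = {`, so as written this trust policy should not pass `terraform validate`; either quote it, `"ForAnyValue:StringEquals" = {`, or (preferably) drop the set operator altogether and keep `StringEquals = {` with the list value, since IAM already ORs multiple values given for one condition key and `ForAnyValue` is meant for multi-valued request keys. The same caveat as on the provider applies: if Bitbucket's audience is really fixed, the `"sts.amazonaws.com"` entry in the list is unnecessary and only broadens the trust condition. The `aws_iam_role.bitbucket_ci_cd` resource and its `assume_role_policy` start before and end after this hunk, so the surrounding policy structure could not be checked.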