2023-11-02: OIDC / OpenID authentication failing due to `AssumeRoleWithWebIdentity` errors
Executive Summary
Between 02-11-2023 06:38 UTC and 03-11-2023 13:05 UTC, in two separate periods (02-11-2023 between 06:40 UTC and 09:00 UTC, and 03-11-2023 between 12:14 UTC and 13:05 UTC), a number of OpenID authentication failures due to AssumeRoleWithWebIdentity errors were observed.
The errors reported on 02-11-2023 between 06:40 UTC and 09:00 UTC self-resolved, and the root cause was not identified.
The errors reported on 03-11-2023 between 12:14 UTC and 13:05 UTC were caused by caching issues: instead of the expected JSON, the OpenID Configuration URL was returning a CS system page from cache. A separate issue was opened to avoid confusion; the issue was similar to an ongoing Cloudflare cache poisoning issue.
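The 03-11-2023 failure mode (an HTML page served from cache where the discovery JSON was expected) is something a synthetic monitor can detect. The following check is an added example, not GitLab's code; the function name, the placeholder issuer `https://gitlab.example.com` and the sample responses are constructed for illustration.

```python
import json

# A subset of the fields OpenID Connect Discovery 1.0 marks REQUIRED.
REQUIRED_FIELDS = ("issuer", "jwks_uri", "response_types_supported",
                   "subject_types_supported",
                   "id_token_signing_alg_values_supported")

def check_discovery_response(expected_issuer, status, headers, body):
    """Return a list of problems in a discovery response; empty means healthy."""
    problems = []
    if status != 200:
        problems.append(f"unexpected HTTP status {status}")
    # Header names are case-insensitive.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"content type is {ctype!r}, not application/json")
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        problems.append("body is not JSON (cached HTML page?)")
        return problems
    if not isinstance(doc, dict):
        problems.append("body is JSON but not an object")
        return problems
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field {field!r}")
    # The issuer in the document must match the expected issuer exactly.
    if "issuer" in doc and doc["issuer"] != expected_issuer:
        problems.append(f"issuer {doc['issuer']!r} != {expected_issuer!r}")
    jwks = doc.get("jwks_uri")
    if jwks is not None and not (isinstance(jwks, str) and jwks.startswith("https://")):
        problems.append("jwks_uri is not an https URL")
    return problems

# Constructed sample responses (status, headers, body); not captured traffic.
ISSUER = "https://gitlab.example.com"  # placeholder issuer
GOOD = (200, {"Content-Type": "application/json; charset=utf-8"}, json.dumps({
    "issuer": ISSUER, "jwks_uri": ISSUER + "/oauth/discovery/keys",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"]}))
CACHED_HTML = (200, {"content-type": "text/html; charset=utf-8"},
               "<!DOCTYPE html><html><title>Sign in</title></html>")

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("cached html", CACHED_HTML)):
        print(name, check_discovery_response(ISSUER, *resp) or "OK")
```

A monitor would fetch `<issuer>/.well-known/openid-configuration`, pass the status, headers and body to this function, and alert on a non-empty result.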
Customer Impact
So far we have 5 ZenDesk tickets that reported an AssumeRoleWithWebIdentity error today. Query link: https://gitlab.zendesk.com/agent/search/1?copy&type=ticket&q=AssumeRoleWithWebIdentity%20order_by%3Acreated_at%20sort%3Adesc
Current Status
For affected users, please retry your jobs, and let us know if this continues to occur.
More information will be added as we investigate the issue. For customers believed to be affected by this incident, please subscribe to this issue or monitor our status page for further updates.
Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information, as laid out in our handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share will be public, in accordance with our transparency value.