Summary

The error message "An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience" is encountered during pipeline builds when attempting to deploy using Bitbucket OpenID Connect. This error indicates a problem with the audience claim in the identity token used to assume a role in AWS. The token's Audience does not match the expected value for the IAM role being attempted to assume.

Cause

The root cause of the "InvalidIdentityToken" error is an inconsistency in the audience claim within the identity token used during the deployment process. The audience claim specifies the intended recipient of the token and must match the client ID issued by the identity provider for your application. Suppose the audience claim in the identity token does not align with the expected client ID for the IAM role in AWS. In that case, the AssumeRoleWithWebIdentity operation will fail with the "Incorrect token audience" error message.

Solution

To fix the issue, follow these steps:

1. Review the Audience displayed as an identity provider on OpenID Connect in Bitbucket.
2. Ensure that the Audience value is identical to your app's client ID issued by the Identity provider.
3. If the Audience value is incorrect, update it by copying the correct OpenID Connect value from Bitbucket to the Audience field.

Additionally, revisit the documentation on Deploy on AWS using Bitbucket Pipelines OpenID Connect to ensure no steps are missing.