---
title: esc env provider aws-login oidc | CLI commands
url: /docs/esc/cli/commands/esc_env_provider_aws-login_oidc/
---

Add an AWS OIDC login provider to an environment

## Synopsis

[EXPERIMENTAL] Add an AWS OIDC login provider to an environment

Writes an `fn::open::aws-login` block with an `oidc` federation block at the
configured path under `values`. The OIDC IAM role and trust policy must be
provisioned separately (e.g. with Pulumi). If a block already exists at the
path, it is replaced.

See https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/aws-login/
for the full provider reference.

```
esc env provider aws-login oidc [<org>/][/]<environment-name> <role-arn> <session-name> [flags]
```

## Options

```
      --create                          create the environment if it does not already exist
      --draft string[="new"]            set flag without a value (--draft) to create a draft rather than saving changes directly. --draft=<change-request-id> to update an existing change request.
      --duration string                 optional session duration, e.g. 1h
  -h, --help                            help for oidc
      --path values                     property path under values where the provider block is written (default "aws.login")
      --policy-arn stringArray          AWS managed-policy ARN to attach to the role session (repeatable)
      --subject-attribute stringArray   OIDC subject attribute to include in the session token (repeatable)
```

## Options inherited from parent commands

```
      --env string   The name of the environment to operate on.
```

## SEE ALSO

* [esc env provider aws-login](/docs/esc/cli/commands/esc_env_provider_aws-login/) - Add an AWS login provider to an environment