Third party authentication vs approle for a cicd pipeline

Dear hashicorp community,

I am learning hashicorp vault and reading this tutorial it says third party authentication should be used instead of approle if available.

Now, I would like to authenticate my cicd pipeline through hashicorp vault and I want to use OIDC authentication. When I go to its documentation it says that a web browser will be opened in order to authenticate, my cicd pipeline can’t authenticate in that way.

I would like to follow best practices and try OIDC authentication method, but at the same time, I would like to use it in an “unattended way” for my cicd pipeline.

How could I do that?

thank you

JWT auth is similar but can be used for automated use cases.

GitLab has a pretty good write up on this: Using external secrets in CI | GitLab

AppRole and OIDC serve two different “primary” purposes, although they can be used for others as well.

AppRole is programmatic authentication for applications, tools, etc. Right now it is the right solution for 99.9% of the people out there. The option of 3rd party auth is there but I haven’t run across many that work as well.

OIDC is user authentication, like LDAP or AD auth to get users a token.
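
The unattended login that the JWT auth reply above points to, as an added example that is not part of the original thread or of any poster's code: the pipeline posts the identity token its CI system issued for the job to Vault's JWT login endpoint, with no browser involved. It assumes the JWT auth method is mounted at the default `jwt/` path; the environment variable names `CI_ID_TOKEN`, `VAULT_ROLE` and `VAULT_AUDIENCE` and the sample token are constructed for illustration.

```python
import base64, json, os, time, urllib.request

def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying it; Vault does the verification."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(jwt, expected_aud, now=None):
    """Fail fast on an expired or wrong-audience token before contacting Vault."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if claims.get("exp", 0) <= now:
        raise ValueError("CI token is expired")
    if expected_aud not in auds:
        raise ValueError("CI token audience does not match")
    return claims

def build_login_request(vault_addr, role, jwt, mount="jwt"):
    """Build the POST to /v1/auth/<mount>/login with the role name and the job's JWT."""
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    return urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/auth/{mount}/login",
        data=body, method="POST",
        headers={"Content-Type": "application/json"})

def vault_login(vault_addr, role, jwt, mount="jwt"):
    """Exchange the CI job's JWT for a Vault token (needs a reachable Vault)."""
    req = build_login_request(vault_addr, role, jwt, mount)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]["client_token"]

def make_sample_jwt(claims):
    """Constructed sample token with a fake signature, for offline checks only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fake-signature"

if __name__ == "__main__":
    # Assumed variable names (VAULT_ADDR aside); set them in the pipeline configuration.
    jwt = os.environ["CI_ID_TOKEN"]
    preflight(jwt, os.environ["VAULT_AUDIENCE"])
    token = vault_login(os.environ["VAULT_ADDR"], os.environ["VAULT_ROLE"], jwt)
    print("Vault login succeeded; token length:", len(token))  # never print the token itself
```

The local pre-flight check only saves a round trip; the signature check and the role's bound claims are enforced by Vault on login.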