当前位置: 文江博客话题详情

属性映射在配置GCP和GITHUB之间的工作负载身份联合会时

发布于 2025-02-10 08:22:55 字数 2471 浏览 0 评论 0原文

我试图围绕这个新主题缠住我的头,因为那里的示例仍然很少,并且文档相当晦涩。

我正在尝试逆向工程 this repo。

我想了解的是,我们通知GCP的方式认为,具有特定属性的OIDC令牌(即来自特定组织/repos/分支等)仅被接受为有效。

我注意到IAM策略为定义如下:

data "google_iam_policy" "wli_user_ghshr" {
  binding {
    role = "roles/iam.workloadIdentityUser"

    members = [
      "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",
    ]
  }
}

然后我看到身份池提供商也是声明像这样,

resource "google_iam_workload_identity_pool_provider" "provider" {
  provider                           = google-beta
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gh_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-provider"
  attribute_mapping                  = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }
  oidc {
    allowed_audiences = ["google-wlif"]
    issuer_uri        = "https://token.actions.githubusercontent.com"
  }
}

我的问题是:

IAM策略声明中的这一行是否

"principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",

必须与身份池提供商的atibute_mapping中的属性映射对齐字段,即

  attribute_mapping                  = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }

属性

"attribute.full" = "assertion.repository+assertion.ref"


attribute.full/${var.gh_repo}${var.gh_branch}"

IE

如果是这样,在attribute_mapping google.subject字段中,assertion.sub.sub的作用是什么? ostertion.sub的价值是否必须是特定的东西?

如果是这样,这是在哪里说明 /反映的?

原文

I am trying to wrap my head around this new topic, given that there are still too few examples out there and the documentation is rather obscure.

I am trying to reverse engineer this repo.

What I want to understand is the way we inform GCP that OIDC tokens having specific attributes (i.e coming from specific orgs/repos/branches etc) are only accepted as valid.

I notice that the iam policy is defined as follows:

data "google_iam_policy" "wli_user_ghshr" {
  binding {
    role = "roles/iam.workloadIdentityUser"

    members = [
      "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",
    ]
  }
}

then I see that the identity pool provider is also declared like this

resource "google_iam_workload_identity_pool_provider" "provider" {
  provider                           = google-beta
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gh_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-provider"
  attribute_mapping                  = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }
  oidc {
    allowed_audiences = ["google-wlif"]
    issuer_uri        = "https://token.actions.githubusercontent.com"
  }
}

My question is the following:

does this line in the iam policy declaration

"principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",

must be aligned with the attribute mapping in the identity pool provider's attribute_mapping field, i.e

  attribute_mapping                  = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }

i.e. is the attribute.full

"attribute.full" = "assertion.repository+assertion.ref"

is reflected in the last part of the principalSet of the iam policy as follows:

attribute.full/${var.gh_repo}${var.gh_branch}"

?

If so, in the attribute_mapping google.subject field, what's the role of assertion.sub? Does the value of the assertion.sub has to be something specific?

If so, where is this stated / reflected?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

做个ˇ局外人 2025-02-17 08:22:55

在“仅仓库”中的特定示例中,使用了attribute.full。因此,您可以只使用:

  attribute_mapping                  = {
    "google.subject" = "assertion.repository+assertion.ref"
  }

并将服务帐户的IAM策略更改为授予Workload Identity用户权限到身份:

principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/subject/${var.gh_repo}${var.gh_branch}

希望这有帮助,我还拥有第二个视频,可以在更多详细信息中解释这一点: https://youtu.be/fa9jhnag4sa

In the specific example from the repo only attribute.full is used. So you could just use:

  attribute_mapping                  = {
    "google.subject" = "assertion.repository+assertion.ref"
  }

and change the IAM policy for the service account to to grant Workload Identity User permissions to the identity:

principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/subject/${var.gh_repo}${var.gh_branch}

Hope this helps, I have also mode a second video to explain this in greater details: https://youtu.be/fa9jHNaG4SA

回复 原文
~没有更多了~

关于作者

Smile简单爱

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

李珊平

文章 0 评论 0

Quxin

文章 0 评论 0

范无咎

文章 0 评论 0

github_ZOJ2N8YxBm

文章 0 评论 0

若言

文章 0 评论 0

南…巷孤猫

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文