You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Github OIDC provider is shared provider which issues tokens for all repositories hosted in the instance. Such tokens are valid from perspective of federated infrastructure. Identities represented by these tokens can be granted access to the gcp resources. If permissions will be granted by mistake there is no configuration which will prevent accessing resources by unauthorised workload.
The workload identity federation provider has property attribute_condition which value is a CEL expression string. The expression is evaluated to decide if token should be accepted. This allow to conditionally control which tokens should be allowed to access resources.
Recently we set attribute condition for github.com provider limiting allowed tokens to the tokens issued for repositories owned by kyma-project organisation.
IaC config setting attribute_condition for provider.
Github OIDC provider is shared provider which issues tokens for all repositories hosted in the instance. Such tokens are valid from perspective of federated infrastructure. Identities represented by these tokens can be granted access to the gcp resources. If permissions will be granted by mistake there is no configuration which will prevent accessing resources by unauthorised workload.
The workload identity federation provider has property
attribute_conditionwhich value is a CEL expression string. The expression is evaluated to decide if token should be accepted. This allow to conditionally control which tokens should be allowed to access resources.Recently we set attribute condition for github.com provider limiting allowed tokens to the tokens issued for repositories owned by
kyma-projectorganisation.IaC config setting attribute_condition for provider.
test-infra/configs/terraform/environments/prod/gcp-workfload-identity-federation.tf
Line 13 in 116249d
Default value of attribute_condition CEL expression.
test-infra/configs/terraform/environments/prod/gcp-workfload-identity-federation-variables.tf
Line 33 in 116249d
The same configuration should be added for github.tools.sap provider.
The text was updated successfully, but these errors were encountered: