使用 Workload Identity Federation 支持通配符

Question

I am currently testing this Github Action to authenticate with gcloud resources using Workload Identity Federation.

I created a Workload Identity Provider with a custom repository_ref attribute mapping both the Github repository and branch from which the Github Action was used:

gcloud iam workload-identity-pools providers create-oidc "my-provider" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="my-pool" \
  --display-name="Demo provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner,attribute.repository_ref=assertion.repository:assertion.ref" \
  --attribute-condition="attribute.repository_owner=username" \
  --issuer-uri="https://token.actions.githubusercontent.com"

When granting service account impersonation rights I can then use this command to ensure that The Github Action is triggered from the my_repo repository's master branch:

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_ref/username/my_repo:refs/heads/master"

While that works great to match an exact branch name, I would also like to use the same to grant authentication on all tags creations using a wildcard:

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_ref/username/my_repo:refs/tags/*"

It does not seem to work at the moment. Are there plans to support this? And is there an alternative I could use at the moment?

Thanks

Answer 1

AFAIK wildcards are not supported.

Try this instead:

--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/username/my_repo"