[英]Support for wildcards with Workload Identity Federation
I am currently testing this Github Action to authenticate with gcloud resources using Workload Identity Federation.我目前正在测试此Github Action以使用 Workload Identity Federation 对 gcloud 资源进行身份验证。
I created a Workload Identity Provider with a custom repository_ref
attribute mapping both the Github repository and branch from which the Github Action was used:我使用自定义
repository_ref
属性创建了一个 Workload Identity Provider,该属性映射了 Github 存储库和使用 Github Action 的分支:
gcloud iam workload-identity-pools providers create-oidc "my-provider" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="my-pool" \
--display-name="Demo provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner,attribute.repository_ref=assertion.repository:assertion.ref" \
--attribute-condition="attribute.repository_owner=username" \
--issuer-uri="https://token.actions.githubusercontent.com"
When granting service account impersonation rights I can then use this command to ensure that The Github Action is triggered from the my_repo
repository's master
branch:在授予服务帐户模拟权限时,我可以使用此命令来确保从
my_repo
存储库的master
分支触发 Github 操作:
gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_ref/username/my_repo:refs/heads/master"
While that works great to match an exact branch name, I would also like to use the same to grant authentication on all tags creations using a wildcard:虽然这非常适合匹配确切的分支名称,但我也想使用相同的方法来使用通配符对所有标签创建授予身份验证:
gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_ref/username/my_repo:refs/tags/*"
It does not seem to work at the moment.目前它似乎不起作用。 Are there plans to support this?
有计划支持吗? And is there an alternative I could use at the moment?
有没有我现在可以使用的替代方案?
Thanks谢谢
AFAIK wildcards are not supported.不支持 AFAIK 通配符。
Try this instead:试试这个:
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/username/my_repo"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.