Attribute mappings in configuring workload identity federation between GCP and GitHub
Given that there are still too few examples out there and the documentation is fairly obscure, I am trying to wrap my head around this new topic.

I am trying to reverse-engineer this repo.

What I want to understand is how we tell GCP that only OIDC tokens with specific attributes (i.e. coming from a specific organization/repository/branch etc.) are considered valid.

I noticed that the IAM policy is defined as follows:

data "google_iam_policy" "wli_user_ghshr" {
  binding {
    role = "roles/iam.workloadIdentityUser"
    members = [
      "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",
    ]
  }
}

Then I see the identity pool provider declared like this:

resource "google_iam_workload_identity_pool_provider" "provider" {
  provider                           = google-beta
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gh_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-provider"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }
  oidc {
    allowed_audiences = ["google-wlif"]
    issuer_uri        = "https://token.actions.githubusercontent.com"
  }
}

My question is the following:

Does this line in the IAM policy statement

"principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",

have to align with the attribute mapping in the identity pool provider's attribute_mapping field, i.e.

attribute_mapping = {
  "google.subject" = "assertion.sub"
  "attribute.full" = "assertion.repository+assertion.ref"
}

meaning that attribute.full

"attribute.full" = "assertion.repository+assertion.ref"

is reflected in the last part of the principalSet in the IAM policy as follows:

attribute.full/${var.gh_repo}${var.gh_branch}"

?

If so, what is the role of assertion.sub in the google.subject field of the attribute_mapping? Does the value of assertion.sub have to be something specific? If so, where is this stated/reflected?
In the specific example from the repo, only attribute.full is used. So you could use:

attribute_mapping = {
  "google.subject" = "assertion.repository+assertion.ref"
}

and change the service account's IAM policy to grant the Workload Identity User role to the identity:

principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/subject/${var.gh_repo}${var.gh_branch}

Hope this helps; I also made a second video explaining this in more detail: https://youtu.be/fa9jHNaG4SA
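The following is an added example, not code from the question, the answer, or the repo being reverse-engineered. It simulates the relationship both posts are about: the provider's attribute_mapping turns claims from a GitHub Actions OIDC token into Google attributes, and those attributes are what the principal:// and principalSet:// member strings in the service account's IAM binding are matched against. The token claims, the project number and the pool id are constructed placeholders; the expression evaluator is a deliberate simplification that only understands the `assertion.<claim>` operands and `+` concatenation seen on the page (real mappings are CEL expressions). The check that google.subject is present and at most 127 characters reflects Google's documented requirements for that attribute.

```python
# Added example (not from the question, the answer, or the repo being discussed).
# Simulates how a workload identity pool provider's attribute_mapping turns
# GitHub OIDC token claims into Google attributes, and which principal:// /
# principalSet:// identifiers those attributes produce.
# Assumption: the evaluator only handles `assertion.<claim>` operands, quoted
# string literals and `+` concatenation; real mappings are full CEL.

# Constructed sample of the claims a GitHub Actions OIDC token carries.
SAMPLE_ASSERTION = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "google-wlif",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
}

PROJECT_NUMBER = "000000000000"  # placeholder project number
POOL_ID = "gh-pool"              # pool id used in the question

# Mapping from the repo the question reverse-engineers, and the simpler
# mapping the answer proposes.
REPO_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.full": "assertion.repository+assertion.ref",
}
ANSWER_MAPPING = {
    "google.subject": "assertion.repository+assertion.ref",
}

GOOGLE_SUBJECT_MAX_LEN = 127  # documented limit on the mapped google.subject value


def evaluate_expression(expr, assertion):
    """Evaluate a mapping expression over the token claims.

    `+` is plain string concatenation: no separator is inserted between
    `assertion.repository` and `assertion.ref`.
    """
    value = ""
    for part in expr.split("+"):
        part = part.strip()
        if part.startswith("assertion."):
            claim = part[len("assertion."):]
            if claim not in assertion:
                raise KeyError(f"token carries no claim named {claim!r}")
            value += str(assertion[claim])
        elif len(part) >= 2 and part[0] == part[-1] and part[0] in "\"'":
            value += part[1:-1]
        else:
            raise ValueError(f"unsupported expression fragment: {part!r}")
    return value


def apply_attribute_mapping(mapping, assertion):
    """Return the Google attributes a mapping produces for one token."""
    if "google.subject" not in mapping:
        raise ValueError("attribute_mapping must define google.subject")
    mapped = {name: evaluate_expression(expr, assertion) for name, expr in mapping.items()}
    if len(mapped["google.subject"]) > GOOGLE_SUBJECT_MAX_LEN:
        raise ValueError("mapped google.subject is longer than the allowed limit")
    return mapped


def principal_identifiers(mapped, project_number=PROJECT_NUMBER, pool_id=POOL_ID):
    """Every IAM member string that matches this token's mapped attributes."""
    base = (f"iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}")
    identifiers = {f"principal://{base}/subject/{mapped['google.subject']}"}
    for name, value in mapped.items():
        if name.startswith("attribute."):
            identifiers.add(f"principalSet://{base}/{name}/{value}")
    return identifiers


def binding_matches(member, mapping, assertion):
    """True if a roles/iam.workloadIdentityUser binding on `member` would
    accept a token with these claims under this mapping."""
    return member in principal_identifiers(apply_attribute_mapping(mapping, assertion))


def demo():
    gh_repo, gh_branch = "example-org/example-repo", "refs/heads/main"
    base = (f"iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}")
    # The two bindings discussed on the page, built the way the Terraform builds them.
    repo_member = f"principalSet://{base}/attribute.full/{gh_repo}{gh_branch}"
    answer_member = f"principal://{base}/subject/{gh_repo}{gh_branch}"
    # A token minted for another branch of the same repository must not match.
    other_branch = dict(SAMPLE_ASSERTION, ref="refs/heads/feature",
                        sub="repo:example-org/example-repo:ref:refs/heads/feature")
    return {
        "repo_mapping_accepts_main": binding_matches(repo_member, REPO_MAPPING, SAMPLE_ASSERTION),
        "repo_mapping_rejects_feature": not binding_matches(repo_member, REPO_MAPPING, other_branch),
        "answer_mapping_accepts_main": binding_matches(answer_member, ANSWER_MAPPING, SAMPLE_ASSERTION),
        "answer_mapping_rejects_feature": not binding_matches(answer_member, ANSWER_MAPPING, other_branch),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two things the simulation makes visible. First, google.subject is mandatory in every mapping, which is why the repo maps assertion.sub even though its binding only ever matches on attribute.full; the answer's variant simply folds the repository+ref value into google.subject and binds it with principal://…/subject/ instead of principalSet://…/attribute.full/. Second, because `+` concatenates without a separator, the binding's `${var.gh_repo}${var.gh_branch}` has to be assembled exactly the same way, and a token for any other ref of the same repository fails to match either binding.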