![](/img/trans.png)
[英]AttributeError: 'tuple' object has no attribute 'authorize' - GCP Create Service Account with Workload Identity Federation
[英]Attribute mappings in configuring workload identity federation between GCP and GitHub
鑒於那里的示例仍然太少並且文檔相當晦澀,我正試圖圍繞這個新主題展開思考。
我正在嘗試對這個repo 進行逆向工程。
我想了解的是我們通知 GCP 具有特定屬性(即來自特定組織/存儲庫/分支等)的 OIDC 令牌僅被視為有效的方式。
我注意到 iam 策略定義如下:
data "google_iam_policy" "wli_user_ghshr" {
binding {
role = "roles/iam.workloadIdentityUser"
members = [
"principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",
]
}
}
然后我看到身份池提供者也是這樣聲明的
resource "google_iam_workload_identity_pool_provider" "provider" {
provider = google-beta
project = var.project_id
workload_identity_pool_id = google_iam_workload_identity_pool.gh_pool.workload_identity_pool_id
workload_identity_pool_provider_id = "gh-provider"
attribute_mapping = {
"google.subject" = "assertion.sub"
"attribute.full" = "assertion.repository+assertion.ref"
}
oidc {
allowed_audiences = ["google-wlif"]
issuer_uri = "https://token.actions.githubusercontent.com"
}
}
我的問題如下:
在 iam 政策聲明中執行此行
"principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/attribute.full/${var.gh_repo}${var.gh_branch}",
必須與身份池提供者的attribute_mapping
映射字段中的屬性映射對齊,即
attribute_mapping = {
"google.subject" = "assertion.sub"
"attribute.full" = "assertion.repository+assertion.ref"
}
即是attribute.full
"attribute.full" = "assertion.repository+assertion.ref"
在iam策略的principalSet
的最后一部分體現如下:
attribute.full/${var.gh_repo}${var.gh_branch}"
?
如果是這樣,在attribute_mapping
google.subject
字段中, assertion.sub
的作用是什么? assertion.sub
的值是否必須是特定的?
如果是這樣,這是在哪里說明/反映的?
在來自 repo 的特定示例中,僅使用了attribute.full
。 所以你可以使用:
attribute_mapping = {
"google.subject" = "assertion.repository+assertion.ref"
}
並將服務賬戶的 IAM 策略更改為向身份授予 Workload Identity User 權限:
principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/gh-pool/subject/${var.gh_repo}${var.gh_branch}
希望這會有所幫助,我還制作了第二個視頻來更詳細地解釋這一點: https ://youtu.be/fa9jHNaG4SA
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.