0

Configuring auth to Google Cloud from GitHub Actions includes security considerations that make the seemingly sensible recommendation to bind using GitHub's immutable|unique IDs (owner|repo) rather than names.

Even though Google recommends IDs, its documentation refers to names:

gcloud iam workload-identity-pools providers create-oidc "my-repo" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="github" \
--display-name="My GitHub repo Provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner == '${OWNER}'" \
--issuer-uri="https://token.actions.githubusercontent.com"

I understand how to revise the --attribute-condition to use the IDs but, how do I change the --attribute-mapping to incorporate them?

Naively revising --attribute-mapping values to e.g. attribute.repository_id=assertion.repository_id to match --attribute-condition values assertion.repository_owner_id=="{OWNER_ID}" doesn't work.

I know that the ID claims are included thanks to the GitHub OIDC Debugger:

{
  ...
  "repository": "{OWNER}/{REPO}",
  "repository_id": "{REPO_ID}",
  "repository_owner": "{OWNER}",
  "repository_owner_id": "{OWNER_ID}",
  ...
}
Improve this question
1
  • Looks like you need GITHUB_REPOSITORY_OWNER and GITHUB_REPOSITORY_OWNER_ID env vars for assertion.repository_owner and assertion.repository_owner_id. See the default envrironment variables for the complete list. Commented Sep 21, 2024 at 5:38

2 Answers 2

Reset to default
2

The solution appears to be:

  1. Leaving the --attribute-mapping either unchanged (must contain repository and repository_owner) or adding (repository_id and repository_owner_id)
  2. Using the IDs in --attribute-condition (per the security considerations) and optionally/redundantly (!?) including/retaining the name predicates.

Minimally:

gcloud iam workload-identity-pools providers create-oidc "my-repo" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="github" \
--display-name="My GitHub repo Provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner_id == '${OWNER_ID}' && assertion.repository_id == '${REPO_ID}'" \
--issuer-uri="https://token.actions.githubusercontent.com"
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

In addition to Azeem’s comment, you also need to make sure that single quotes are preserved. I believe you had them in the original code block.

Improve this answer

1 Comment

Thanks for the suggestion. The CEL appears to accept double- (") or single-quotes (') without issue.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.