User or condition in common expression language for workload identity federation condition


I am trying to set up a Workload Identity Federation auth in my GCP org.

I want to restrict the access by leveraging attribute_conditions in order for some repos and some branches to have access to the corresponding permissions to be provided by the GCP service accounts. Assuming I want to use 2 repos/branches, what is the syntactically correct way (in terms of CEL) to do this?

 attribute_condition                = "(assertion.sub=='repo:MyOrg/repo1:ref:refs/heads/main|repo:MyOrg/repo2:ref:refs/heads/master')"

The above example, which I have tried, does not seem to work.

1 answer

Answered by svs

The issue is in the way the expected values are chained. I had a similar use case to support multiple repositories and the following format worked.

(assertion.repository=='MyOrg/repo1' && assertion.ref=='refs/heads/main') || (assertion.repository=='MyOrg/repo2' && assertion.ref=='refs/heads/master')

Make sure the attribute mappings are defined for the fields used (assertion.repository and assertion.ref).
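As an added example (not part of the original question or answer), here is a complete Terraform configuration that wires the condition from the answer into a GitHub Actions OIDC provider. The project ID, pool and provider IDs, service account name and repository names are placeholders; the `google_iam_workload_identity_pool_provider` arguments and GitHub's `sub`, `repository` and `ref` token claims are real.

```hcl
# Added example: a Workload Identity Pool and GitHub OIDC provider that only
# accepts tokens for two specific repo/branch pairs. All IDs are placeholders.
resource "google_iam_workload_identity_pool" "github" {
  project                   = "my-gcp-project" # placeholder
  workload_identity_pool_id = "github-pool"    # placeholder
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = "my-gcp-project" # placeholder
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider" # placeholder

  # Map the GitHub OIDC claims the condition and the IAM binding rely on.
  # google.subject is mandatory; the attribute.* entries make the claims
  # usable in principalSet:// members below.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # CEL condition: one parenthesised (repository, ref) clause per allowed
  # pair, joined with ||. A '|' inside a string literal is just a character,
  # so the single-string "repo1...|repo2..." form in the question can never
  # equal a real subject claim.
  attribute_condition = <<-EOT
    (assertion.repository == "MyOrg/repo1" && assertion.ref == "refs/heads/main") ||
    (assertion.repository == "MyOrg/repo2" && assertion.ref == "refs/heads/master")
  EOT

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Service account the workflows will impersonate (placeholder name).
resource "google_service_account" "deployer" {
  project    = "my-gcp-project" # placeholder
  account_id = "gha-deployer"
}

# Second gate: of the tokens the pool accepted, only those whose mapped
# repository attribute is MyOrg/repo1 may impersonate this service account.
resource "google_service_account_iam_member" "repo1" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/MyOrg/repo1"
}
```

The `attribute_condition` decides which external tokens the pool accepts at all, and the `principalSet://...` binding then decides which of those may impersonate a given service account; keeping both layers narrow means a misconfiguration in one does not silently widen access through the other.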