
Add GitHub->GSA federation helper modules. #179

Merged
merged 1 commit into from
Mar 3, 2024

Conversation

@mattmoor (Member) commented Mar 2, 2024

There are two key modules that work in concert:

  1. A provider module, which sets up attribute mappings in a way that we can access interesting claims and do some fuzzy matching,
  2. A service account module, which provisions Google Service Accounts that can be provisioned by providers created with the above.

These rules are intended to encapsulate some of the heroics that folks must currently do with CEL to try and get workflow-level authorization to assume particular GSA's, and give us a stronger "subject" for how these workflows appear as principals in audit logs.
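The pairing the description outlines, shown as an added Terraform illustration rather than the modules from this pull request (whose contents are not reproduced on this page): a Workload Identity Federation provider that maps the GitHub Actions OIDC claims into attributes, and a service account that only a specific workflow may impersonate. Everything named here is assumed: `var.project_id`, the pool and provider ids, `example-org`, `example-repo` and the `deploy.yaml` workflow path are placeholders, and the modules in the PR may use different attribute names.

```hcl
# Added example, not the PR's own modules. Assumes var.project_id is set.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions" # placeholder id
}

# Provider module counterpart: map the OIDC claims we want to authorize on
# into pool attributes so they can be referenced in IAM bindings and CEL.
resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github" # placeholder id

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  # google.subject becomes the principal shown in Cloud Audit Logs; the
  # remaining attributes carry the repository/workflow identity claims.
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.workflow_ref"     = "assertion.job_workflow_ref"
    "attribute.ref"              = "assertion.ref"
  }

  # Coarse gate at the provider: reject tokens from any other org before
  # per-service-account bindings are even consulted. 'example-org' is a placeholder.
  attribute_condition = "assertion.repository_owner == 'example-org'"
}

# Service account module counterpart: the GSA a workflow will assume.
resource "google_service_account" "deployer" {
  project    = var.project_id
  account_id = "gha-deployer" # placeholder
}

# Workflow-level authorization: only the named workflow file on main in the
# named repository may impersonate this GSA. The attribute value is the
# GitHub job_workflow_ref format "<owner>/<repo>/<path>@<ref>" (placeholders).
resource "google_service_account_iam_member" "workflow_can_impersonate" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.workflow_ref/example-org/example-repo/.github/workflows/deploy.yaml@refs/heads/main"
}
```

The binding keys on `attribute.workflow_ref` rather than on the whole repository, which is the "workflow-level authorization" the description refers to: a different workflow in the same repository, or the same workflow on a feature branch, does not match the `principalSet` and cannot impersonate the GSA. Because `google.subject` is mapped from the token's `sub` claim, impersonation events in audit logs identify the calling repository, ref or environment rather than an anonymous pool member.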

@mattmoor force-pushed the actions-gsa branch 2 times, most recently from 6e9abca to 81924dc on March 2, 2024 23:43
There are two key modules that work in concert:
1. A provider module, which sets up attribute mappings in a way that we can access interesting claims and do some fuzzy matching,
2. A service account module, which provisions Google Service Accounts that can be provisioned by providers created with the above.

These rules are intended to encapsulate some of the heroics that folks must currently do with CEL to try and get workflow-level authorization to assume particular GSA's, and give us a stronger "subject" for how these workflows appear
as principals in audit logs.

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
@mattmoor mattmoor merged commit d40357c into chainguard-dev:main Mar 3, 2024
52 checks passed
@mattmoor mattmoor deleted the actions-gsa branch March 3, 2024 20:06