From 5431d4afbae57902a4d11302bc001454622a1640 Mon Sep 17 00:00:00 2001
From: Daniel Brown
Date: Fri, 24 Mar 2023 15:24:13 +0100
Subject: [PATCH] Document admission for all repos of an owner (#279)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I really struggled for several days with this and thankfully I found https://github.com/google-github-actions/auth/issues/77#issuecomment-990371420; big thanks to @sethvargo ❤. As @dobromyslov already said, this should be documented, so I went ahead and added a paragraph for this use case.

---------

Signed-off-by: Daniel Brown
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md index dbc6824d..b8ae3afa 100644 --- a/README.md +++ b/README.md @@ -607,6 +607,14 @@ Terraform module to automate your infrastructure provisioning. See [examples](ht --role="roles/iam.workloadIdentityUser" \ --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}" ``` + + If you want to admit all repos of an owner (user or organization), map on `attribute.repository_owner`: + + ```sh + --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_owner/${OWNER}" + ``` + + For this to work, you need to make sure that `attribute.repository_owner` is mapped in your attribute mapping (see previous step). Note that `$WORKLOAD_IDENTITY_POOL_ID` should be the **full** Workload Identity Pool resource ID, like:
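Review bot: the new paragraph in the README hunk should spell out how much trust `attribute.repository_owner` widens. The `--member` shown one step earlier admits workflows from a single repository, whereas `principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_owner/${OWNER}` grants `roles/iam.workloadIdentityUser` to workflows from every repository under that user or organization, including repositories that do not exist yet, so anyone who can run a workflow in any of the owner's repositories can obtain the credential. A one-sentence warning to that effect belongs next to the snippet. Two smaller documentation points on the same lines: the `sh` block shows only a `--member` flag, so say explicitly that it replaces the `--member` flag of the command shown above rather than being a complete command, and define `${OWNER}` (the GitHub user or organization login) the way `${REPO}` is used in the surrounding text. "see previous step" for the attribute-mapping requirement would also read better as an explicit statement of the mapping entry that has to be present, so a reader who skipped the earlier step knows what to add.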