@seanyeh seanyeh commented Sep 19, 2025

We're not setting the audience correctly if escEnvOrg is set in config. They need to always match.

@seanyeh seanyeh requested a review from a team September 19, 2025 16:40
@seanyeh seanyeh marked this pull request as ready for review September 19, 2025 16:41
@seanyeh seanyeh requested a review from jkodroff as a code owner September 19, 2025 16:41

@jkodroff jkodroff left a comment

Nice catch.

nyobe commented Sep 19, 2025

For my own education, in what cases would someone want to set escEnvOrg? Won't ESC always set the audience to the Pulumi org the ESC environment resides in?

Edit: ohh, escEnvOrg drives which org the environment is actually deployed into, derp.

seanyeh commented Sep 19, 2025

@nyobe Someone can set it if they want to create an environment in a specific org. But we're always setting audience to the default org (which could be different). This fix makes it so that it uses the same org for both.

@seanyeh seanyeh enabled auto-merge September 19, 2025 16:47

const oidcProvider = new gcp.iam.WorkloadIdentityPoolProvider(`identity-pool-provider`, {
workloadIdentityPoolId: identityPool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: `pulumi-cloud-${pulumi.getOrganization()}-oidc`,
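
Review bot: `workloadIdentityPoolProviderId` still interpolates `pulumi.getOrganization()`, so when escEnvOrg is set in config the provider ID names the default org while the audience this PR fixes follows escEnvOrg. Use the same org value here that the audience uses, resolved once and reused, so the provider ID and the audience cannot drift apart.
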
Member

Should this also be escEnvOrg?

Contributor Author

Yup, nice catch.

@seanyeh seanyeh merged commit 82681f2 into master Sep 20, 2025
78 of 80 checks passed
@seanyeh seanyeh deleted the syeh/fix-audience-gcp-oidc branch September 20, 2025 02:04