Merge ec7d015 into 0ac580c

docs/security/open-id-connect-aws.md

@@ -9,7 +9,7 @@ Description: Use OpenID Connect within your pipelines to authenticate with Amazo
 Open ID Connect allows your pipelines to access resources in Amazon Web Services (AWS) without
 the need to store long-lived access credentials in secrets.
 
-In this guide, you will learn how to configure Google Cloud Workload Identity Provider to trust
+In this guide, you will learn how to configure AWS IAM Provider to trust
 Semaphore OIDC as a federated identity and then to access cloud resources from your Semaphore
 Pipelines.
 
@@ -24,23 +24,26 @@ Configure AWS to support OpenID Connect by creating an IAM OIDC identity provide
 and an IAM role that trusts the provider.
 See [Creating OpenID Connect (OIDC) identity providers][aws-docs].
 
-- For the provider, set the full URL to your organization. Example: `https://acme.semaphoreci.com`.
-- For the audience, set the full URL to your organization. Example: `https://acme.semaphoreci.com`.`
+- For the provider, set the full URL to your organization. Example: `https://{org-name}.semaphoreci.com`.
+- For the audience, set the full URL to your organization. Example: `https://{org-name}.semaphoreci.com`.`
 
 ### Step 2 - Configuring a role and trust policy
 
 Configuring a role and trust policy that you will use to access resources on AWS.
 Follow the documentation on AWS about [Creating a role for web identity or OIDC][create-role].
 
-Edit the trust policy to restrict which projects and which branches are able to access
-the resources with this role:
+Modify the trust policy below to specify which projects and branches can access the resources assigned to this role. Use the `StringEquals` condition to define a specific project and branch, while the `StringLike` condition allows for the inclusion of multiple branches:
 
 ``` json
 "Condition": {
   "StringEquals": {
-    "acme.semaphoreci.com:aud": "https://acme.semaphoreci.com/",
-    "acme.semaphoreci.com:sub": "org:acme:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/main"
-  }
+    "{org-name}.semaphoreci.com:aud": "https://{org-name}.semaphoreci.com",
+    "{org-name}.semaphoreci.com:sub": "org:{org-name}:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/main"
+  },
+  "StringLike": {
+    "{org-name}.semaphoreci.com:sub":
+    "org:{org-name}:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/*",
+},
 }
 ```
 

docs/security/open-id-connect-vault.md

@@ -27,7 +27,7 @@ vault auth enable jwt
 ```
 
 ``` bash
-export ORG_URL="" # the full url to your organization, exaple: https://acme.semaphoreci.com
+export ORG_URL="" # the full url to your organization, exaple: https://{org-name}.semaphoreci.com
 
 vault write auth/jwt/config bound_issuer="$ORG_URL" oidc_discovery_url="$ORG_URL"
 ```

docs/security/open-id-connect.md

@@ -36,15 +36,15 @@ The injected environment variable is a [JWT][jwt] token signed by Semaphore and
 following claims:
 
 #### iss
-The issuer of the token. The full URL of the organization. Example: `https://test-orgnization.semaphoreci.com`.
+The issuer of the token. The full URL of the organization. Example: `https://{org-name}.semaphoreci.com`.
 
 #### aud
-The intended audience of the token. The full URL of the organization. Example: `https://test-orgnization.semaphoreci.com`.
+The intended audience of the token. The full URL of the organization. Example: `https://{org-name}.semaphoreci.com`.
 
 #### sub
 The subject of the token. A combination of org, project, repository, and git reference for which this token was issued.
 Template: `org:{org-name}:project:{project-id}:repo:{repo-name}:ref_type:{branch or pr or tag}:ref:{git_reference}`.
-Example: `org:acme:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/main`.
+Example: `org:{org-name}:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/main`.
 
 #### exp
 The UNIX timestamp when the token expires. Example: `1660317851`.
@@ -89,7 +89,7 @@ A token with the above claims is exported into jobs as the  `SEMAPHORE_OIDC_TOKE
 which can then be presented to the cloud provider as an authorization token.
 
 If the cloud provider is configured to accept OIDC tokens, it will receive the token, verify its
-signature by connecting back to `{org}.semaphoreci.com/.well-known/jwts`, and if the token is
+signature by connecting back to `{org-name}.semaphoreci.com/.well-known/jwts`, and if the token is
 valid, it will respond with a short-lived token for this specific job that can be used to
 fetch and modify cloud resources.