Use client-only WIF runner grants
This commit is contained in:
parent
e7c0442a12
commit
51f34c9a64
3 changed files with 5 additions and 6 deletions
|
|
@ -17,9 +17,8 @@ It may manage:
|
|||
- a non-exportable software KMS signing key for Sparkle Ed25519 appcast
|
||||
signatures (`sparkle-ed25519`)
|
||||
- an Authentik-backed WIF pool/provider for Forgejo runners
|
||||
- the runner service account and its narrow IAM bindings for the
|
||||
`burrow-automation` group and the Authentik WIF client ID
|
||||
`google-wif.burrow.net`
|
||||
- the runner service account and its narrow IAM binding for the Authentik WIF
|
||||
client ID `google-wif.burrow.net`; human/group grants are opt-in
|
||||
|
||||
It must not manage:
|
||||
|
||||
|
|
|
|||
|
|
@ -11,5 +11,5 @@ manage_google_runner_service_account = false
|
|||
|
||||
google_wif_issuer_uri = "https://auth.burrow.net/application/o/google-cloud/"
|
||||
google_wif_allowed_audiences = ["google-wif.burrow.net"]
|
||||
google_wif_runner_group = "burrow-automation"
|
||||
google_wif_runner_group = ""
|
||||
google_wif_runner_client_id = "google-wif.burrow.net"
|
||||
|
|
|
|||
|
|
@ -177,9 +177,9 @@ variable "google_wif_allowed_audiences" {
|
|||
}
|
||||
|
||||
variable "google_wif_runner_group" {
|
||||
description = "Mapped Authentik group allowed to assume the runner service account. Empty allows the whole pool."
|
||||
description = "Mapped Authentik group allowed to assume the runner service account. Leave empty for machine-to-machine client credentials."
|
||||
type = string
|
||||
default = "burrow-automation"
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "google_wif_runner_client_id" {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue