diff --git a/infra/identity/README.md b/infra/identity/README.md index e370095..cad3fdb 100644 --- a/infra/identity/README.md +++ b/infra/identity/README.md @@ -18,7 +18,7 @@ It may manage: signatures (`sparkle-ed25519`) - an Authentik-backed WIF pool/provider for Forgejo runners - the runner service account and its narrow IAM binding for the Authentik WIF - client ID `google-wif.burrow.net`; human/group grants are opt-in + audience/client value `google-wif.burrow.net`; human/group grants are opt-in It must not manage: diff --git a/infra/identity/google.tf b/infra/identity/google.tf index 8f20ea0..a429401 100644 --- a/infra/identity/google.tf +++ b/infra/identity/google.tf @@ -142,7 +142,7 @@ resource "google_iam_workload_identity_pool_provider" "forgejo_runners" { "attribute.burrow_subject" = "assertion.sub" "attribute.burrow_username" = "assertion.preferred_username" "attribute.burrow_email" = "assertion.email" - "attribute.burrow_client_id" = "assertion.azp" + "attribute.burrow_client_id" = "assertion.aud" } attribute_condition = var.google_wif_attribute_condition diff --git a/infra/identity/variables.tf b/infra/identity/variables.tf index 53889b6..68fad72 100644 --- a/infra/identity/variables.tf +++ b/infra/identity/variables.tf @@ -183,7 +183,7 @@ variable "google_wif_runner_group" { } variable "google_wif_runner_client_id" { - description = "Mapped Authentik OIDC client ID allowed to assume the runner service account for machine-to-machine CI. Empty disables this grant." + description = "Mapped Authentik OIDC audience/client value allowed to assume the runner service account for machine-to-machine CI. Empty disables this grant." type = string default = "google-wif.burrow.net" }