Map WIF runner client from audience
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m1s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Build Site / Next.js Build (push) Failing after 5s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 14:15:59 -07:00
parent 5276b57c4d
commit 65809da33a
3 changed files with 3 additions and 3 deletions

View file

@ -18,7 +18,7 @@ It may manage:
signatures (`sparkle-ed25519`)
- an Authentik-backed WIF pool/provider for Forgejo runners
- the runner service account and its narrow IAM binding for the Authentik WIF
client ID `google-wif.burrow.net`; human/group grants are opt-in
audience/client value `google-wif.burrow.net`; human/group grants are opt-in
It must not manage:

View file

@ -142,7 +142,7 @@ resource "google_iam_workload_identity_pool_provider" "forgejo_runners" {
"attribute.burrow_subject" = "assertion.sub"
"attribute.burrow_username" = "assertion.preferred_username"
"attribute.burrow_email" = "assertion.email"
"attribute.burrow_client_id" = "assertion.azp"
"attribute.burrow_client_id" = "assertion.aud"
}
attribute_condition = var.google_wif_attribute_condition

View file

@ -183,7 +183,7 @@ variable "google_wif_runner_group" {
}
variable "google_wif_runner_client_id" {
description = "Mapped Authentik OIDC client ID allowed to assume the runner service account for machine-to-machine CI. Empty disables this grant."
description = "Mapped Authentik OIDC audience/client value allowed to assume the runner service account for machine-to-machine CI. Empty disables this grant."
type = string
default = "google-wif.burrow.net"
}