Configuring auth to Google Cloud from GitHub Actions includes security considerations that make the seemingly sensible recommendation to bind using GitHub's immutable|unique IDs (owner|repo) rather than names.
Even though Google recommends IDs, its documentation refers to names:
```shell
gcloud iam workload-identity-pools providers create-oidc "my-repo" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="github" \
--display-name="My GitHub repo Provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner == '${OWNER}'" \
--issuer-uri="https://token.actions.githubusercontent.com"
```
I understand how to revise the --attribute-condition to use the IDs, but how do I change the --attribute-mapping to incorporate them?

Naively revising --attribute-mapping values to e.g. attribute.repository_id=assertion.repository_id to match --attribute-condition values assertion.repository_owner_id=="{OWNER_ID}" doesn't work.
I know that the ID claims are included thanks to the GitHub OIDC Debugger:
```json
{
...
"repository": "{OWNER}/{REPO}",
"repository_id": "{REPO_ID}",
"repository_owner": "{OWNER}",
"repository_owner_id": "{OWNER_ID}",
...
}
```
The solution appears to be:

- --attribute-mapping: either unchanged (must contain repository and repository_owner) or adding (repository_id and repository_owner_id)
- --attribute-condition (per the security considerations), optionally/redundantly (!?) including/retaining the name predicates.

Minimally:
```shell
gcloud iam workload-identity-pools providers create-oidc "my-repo" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="github" \
--display-name="My GitHub repo Provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner_id == '${OWNER_ID}' && assertion.repository_id == '${REPO_ID}'" \
--issuer-uri="https://token.actions.githubusercontent.com"
```
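To see why the ID predicates are the ones doing the work, here is an added example (not from the question, the answer, or Google's tooling) that builds the condition string in the form used above and evaluates that string-equality subset of CEL against constructed token claims modelled on the OIDC Debugger output; the names and IDs are placeholders.

```python
import re

# Constructed sample claims modelled on the GitHub OIDC Debugger output above
# (placeholder names and IDs, not real ones).
SAMPLE_CLAIMS = {
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "actor": "octocat",
    "repository": "example-org/example-repo",
    "repository_id": "123456789",
    "repository_owner": "example-org",
    "repository_owner_id": "987654321",
}

# One clause of the form: assertion.<claim> == '<value>'
_CLAUSE = re.compile(r"^assertion\.([A-Za-z_]+)\s*==\s*'([^']*)'$")


def id_condition(owner_id: str, repo_id: str) -> str:
    """Build the --attribute-condition string in the form used in the answer.
    The IDs are quoted because the token carries them as strings."""
    return (f"assertion.repository_owner_id == '{owner_id}' && "
            f"assertion.repository_id == '{repo_id}'")


def condition_holds(condition: str, claims: dict) -> bool:
    """Evaluate a condition made of '&&'-joined string-equality clauses against
    decoded token claims. Only this subset of CEL is handled; anything else
    raises so that a typo cannot silently pass."""
    for clause in condition.split("&&"):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        claim, expected = m.groups()
        if claims.get(claim) != expected:
            return False
    return True


def main():
    cond = id_condition("987654321", "123456789")
    print(cond)
    print(condition_holds(cond, SAMPLE_CLAIMS))  # True
    # Same names but a different repository ID: a name-only predicate would
    # still pass, the ID predicate does not.
    recreated = dict(SAMPLE_CLAIMS, repository_id="555555555")
    print(condition_holds(cond, recreated))  # False


if __name__ == "__main__":
    main()
```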