hi guys, can anyone help me with the way to configure attribute mapping? I want to validate repository and branch. I got the issue The caller does not have permission when I use attribute custom. If i use googe.subject it is pass. i follow this one
My provider:
gcloud iam workload-identity-pools providers create-oidc "my-provider" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="my-pool" \
--display-name="Demo provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.ref=assertion.ref" \
--issuer-uri="https://token.actions.githubusercontent.com"
My serviceAccount apply attribute custom:
gcloud iam service-accounts add-iam-policy-binding "[email protected]${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/attribute.repository/my-org/my-repo/attribute.ref/refs/heads/main"
My serviceAccount apply google subject:
gcloud iam service-accounts add-iam-policy-binding "[email protected]${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principal://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/subject/repo:my-org/my-repo:ref:refs/heads/main"
| Owner Name | google-github-actions |
| Repo Name | auth |
| Full Name | google-github-actions/auth |
| Language | TypeScript |
| Created Date | 2021-09-16 |
| Updated Date | 2023-03-24 |
| Star Count | 573 |
| Watcher Count | 16 |
| Fork Count | 116 |
| Issue Count | 3 |
| Issue Title | Created Date | Updated Date |
|---|