Include how to interoperate with the iam.workloadIdentityPoolProviders org policy constraint

This issue has been tracked since 2023-01-23.

TL;DR

https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers discusses how to restrict which workload identity pool providers may be permitted, but doesn't go into a detailed example for when it's GitHub.

Detailed design

No response

Additional information

Please enhance https://github.com/google-github-actions/auth#setting-up-workload-identity-federation to also discuss what needs to be set for the iam.workloadIdentityPoolProviders organization policy constraint.

github-actions[bot] wrote this answer on 2023-01-25

Hi there @andrewpollock 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

andrewpollock wrote this answer on 2023-01-25
ianlewis wrote this answer on 2023-01-25

I assume this is something like

gcloud resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \
     https://token.actions.githubusercontent.com --organization=ORGANIZATION_NUMBER
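
A check for the policy ianlewis describes, added here as an example that is not part of the google-github-actions/auth project: it reads the JSON printed by `gcloud resource-manager org-policies describe constraints/iam.workloadIdentityPoolProviders --organization=ORGANIZATION_NUMBER --effective --format=json` (assumed to be the v1 Policy shape with a `listPolicy` of `allowedValues`, `deniedValues` and `allValues`) and reports whether the GitHub Actions issuer is permitted before a provider is created. The function names and the embedded sample policy are constructed for the example.

```python
"""Evaluate an effective iam.workloadIdentityPoolProviders org policy
against the GitHub Actions OIDC issuer. Added example; the JSON shape
(v1 Policy with `listPolicy`) is an assumption about gcloud's output."""
import json
import sys

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
CONSTRAINT = "constraints/iam.workloadIdentityPoolProviders"


def issuer_allowed(policy: dict, issuer: str = GITHUB_ISSUER) -> bool:
    """Return True if `issuer` passes the list constraint in `policy`.

    Evaluation order (assumed list-constraint semantics): an explicit deny
    wins, then an explicit allow, then the allValues default. A policy
    with no listPolicy at all leaves the constraint unenforced.
    """
    if policy.get("constraint") not in (None, CONSTRAINT):
        raise ValueError(f"unexpected constraint: {policy.get('constraint')}")
    lp = policy.get("listPolicy")
    if lp is None:
        return True
    if issuer in lp.get("deniedValues", []):
        return False
    if issuer in lp.get("allowedValues", []):
        return True
    all_values = lp.get("allValues", "ALL_VALUES_UNSPECIFIED")
    if all_values == "ALLOW":
        return True
    if all_values == "DENY":
        return False
    # Unspecified default: an allow list that omits the issuer blocks it;
    # a deny list that omits it lets it through.
    return not lp.get("allowedValues")


def check_policy_json(text: str, issuer: str = GITHUB_ISSUER) -> bool:
    """Parse gcloud's JSON output and evaluate it for `issuer`."""
    return issuer_allowed(json.loads(text), issuer)


# Constructed sample: the policy the gcloud command above would produce.
SAMPLE_ALLOW_GITHUB = json.dumps(
    {"constraint": CONSTRAINT, "listPolicy": {"allowedValues": [GITHUB_ISSUER]}}
)

if __name__ == "__main__":
    # Pipe `gcloud ... describe --effective --format=json` in, or run with
    # no piped stdin to evaluate the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALLOW_GITHUB
    ok = check_policy_json(text)
    print(f"{GITHUB_ISSUER}: {'allowed' if ok else 'BLOCKED'} by {CONSTRAINT}")
    sys.exit(0 if ok else 1)
```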

sethvargo wrote this answer on 2023-01-25

#258 as a little blurb. We don't intend to be a replacement for the Google Cloud documentation though, and this is a somewhat advanced use case. I would recommend filing an internal docs bug as well.

andrewpollock wrote this answer on 2023-01-25

Cheers, I've pinged you on the corresponding internal docs bug as an FYI.

More Details About Repo

Owner Name: google-github-actions
Repo Name: auth
Full Name: google-github-actions/auth
Language: TypeScript
Created Date: 2021-09-16
Updated Date: 2023-03-24
Star Count: 573
Watcher Count: 16
Fork Count: 116
Issue Count: 3
