Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update oidc blogpost to use the new action #11858

Merged
merged 3 commits into from
May 20, 2024
Merged

Update oidc blogpost to use the new action #11858

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
daa12c0
Update oidc blogpost to use the new action
glena May 18, 2024
8b66d22
Add link to GKE
glena May 20, 2024
c45aa11
Update text
glena May 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 7 additions & 19 deletions content/blog/oidc-trust-relationships/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,11 +71,11 @@ In this demo, we are going to use Github Actions to retrieve Pulumi credentials
3. Add a policy to allow OIDC and configure the sub and audience for your organization and repositories. In the demo, we are using:

<!-- markdownlint-disable no-bare-urls -->
* **Aud**: https://github.com/***organization***
* **Aud**: urn:pulumi:org:***organization***

* **Sub**: repo:***organization***/***repo***:*
<!-- markdownlint-enable no-bare-urls -->
4. Create a GitHub action. Here is a sample code. Make sure to substitute the `aud` claim with your organization's name in the `fetch pulumi token` step.
4. Create a GitHub action. Here is a sample code. Make sure to substitute your organization in the `pulumi/auth-actions` organization parameter.

<!-- markdownlint-disable code-block-style -->
```yaml
Expand All @@ -102,23 +102,10 @@ jobs:
- name: Install deps
run: yarn

- name: fetch gh token
run: |
OIDC_GH_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value')
echo "OIDC_GH_TOKEN=$OIDC_GH_TOKEN" >> $GITHUB_ENV

- name: fetch pulumi token
run: |
PULUMI_ACCESS_TOKEN=$(curl -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'audience=urn:pulumi:org:arun-test' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
-d 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
-d 'requested_token_type=urn:pulumi:token-type:access_token:organization' \
-d 'subject_token=${{ env.OIDC_GH_TOKEN }}' \
https://api.pulumi.com/api/oauth/token | jq -r '.access_token')
echo "::add-mask::$PULUMI_ACCESS_TOKEN"
echo "PULUMI_ACCESS_TOKEN=$PULUMI_ACCESS_TOKEN" >> $GITHUB_ENV
- uses: pulumi/auth-actions@v1
with:
organization: organization
requested-token-type: urn:pulumi:token-type:access_token:organization

- name: Login to Pulumi
run: pulumi login
Expand All @@ -137,3 +124,4 @@ jobs:

* [OIDC Trust Relationships overview](/docs/pulumi-cloud/oidc/client/)
* [Configuring OIDC for Github](/docs/pulumi-cloud/oidc/client/github/)
* [Configuring OpenID Connect for Google Kubernetes Engine](/docs/pulumi-cloud/oidc/client/kubernetes-gke/)
Loading