Docs: Subject exceeds the 127 byte limit mitigation strategy #423
Comments
|
Hi there @reakaleek 👋! Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps. |
|
Sure, but that same value ( |
|
@sethvargo thank you for the feedback. Would you mind explaining why a reduced subject granularity is not advised? Context: Due to the quirks of AWS OIDC authentication, we had to modify the sub claim for the GH repository to include more attributes. So, do you think it's okay to shorten the I want to understand the implications of this and if I should reconsider my approach. |
|
The subject ( |
TL;DR
The troubleshooting guide suggests that you can only use shorter repo or branch names to overcome the 127-byte limit issue.
But you can also adjust the attribute mapping and shorten the subject.
Detailed design
You can overcome the 127 byte limit by shortening the
google.subjectin the attribute mapping.gcloud iam workload-identity-pools providers create-oidc "my-repo" \ --project="${PROJECT_ID}" \ --location="global" \ --workload-identity-pool="github" \ --display-name="My GitHub repo Provider" \ - --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \ + --attribute-mapping="google.subject=assertion.sub.split(':')[1],attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \ --attribute-condition="assertion.repository_owner == '${GITHUB_ORG}'" \ --issuer-uri="https://token.actions.githubusercontent.com"Hence, in cases where the sub claim is
repo:<orgName/repoName>:pull_requestit will be change to<orgName/repoName>, which will shorten thegoogle.subjectto some degree.Update documentation accordingly.
Additional information
No response
The text was updated successfully, but these errors were encountered: