What is the permission scope of id-token in GitHub Actions?

What does id-token mean in the example below, and what is it used for?

jobs:
  job_id:
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v0'

    - name: 'Use gcloud CLI'
      run: 'gcloud info'

The example is from setup-gcloud.

I tried looking at doc1 and doc2, but I couldn't find any useful information.

Can you give me some hints/advice?

id-token is used together with OpenID Connect.

The permission needs to be set to write in order to request an OpenID Connect JWT token, as described in the docs.

Although the example you shared is from setup-gcloud, the part of your workflow that actually needs it is the google-github-actions/auth action. In there, you want to look at the sections on "Workload Identity Federation". More docs are also available on GCP directly: https://cloud.google.com/iam/docs/workload-identity-federation
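The following is an added illustration, not part of the answer above and not code from google-github-actions/auth. It shows what the id-token permission actually buys a job: the ability to mint a short-lived OIDC JWT whose claims (iss, aud, sub, repository, ref) a cloud provider then checks before exchanging it for cloud credentials. The token here is constructed locally so the script runs offline; a real token is RS256-signed by GitHub and must be verified against the issuer's public keys, which the cloud provider does. The audience string is an assumption built from the pool and provider named in the question, and evaluate_trust is a simplified stand-in for the provider-side attribute condition, not GCP's implementation.

```python
import base64
import fnmatch
import json
import time

# Issuer of every GitHub Actions OIDC token (real value, from GitHub's OIDC docs).
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Inside a job that has `id-token: write`, GitHub populates two environment
# variables and a step can fetch the JWT with (real env var names):
#   curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
#        "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=<audience>"
# Without that permission the variables are absent and no token can be minted.

# Assumed audience: the provider resource name from the question's workflow.
EXPECTED_AUDIENCE = (
    "https://iam.googleapis.com/projects/123456789/locations/global/"
    "workloadIdentityPools/my-pool/providers/my-provider"
)

# Constructed sample claims in the shape GitHub issues (repo/ref names are made up).
SAMPLE_CLAIMS = {
    "iss": GITHUB_OIDC_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "repo:my-org/my-repo:ref:refs/heads/main",
    "repository": "my-org/my-repo",
    "ref": "refs/heads/main",
    "iat": 1_700_000_000,
    "exp": 1_700_000_000 + 600,
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature, purely for inspection.
    A real token carries a signature that must be verified; this one must not
    be trusted for anything, which is exactly why evaluate_trust never runs
    without the provider having verified the signature first."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-sample"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def evaluate_trust(claims: dict, expected_audience: str, allowed_subjects: list, now: int = None) -> tuple:
    """Simplified provider-side check: issuer, audience, expiry and a subject
    allow-list. The subject is what pins the token to a repository and ref;
    if the allow-list is loose, any workflow in the org can assume the identity."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    subject = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(subject, pattern) for pattern in allowed_subjects):
        return False, f"subject {subject!r} not allowed"
    return True, "ok"


if __name__ == "__main__":
    claims = jwt_claims(make_sample_token(SAMPLE_CLAIMS))
    print(json.dumps(claims, indent=2))
    # Pin to one branch of one repository; a pull_request token would carry a
    # different sub (repo:...:pull_request) and be rejected here.
    print(evaluate_trust(claims, EXPECTED_AUDIENCE,
                         ["repo:my-org/my-repo:ref:refs/heads/main"], now=1_700_000_000))
```

The design point is that `id-token: write` itself grants nothing on the cloud side: the token only asserts who the workflow is. What actually limits access is the provider's condition on aud and sub, so keep the subject allow-list as narrow as the deployment needs (a specific repository and ref rather than an org-wide wildcard).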