Include context name in the OpenID Connect token subject claim
Helio Machado
Including the CircleCI context names in the OpenID Connect standard subject claim would allow users to establish more granular trust conditions, i.e. only authorize jobs that use a specific context.
Currently, CircleCI OpenID Connect tokens include an additional claim (oidc.circleci.com/context-ids) with this information, but AWS only supports conditions based on standard claims.
GitHub Actions, for example, includes the name of the environment as part of the subject claim. On the other hand, GitLab CI/CD doesn't.
Example of the desired subject claim format:
org/<organization-id>/project/<project-id>/user/<user-id>/context/<context-name>
Not sure about the best way of specifying multiple contexts, though.
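To make the request concrete, here is an added example (not code from CircleCI, AWS or the poster) that models the only thing an AWS IAM trust policy can do with an OIDC token: apply StringEquals / StringLike conditions to standard claims such as aud and sub. It assumes the subject layout proposed above (org/<org-id>/project/<project-id>/user/<user-id>/context/<context-name>), a hypothetical condition-key prefix of the form oidc.circleci.com/org/<org-id>, and constructed organization, project and user identifiers; it shows that a context segment in sub lets a wildcard pattern pin a role to one context, while the same information carried only in the custom context-ids claim gives the policy nothing to match on.

```python
import re

# All identifiers below are constructed for this example.
ORG_ID = "11111111-2222-3333-4444-555555555555"
# Assumed IAM condition-key prefix for a CircleCI OIDC provider; the real key name
# depends on the provider URL registered in IAM and is an assumption here.
KEY_PREFIX = f"oidc.circleci.com/org/{ORG_ID}"

# Trust-policy Condition block in the shape IAM uses: allow only jobs that ran
# with the "deploy-prod" context, in any project of this organization.
TRUST_CONDITION = {
    "StringEquals": {f"{KEY_PREFIX}:aud": ORG_ID},
    "StringLike": {
        f"{KEY_PREFIX}:sub": f"org/{ORG_ID}/project/*/user/*/context/deploy-prod",
    },
}


def parse_subject(sub: str) -> dict:
    """Split a 'k/v/k/v' subject into a dict, rejecting malformed or repeated segments."""
    parts = sub.split("/")
    if len(parts) % 2 or "" in parts:
        raise ValueError(f"malformed subject: {sub!r}")
    keys, values = parts[0::2], parts[1::2]
    if len(set(keys)) != len(keys):
        # A value containing '/' (e.g. a context named 'x/user/y') would smuggle
        # extra segments in; refuse rather than let a later key overwrite an earlier one.
        raise ValueError(f"repeated segment key in subject: {sub!r}")
    return dict(zip(keys, values))


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run, '?' one char, rest literal, whole string."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate_condition(condition: dict, claims: dict) -> bool:
    """Every operator/key must hold; a key with a list of values passes if any value matches."""
    for operator, entries in condition.items():
        for key, expected in entries.items():
            claim = key.rsplit(":", 1)[1]          # "...:sub" -> "sub"
            actual = claims.get(claim)
            if not isinstance(actual, str):        # missing or non-string claim never matches
                return False
            candidates = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                matched = actual in candidates
            elif operator == "StringLike":
                matched = any(string_like(p, actual) for p in candidates)
            else:
                raise ValueError(f"unsupported operator {operator!r}")
            if not matched:
                return False
    return True


def token_allowed(claims: dict) -> bool:
    return evaluate_condition(TRUST_CONDITION, claims)


def make_claims(sub: str, contexts: list) -> dict:
    """Constructed token payload: standard claims plus the custom context-ids claim."""
    return {
        "iss": f"https://oidc.circleci.com/org/{ORG_ID}",
        "aud": ORG_ID,
        "sub": sub,
        "oidc.circleci.com/context-ids": contexts,
    }


BASE = f"org/{ORG_ID}/project/0000-proj/user/0000-user"
PROD_TOKEN = make_claims(f"{BASE}/context/deploy-prod", ["ctx-prod"])
STAGING_TOKEN = make_claims(f"{BASE}/context/deploy-staging", ["ctx-staging"])
# Subject without a context segment: the custom context-ids claim alone gives the
# standard-claim condition nothing to key on, so this token is refused.
CONTEXTLESS_TOKEN = make_claims(BASE, ["ctx-prod"])

if __name__ == "__main__":
    for name, tok in [("prod", PROD_TOKEN), ("staging", STAGING_TOKEN), ("no-context", CONTEXTLESS_TOKEN)]:
        print(f"{name:11s} allowed={token_allowed(tok)}  sub={tok['sub']}")
```

Two practical points the evaluator makes visible: the match is against the whole sub string, so the pattern must end in the literal context name rather than a trailing wildcard, and a context name containing "/" could be confused with extra segments, which is why parse_subject refuses repeated keys.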
Oran Wilder
Contexts are no longer a required aspect of using OIDC tokens. We recommend using the OIDC v2 token which has a richer data set available in the subject claim. https://circleci.com/docs/openid-connect-tokens/#google-cloud-platform
Helio Machado
Update: now GitHub allows users to customize the structure of the sub claim by means of an API call.
Nathan Fish
Helio Machado We are looking at adding branch, tag, and repo_url in the available claims. Would this give you the necessary information you need to be more granular in your use case? A custom AWS policy is possible via additional setup in Cognito Identity pools. It's a bit more work and we don't have a tutorial on how to accomplish that yet.
Helio Machado
Nathan Fish, to my mind, being able to specify context[s] would be preferable over branches or tags, but it's a good start. I'll take a look at Cognito, but I'm not aware of any way of filtering federated identity requests by claims other than the standard ones.
Nathan Fish
We are looking into adding additional claims.