OIDC auth to GCP - additional claims / attribute mapping

Hi Folks!

Over the last couple of days I was trying to implement OIDC authentication for our CircleCI workloads.

After reading the documentation about the new OIDC token I realized that the additional claims are incompatible with Google's attribute mapping representation. Using oidc.circleci.com/project-id as an assertion (assertion.oidc.circleci.com/project-id) results in an error complaining that the format is not valid.

I would like to know why the keys for the additional claims are formatted as they are and how it will be possible to map them accordingly in order to use them as a scope for the PrincipalSet in the Service Account Mappings.
If the additional claims were keyed as project_id and context_ids everything would be fine :confused:

Best regards,
n3ph


Turns out I was not seeing the wood for the trees.
The required notation is assertion['oidc.circleci.com/project-id']. This is working with gcloud as well as with Terraform.

Thanks to @aaronclark!
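As an added illustration (not code from either post), a Terraform workload identity pool provider that uses the bracket notation from the reply above, and a binding that scopes a service account to one CircleCI project via the mapped attribute. The resource names, the `ORG_ID` and `PROJECT_ID` placeholders, and the `circleci-deploy` service account are assumptions:

```hcl
# Added example, not from the thread. ORG_ID / PROJECT_ID are placeholders.
resource "google_iam_workload_identity_pool" "circleci" {
  workload_identity_pool_id = "circleci-pool"
}

resource "google_iam_workload_identity_pool_provider" "circleci" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.circleci.workload_identity_pool_id
  workload_identity_pool_provider_id = "circleci-provider"

  oidc {
    # Placeholder: replace ORG_ID with the CircleCI organization id.
    issuer_uri = "https://oidc.circleci.com/org/ORG_ID"
  }

  # Claim names containing dots and slashes must be indexed with brackets;
  # the dotted form assertion.oidc.circleci.com/project-id is rejected.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.project_id" = "assertion['oidc.circleci.com/project-id']"
  }

  # Reject tokens from any other CircleCI project before they can federate.
  attribute_condition = "assertion['oidc.circleci.com/project-id'] == 'PROJECT_ID'"
}

resource "google_service_account" "deploy" {
  account_id = "circleci-deploy"
}

# Only workloads carrying the mapped project_id may impersonate the account.
resource "google_service_account_iam_member" "circleci_wif" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.circleci.name}/attribute.project_id/PROJECT_ID"
}
```

The attribute_condition and the principalSet member together mean a token that lacks the project-id claim, or carries a different value, is refused at both the exchange and the impersonation step.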
