OIDC auth to GCP - additonal claims / attribute mapping

Hi Folks!

Over the last couple of days I was trying to implement OIDC authentication for our CircleCI workloads.

After reading the documentation about the new OIDC token I realized the additional claims to be incompatible with googles attribute mapping representation. Using oidc.circleci.com/project-id as an assertion (assertion.oidc.circleci.com/project-id) results in an error complaining about the format not being valid.

I would like to know why the keys for the additional claims are formatted as they are and how it will be possible to map them accordingly in order to use them as a scope for the PrincipalSet in the Service Account Mappings.
If the additional claims would be keyed as project_id and context_ids everything would be fine :confused:

Best regards,

1 Like

Turns out I was not seeing the wood for the trees.
The required notation is assertion['oidc.circleci.com/project-id'] . This is working with gcloud as well as with Terraform.

Thanks to @aaronclark!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.