0

I am trying to set up a Workload Identity Federation auth in my GCP org.

I want to restrict the access by leveraging attribute_conditions in order for some repos and some branches to have access to the corresponding permissions to be provided by the GCP service accounts. Assuming I want to use 2 repos/branches, what is the syntactically correct way (in terms of CEL) to do this?

 attribute_condition                = "(assertion.sub=='repo:MyOrg/repo1:ref:refs/heads/main|repo:MyOrg/repo2:ref:refs/heads/master')"

The above example which i have tried does not seem to work.

pkaramol
  • 16,451
  • 43
  • 149
  • 324

1 Answers1

0

The issue is in the way the expected values are chained. I had a similar use case to support multiple repositories and the following format worked.

(assertion.repository=='MyOrg/repo1' && assertion.ref=='refs/heads/main') || (assertion.repository=='MyOrg/repo2' && assertion.ref=='refs/heads/master')

Make sure the attribute mappings are defined for the fields used ( assertion.repository and assertion.ref)

svs
  • 23
  • 5