Additional metadata in context OIDC tokens
complete
Calvin Huang
It would be nice to have additional metadata, such as branches or workflow names in the context token. Our application for this is we have separate workflows for different packages in a monorepo, and we would like to be able to gate access to different sets of cloud permissions based on the branch or workflow that is being executed.
Oran Wilder
complete
Several requests have been addressed with our latest updates. The subject claim has been updated in our v2 token with enhanced vcs data for more granular permissions. We've also added a separate claim to both v1 and v2 tokens indicating SSH rerun or not. https://circleci.com/docs/openid-connect-tokens/#format-of-the-openid-connect-id-token
Nathan Fish
in progress
[Unknown]
It would also be nice to know via a claim in the OIDC token whether the current build is running with SSH enabled.
I would like to be able to grant sensitive permissions to write certain artifacts (e.g., container images) based on the commit ID, but this also relies on my ability to trust that the code running in the CI job is actually from the commit ID that it's purporting to be.
If my build is running a "trusted" commit but someone has used "Rerun Job with SSH" to inject malicious code, I don't want that job to have any permissions in my artifact store.
Related issue to restrict SSH to admin only: https://circleci.canny.io/cloud-feature-requests/p/limit-ssh-access-to-admins
[Unknown]
The commit SHA would be very useful for me as well.
Pietro Albini
Thanks Nathan Fish! Any chance the commit SHA will also be included in the metadata? For example, that'd allow creating an AWS policy to only allow uploading to s3://my-bucket/${sha}, preventing a build from overriding another build's artifacts.
Nathan Fish
planned
Branch, Tag, Author, and Repo URL will be added soon.
Nick Gates
The respective VCS project would also be very useful to have.
One alternative to embedding all of these as additional claims would be to grant minimal read-only perms for the project API when using the OIDC token.
Glen Mailer
I would really like to get access to at least branch, so that when setting up the trust relationships at the AWS end, I can limit credentials to only the branches where I've got branch protection enabled. This would give me a lot more flexibility in applying controls than the existing contexts system.
Pietro Albini
It would also be extremely useful for us to include the commit SHA in the JWT token, as that'd allow our tooling to better understand what's being built.
Nathan Fish
under review
We are evaluating adding additional claims to the JWT token.