
I have created an OAuth server and defined a custom scope and claims in the configuration. On the access token (JWT), I see the scope is being defined as

"scp": [
    "default_google_scope"
]

I am trying to set up an integration between OIDC and the GCP workload identity configuration using this tutorial:

I am not following what the format for attribute mapping and conditions should be.

Workload identity configs

  • Can you share what setup and expected outcome you have for this? These docs might help you regarding [Attribute mappings](https://cloud.google.com/iam/docs/workload-identity-federation#mapping) – JaysonM Dec 21 '21 at 07:01
  • Do you want a mapping or a condition? As a mapping, you must tell Google Cloud where to find the email in the source token. Then you can accept the token under conditions. – guillaume blaquiere Dec 21 '21 at 09:28
  • Adding more context on the setup. What I am trying to do: access a file on a GCS bucket using a Python application. As part of the setup: 1- I have an OAuth server in Okta with a claim and scope defined; 2- I have Workload Identity Federation set up with Okta as the OIDC provider (from step 1); 3- I have set up the right IAM policy, service accounts, etc., as specified in the original post. I understand Google tokens and Okta tokens need to be checked for validity, and attribute mapping and conditions can help to do the same. I am struggling to follow the documentation and apply it to my use case. – PiaklA Dec 23 '21 at 15:17
  • @guillaumeblaquiere The part I am struggling with is the syntax that I should use for mapping and conditions. This is more of a POC, so even if I assume there is no condition, what will my mapping then be based on? My claims and scope? And if my access token spits out the token with the scope "default_gcp_scope", what should my mapping condition be? – PiaklA Dec 23 '21 at 15:27
  • You don't have a scope because you haven't exchanged an access token; it's only based on the Identity Token (JWT). It's JSON, and you need, at least, to map the token's email principal to google.subject. You can add other mappings if relevant. The conditions are the same: you can have custom claims in your JWT, and the conditions are there to check whether the claims (custom or not) are OK or KO. – guillaume blaquiere Dec 23 '21 at 15:57
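For the format question raised in the comments, here is an added example that is not part of the question or of any comment: the gcloud commands that create the pool and the Okta OIDC provider, the attribute mapping written in the shape the last comment describes (claims from the Okta JWT mapped onto google.subject and a custom attribute), a CEL attribute condition, the IAM binding that lets only mapped identities impersonate the service account, and the credential configuration the Python application would load. Project number, pool and provider names, issuer URI, domain and service account are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the question or its comments): gcloud commands that set up
# an Okta OIDC provider in a GCP workload identity pool, with the attribute mapping
# and condition spelled out. All ids, URIs and names below are placeholders.
set -eu

PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"                     # placeholder
POOL_ID="${POOL_ID:-okta-pool}"                                       # assumed pool name
PROVIDER_ID="${PROVIDER_ID:-okta-oidc}"                               # assumed provider name
ISSUER_URI="${ISSUER_URI:-https://example.okta.com/oauth2/default}"   # placeholder issuer
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-gcs-reader@my-project.iam.gserviceaccount.com}"  # placeholder

# Pin the token's "aud" claim. Google's default accepted audience is the provider's
# own resource name; passing it explicitly makes the requirement visible.
AUDIENCE="https://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}"

# Mapping format: comma-separated "target=CEL expression" pairs. "assertion" is the
# decoded JWT payload. google.subject is mandatory; attribute.* names are your own.
ATTRIBUTE_MAPPING="google.subject=assertion.sub,attribute.email=assertion.email"

# Condition format: one CEL boolean over the same "assertion" object. A token for
# which it is false is rejected at the STS exchange, before any IAM check runs.
# This one accepts only users of a single (placeholder) domain. If you exchange an
# access token carrying the "scp" array from the question, the same syntax is
#   'default_google_scope' in assertion.scp
ATTRIBUTE_CONDITION="assertion.email.endsWith('@example.com')"

create_pool_and_provider() {
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --location="global" \
    --display-name="Okta pool"

  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --location="global" \
    --workload-identity-pool="$POOL_ID" \
    --issuer-uri="$ISSUER_URI" \
    --allowed-audiences="$AUDIENCE" \
    --attribute-mapping="$ATTRIBUTE_MAPPING" \
    --attribute-condition="$ATTRIBUTE_CONDITION"
}

# Allow only tokens whose mapped attribute.email equals the placeholder value to
# impersonate the service account; attribute.email here is the mapping target above.
bind_service_account() {
  gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT" \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/attribute.email/alice@example.com"
}

# Write the credential configuration the Python client libraries read through
# GOOGLE_APPLICATION_CREDENTIALS. The source file holds the raw Okta JWT.
write_credential_config() {
  gcloud iam workload-identity-pools create-cred-config \
    "projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}" \
    --service-account="$SERVICE_ACCOUNT" \
    --credential-source-file="/var/run/okta/id_token" \
    --output-file="okta-wif-credentials.json"
}

# Only call gcloud when explicitly asked; otherwise the script just defines the setup.
case "${1:-}" in
  --apply) create_pool_and_provider; bind_service_account; write_credential_config ;;
esac
```

Run it with `--apply` to execute the gcloud calls; without the flag it only defines them, so the mapping and condition can be reviewed first. The usual pattern is a broad mapping (sub onto google.subject, plus whichever claims you want to bind IAM policy on) and a tight condition, because the condition is what keeps every other user of the same Okta issuer from exchanging a token against your pool.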
