Enable Dynamic JWT and Access Token Generation for OIDC Connectors in Pipelines
long-term
Ginger orange Raccoon
When using OIDC in Harness, we need the ability to dynamically generate and retrieve JWT or access tokens for a configured OIDC account during pipeline execution. This functionality is essential for securely integrating with external systems such as GCP, where tokens are required for authentication in runtime steps.
Example Use Cases:
- GCP CLI Integration: We need to pass the access token as an environment variable (CLOUDSDK_AUTH_ACCESS_TOKEN) to run GCP commands within pipeline steps.
- Database DevOps with Liquibase: Our Liquibase-based templates for managing GCP Cloud Spanner databases rely on Google Workload Identity Federation. This requires a JWT to be written to a file and referenced in a dynamically created JSON key file.
Current Workaround:
We’ve implemented a custom secret manager to request JWTs or access tokens based on the Harness context. However, this approach requires creating multiple connectors across every org and project to enforce correct claim usage (e.g., org/project identifiers), which is not scalable or maintainable.
Proposed Solution:
Introduce a built-in capability to generate JWTs or access tokens “on the fly” using a simple expression syntax. For example:
<+secrets.getJWT("the_identifier_of_an_oidc_based_connector")>
<+secrets.getGCPAccessToken("the_identifier_of_an_oidc_based_connector")>
These expressions should resolve tokens dynamically based on the current pipeline context.
Expected Claims in Token:
The generated token should include all enhanced claims based on the execution context. For example, during a CI stage, the generated token should include claims such as account_id, organization_id, project_id, pipeline_id, and connector_id, while other claims may be set to null. In contrast, during a deployment stage, the token should additionally populate claims like environment_id, service_id, and any other relevant entities. Essentially, the token should dynamically reflect all known entities from the enhanced OIDC claims stack already available within the Harness execution context, ensuring accurate and context-aware authentication.
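As an added illustration of the Liquibase/Workload Identity Federation use case and of the stage-dependent claims described above (this is example code, not Harness's implementation): a step helper that decodes the context claims of a JWT obtained from the proposed expression, checks that they match the running pipeline's context (with claims the stage leaves unset expected as null), writes the token to a 0600 file and emits the external_account credential config that references it. The WIF audience, file names and the HS256 test-token helper are constructed for this example; signature verification is left to Google STS at token exchange.

```python
import base64, hashlib, hmac, json, os, time

# Assumed placeholder audience; take the real one from your Workload Identity Pool provider.
WIF_AUDIENCE = ("//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
                "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID")

def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS. This does NOT verify the signature;
    Google STS verifies it when the token is exchanged. Pre-flight checks only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def claims_match_context(claims: dict, expected: dict, now=None) -> bool:
    """True if the token is unexpired and every expected context claim matches.
    Claims the stage leaves unset (e.g. environment_id in CI) are expected as None."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return False
    return all(claims.get(k) == v for k, v in expected.items())

def write_wif_credentials(token: str, workdir: str, expected: dict) -> str:
    """Write the JWT to a mode-0600 file and an external_account config pointing at it.
    Returns the config path, to be exported as GOOGLE_APPLICATION_CREDENTIALS."""
    if not claims_match_context(decode_jwt_claims(token), expected):
        raise PermissionError("JWT claims do not match this pipeline's context")
    jwt_path = os.path.join(workdir, "harness-oidc.jwt")
    cfg_path = os.path.join(workdir, "wif-credentials.json")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    with open(os.open(jwt_path, flags, 0o600), "w") as f:
        f.write(token)
    config = {
        "type": "external_account",
        "audience": WIF_AUDIENCE,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {"file": jwt_path},
    }
    with open(os.open(cfg_path, flags, 0o600), "w") as f:
        json.dump(config, f, indent=2)
    return cfg_path

def make_test_jwt(claims: dict, key: bytes = b"constructed-test-key") -> str:
    """Constructed HS256 token for offline tests only; real tokens come from the OIDC issuer."""
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = b64(json.dumps({"alg": "HS256"}).encode()) + "." + b64(json.dumps(claims).encode())
    return signing_input + "." + b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
```

In a step, the `expected` dict is filled from the stage's own context (account, org, project, pipeline, and for a deployment stage environment and service), so a token minted for a different project is rejected before any file is written.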
Benefits:
- Eliminates the need for redundant connector creation across orgs/projects.
- Simplifies token management and improves security posture.
- Enables scalable, context-aware authentication for external integrations.
Shylaja Sundararajan