Pipeline scoped OIDC enhanced subject
complete
Ginger Wildebeest
In order to adhere to the principle of least privilege, we would like to see an extension of the currently supported Enhanced Subject feature (as it pertains to OIDC authentication) to include the execution environment details, i.e., the pipeline ID.
Today, project level resources look like:
account/<account_id>:org/<organization_id>:project/<project_id>
An extension of this would be:
account/<account_id>:org/<organization_id>:project/<project_id>:pipeline/<pipeline_id>
Alternatively, if extending custom parameters is more appropriate that is also fine as long as the goal of least privilege can be achieved.
Rohan Gupta
complete
FF: CDS_ENABLE_PIPELINE_SCOPED_OIDC_SUB
Delegate Version: 845xx
NOTE FOR AWS:
If you already use our AWS OIDC Auth option, you will need to update your policies after enabling the flag. This will now pass the pipeline id in the payload.
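The following is an added example, not code from the original thread or from the vendor: it parses the colon-separated enhanced subject shown in the request and evaluates it against scoped allow conditions, to show why a policy that matched the old project-level subject exactly stops matching once the pipeline segment is appended, and how a pipeline-scoped pattern narrows access compared with a project-wide one. The subject format is taken from the request above; the account, org, project and pipeline IDs are constructed sample values, the `StringEquals`/`StringLike` operator names follow the common trust-policy vocabulary, and the all-conditions-must-hold evaluation is this example's simplified semantics, not a claim about any particular provider.

```python
import fnmatch

# Constructed sample subjects; the IDs are made up for this example.
PROJECT_SUB = "account/acct123:org/default:project/payments"
PIPELINE_SUB = PROJECT_SUB + ":pipeline/deploy_prod"

# Scopes every enhanced subject must carry (from the format in the request).
REQUIRED_SCOPES = ("account", "org", "project")


def parse_subject(sub):
    """Split 'account/x:org/y:project/z[:pipeline/p]' into {scope: value}.

    Rejects malformed segments, duplicate scopes and subjects that lack
    any of the required scopes, so a token with an unexpected 'sub' shape
    fails closed instead of being pattern-matched.
    """
    scopes = {}
    for segment in sub.split(":"):
        kind, sep, value = segment.partition("/")
        if not sep or not kind or not value:
            raise ValueError(f"malformed segment {segment!r} in subject")
        if kind in scopes:
            raise ValueError(f"duplicate scope {kind!r} in subject")
        scopes[kind] = value
    missing = [k for k in REQUIRED_SCOPES if k not in scopes]
    if missing:
        raise ValueError(f"subject missing required scopes {missing}")
    return scopes


def condition_matches(sub, operator, pattern):
    """Evaluate one condition on the raw subject string.

    StringEquals is an exact comparison; StringLike is case-sensitive
    glob matching where '*' may span ':' and '/' as well.
    """
    if operator == "StringEquals":
        return sub == pattern
    if operator == "StringLike":
        return fnmatch.fnmatchcase(sub, pattern)
    raise ValueError(f"unsupported operator {operator!r}")


def subject_allowed(sub, conditions):
    """Return True only if the subject is well-formed and every condition holds.

    'conditions' is a list of (operator, pattern) pairs that are ANDed
    together (simplified semantics for this example).
    """
    parse_subject(sub)  # fail closed on anything that is not an enhanced subject
    return all(condition_matches(sub, op, pat) for op, pat in conditions)


def main():
    # A policy written before the flag: exact match on the project-level subject.
    legacy_policy = [("StringEquals", PROJECT_SUB)]
    print("legacy policy, old subject:", subject_allowed(PROJECT_SUB, legacy_policy))
    print("legacy policy, new subject:", subject_allowed(PIPELINE_SUB, legacy_policy))

    # Project-wide after the flag: any pipeline in the project.
    project_wide = [("StringLike", PROJECT_SUB + ":pipeline/*")]
    print("project-wide, new subject:  ", subject_allowed(PIPELINE_SUB, project_wide))

    # Least privilege: only the one pipeline that should assume this role.
    one_pipeline = [("StringEquals", PIPELINE_SUB)]
    other = PROJECT_SUB + ":pipeline/nightly_tests"
    print("pipeline-scoped, own pipeline:  ", subject_allowed(PIPELINE_SUB, one_pipeline))
    print("pipeline-scoped, other pipeline:", subject_allowed(other, one_pipeline))


if __name__ == "__main__":
    main()
```

The first two lines of output show the migration caveat from the note above: an exact match on the project-level subject is true before the flag and false afterwards. The project-wide `StringLike` pattern restores the old breadth of access, while the last pair shows that an exact match on the pipeline-scoped subject admits one pipeline and rejects a sibling pipeline in the same project.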
This post was marked as in progress
Rohan Gupta
long-term
Rohan Gupta
This is on our roadmap for OIDC, adding the companies to the request.