
Commit 3dcc7d4

committed
a
1 parent 9e0ea07 commit 3dcc7d4


1 file changed

+12
-8
lines changed


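--- a/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
+++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
@@ -86,13 +86,17 @@ poolId=$(gcloud iam workload-identity-pools describe $poolName \
 --location global \
 --format='get(name)')
 
-gcloud iam workload-identity-pools providers create-oidc $poolName \
---project="${projectId}" \
+gcloud iam workload-identity-pools providers create-oidc "$poolName" \
+--project="$projectId" \
 --location="global" \
 --workload-identity-pool="$poolName" \
---display-name="Demo provider" \
---attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
---issuer-uri="https://token.actions.githubusercontent.com"
+--display-name="CTF provider" \
+--issuer-uri="https://token.actions.githubusercontent.com" \
+--attribute-mapping="google.subject=assertion.sub,\
+attribute.actor=assertion.actor,\
+attribute.repository=assertion.repository,\
+attribute.aud=assertion.aud" \
+--attribute-condition="assertion.repository_owner!=''"
 
 providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
 --location global \
@@ -136,9 +140,9 @@ jobs:
 uses: "google-github-actions/[email protected]"
 with:
 create_credentials_file: "true"
-workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used
-service_account: "${saId}" # instead of the alphanumeric project ID. ex:
-activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
+workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used instead of the alphanumeric project ID. ex: projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
+service_account: "${saId}" # <sa-name>@<proj-id>.iam.gserviceaccount.com
+activate_credentials_file: true
 - id: "gcloud"
 name: "gcloud"
 run: |-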
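Review bot: The new `--attribute-condition="assertion.repository_owner!=''"` in the first hunk does not actually restrict who can federate, because every GitHub Actions OIDC token carries a non-empty `repository_owner`, so any repository on GitHub satisfies it and can exchange a token against this provider. If the loose condition is deliberate for the CTF lab, a one-line comment above the flag saying so (and that a real deployment should pin the owner or repository, e.g. `assertion.repository_owner=='<your-org>'` or `assertion.repository=='<your-org>/<your-repo>'`) would stop readers from copying it as a safe default; the hunk already maps `attribute.repository`, which is exactly what such a condition would use. Separately, the commit quotes `"$poolName"` on the `create-oidc` line but leaves `$poolName` unquoted in the context `providers describe $poolName \` line just below (and in the `describe` call in the `@@` header), so the quoting is now inconsistent within the same snippet; the enclosing shell block starts before this hunk.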
