docs/guides/modules/permissions-authentication/pages/openid-connect-tokens.adoc
Lines changed: 5 additions & 5 deletions
@@ -174,7 +174,7 @@ You can take advantage of the format of the claims in CircleCI's <<format-of-the
174
174
[#limit-role-access-based-on-project]
175
175
==== Limit role access based on project
176
176
177
-
If certain projects should only be able to access certain AWS resources, you can restrict your IAM role so that only CircleCI jobs in a specific project can assume that role.
177
+
If a projects should only be able to access certain AWS resources, you can restrict your IAM role so that only CircleCI jobs in that project can assume that role.
178
178
179
179
To do this, edit your IAM role's trust policy so that only an OIDC token from your chosen project can assume that role. The trust policy determines under what conditions the role can be assumed.
180
180
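Review bot: The added sentence at new line 177 reads "If a projects should only be able to access certain AWS resources", which pairs a singular article with a plural noun; it should be "If a project should only be able to access certain AWS resources". The rest of the rewrite ("in that project") already uses the singular and agrees with "your chosen project" in the next paragraph, so only the noun needs changing.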
@@ -220,10 +220,10 @@ You can also restrict access to specific branches. The following is an example o
220
220
[#google-cloud-platform]
221
221
== Google Cloud Platform
222
222
223
-
The following instructions cover the following:
223
+
The following instructions cover:
224
224
225
-
* A one-time configuration of your GCP settings to trust CircleCI's OIDC tokens
226
-
* Running a job that uses the OIDC token to interact with GCP
225
+
* A one-time configuration of your GCP settings to trust CircleCI's OIDC tokens.
226
+
* Running a job that uses the OIDC token to interact with GCP.
227
227
228
228
TIP: The Google Cloud CLI reads your configuration file, which contains necessary information instructing Google Cloud to authenticate. You can read about external identity providers on https://cloud.google.com/iam/docs/configuring-workload-identity-federation#oidc[Google Cloud's docs].
229
229
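Review bot: The two bullets at new lines 225-226 now end in periods, but both are fragments completing the lead-in "The following instructions cover:", and they are not parallel: the first is a noun phrase ("A one-time configuration of your GCP settings ...") and the second a gerund ("Running a job that uses the OIDC token ..."). If terminal punctuation on list items is the house style, reword both to the same form, for example "Configuring your GCP settings once to trust CircleCI's OIDC tokens." and "Running a job that uses the OIDC token to interact with GCP."; otherwise leave the fragments unpunctuated.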
@@ -250,7 +250,7 @@ The default OpenID Connect ID tokens issued by CircleCI have a fixed audience (s
250
250
251
251
GCP Workload Identity Federation is a feature that allows you to use CircleCI's OIDC tokens to authenticate with GCP. Using Workload Identity Federation allows applications outside Google Cloud to access Google Cloud resources without the need for storing service account credentials. Instead, you can use Identity and Access Management (IAM) to grant access to specific Google Cloud resources.
252
252
253
-
In the GCP web UI, follow these steps to add CircleCI as an external identity provider:
253
+
In the GCP web UI, follow the steps to add CircleCI as an external identity provider:
254
254
255
255
. Navigate to the **IAM & Admin panel**.
256
256
. On the side panel, navigate to **Workload Identity Federation**.
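Review bot: At new line 253, "follow the steps to add CircleCI as an external identity provider:" drops the demonstrative that tied the sentence to the numbered list directly beneath it, so "the steps" no longer says which steps are meant. Suggest "complete the following steps to add CircleCI as an external identity provider:" or keeping the original "these steps".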