brash-gigabyte-81569 (04/16/2024, 7:20 PM):
brash-gigabyte-81569 (04/16/2024, 7:44 PM):
red-match-15116 (04/16/2024, 9:41 PM):
red-match-15116 (04/16/2024, 9:43 PM):

plain-diamond-92898 (04/16/2024, 9:56 PM):
a. If you use the pulumi.user.login and/or pulumi.organization.login subject attributes, you can ensure the subject claims are consistent across Pulumi IaC operations (pulumi up/refresh/destroy) and esc commands (like esc open, esc run). Example subject claims based on your definition:
   i. pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}
   ii. pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}:pulumi.user.login:{USER_LOGIN}
b. If you use the currentEnvironment.name and rootEnvironment.name subject attributes with Pulumi IaC operations, you will still have the subject as pulumi:environments:org:contoso:env:<yaml>. However, for esc commands, you will have the subject as per your definition (for example: pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}:currentEnvironment.name:<CURRENT_ENVIRONMENT_NAME>).

plain-diamond-92898 (04/16/2024, 9:58 PM):
brash-gigabyte-81569 (04/16/2024, 9:58 PM):

red-match-15116 (04/16/2024, 9:59 PM):
> I think there is still a tricky issue if I understand correctly. As these are both user-controlled fields
They are not, these values are provided by the environment.

brash-gigabyte-81569 (04/16/2024, 10:00 PM):
brash-gigabyte-81569 (04/16/2024, 10:01 PM):
brash-gigabyte-81569 (04/16/2024, 10:03 PM):
plain-diamond-92898 (04/16/2024, 10:05 PM):
red-match-15116 (04/16/2024, 10:06 PM):
brash-gigabyte-81569 (04/16/2024, 10:07 PM):
brash-gigabyte-81569 (04/16/2024, 10:09 PM):

plain-diamond-92898 (04/16/2024, 10:10 PM):
> Ok, I think I have the same issue with trying to lock it down though, since it will be <yaml> regardless of the env it is.
Yeah, if you are thinking of locking down using env name when using IaC, then it gets tricky.

brash-gigabyte-81569 (04/16/2024, 10:10 PM):
brash-gigabyte-81569 (04/16/2024, 10:14 PM):
brash-gigabyte-81569 (04/16/2024, 10:16 PM):
red-match-15116 (04/16/2024, 10:16 PM):

able-market-62580 (04/17/2024, 12:11 PM):
The currentEnvironment.name and rootEnvironment.name subject attributes will resolve to a proper name when used from a stored environment:
• current env is the name of the environment using the provider
• root env is the name of the "rootest" environment (the one being imported from IaC)
Using the example of the issue, you can create a new prod_keys environment:

```yaml
values:
  azure:
    login:
      fn::open::azure-login:
        subjectAttributes:
          - currentEnvironment.name
        clientId: your-client-id
        tenantId: your-tenant-id
        subscriptionId: your-subscription-id # without the `/subscriptions/` prefix
        oidc: true
```

able-market-62580 (04/17/2024, 12:13 PM):
```yaml
imports:
  - prod_keys
```

able-market-62580 (04/17/2024, 12:16 PM):
pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}:currentEnvironment.name:prod_keys

able-market-62580 (04/17/2024, 12:18 PM):