# esc
g
We’re trying to set up OIDC Auth for our GitHub actions. How can I restrict the OIDC config to only allow a given repo to access a specific ESC env? It appears that the default setup outlined in the docs gives your repo god-mode access to the org. I’d like to give repo X edit access to a single environment. I presume some kind of pattern for `aud` would do it but can’t find docs on what that pattern would be
r
It's the `sub` that you'll want to customize to something like `repo:{org}/{repo}/*`
g
my question’s the other way around - the issue isn’t that the token isn’t scoped to one github repo (it is), but that it has access to all environments
I suppose I could make a team token, I figured the out of the box experience (org tokens) wouldn’t be god mode only but maybe that’s the case
r
ah! yeah to limit the access of the token you'll want to create a team token. we're working on making this more granular, look out for that in the next few months, but currently the only way to restrict access to specific environments is using a team or personal token that only has access to the given environments
g
roger that thx
hey @red-match-15116 - little follow up here. we’ve got a GHA that looks like this:
name: update-esc-image-digest
inputs:
  digest:
    required: true
  esc-env-name:
    required: true
runs:
  using: "composite"
  steps:
    - name: Authenticate with Pulumi Cloud
      uses: pulumi/auth-actions@v1
      with:
        organization: <org>
        requested-token-type: urn:pulumi:token-type:access_token:team
        scope: team:<teamname>
    - uses: pulumi/esc-action@v1
    - name: Update ESC env digest
      shell: bash
      run: |
        esc env set ${{inputs.esc-env-name}} latestImageDigest ${{ inputs.digest }}
When this runs in our workflow, it looks correct (from GHA logs):
Run esc env set org/project/env latestImageDigest <digest>
  esc env set org/project/env latestImageDigest <digest>
But we get this error:
Error: getting environment definition: [404] Not Found: Environment '<env name without org/project>' not found
When I copy paste the command logged by the runner and run it locally:
esc env set org/project/env latestImageDigest <digest>
it works, including if I log out of ESC and log in with an access token for the same team that we’re OIDCing into in this action. Any idea what’s going wrong here?
r
And just to clarify, are you passing in the env name without the org and project? You should pass in `org/proj/env`
g
yes we do (in the parent workflow that calls this action) we are passing in the env name with org/project/env - the example from our logs is how it’s run, but weirdly the error only mentions the env
will DM you the full logs just in case there’s anything obvious hiding in there
f
just chiming in here this is a great question to ask and could be an area of improvement in the documentation for both a) restricting access to the oidc config, and b) GitHub Actions authentication with ESC. I would love to see an example of a working `update-esc-image-digest` or see it added to https://github.com/pulumi/examples