# general
w
Hey, I'm having some trouble configuring OIDC authentication with Pulumi cloud from our Github Actions pipeline. I've followed the documentation and am on the step to configure the OIDC Authorization policy but I don't have the option to use organisation token types. Any ideas?
m
Do you still only have two options when you change "Decision" to "Allow"?
f
Is your organization subscribed to Teams? You need Enterprise or Business Critical to have Organization Tokens. You may still use a Team token; I'll see about updating the docs here. You'll also want to ensure you provided the correct `requested-token-type` of `team` when using it in the GH action.
w
Hi @modern-zebra-45309, yeah, sad panda, I still only have 2 options when I change the Decision to Allow.
Hi @future-hairdresser-70637, I did also mean to ask about Team tokens. I believe we are on a Team license, but I can't create a Team because they're marked as an Enterprise feature.
f
hang on a sec, let me do some internal checking here
šŸ™ 1
šŸ™Œ 1
Ok @wide-smartphone-71947, thanks for asking about this! We recently made some changes around Team and tokens and I wanted to confirm what the actual vs expected behavior is here.
• The Team edition recently gained Organization tokens.
• For Team, the OIDC token type should have `Organization` as a valid option. That will become available soon!
• Teams still only has one implicit team (that's the way I think about it: all members are part of a single "team"), so not having access to Teams is correct.
w
Thanks @future-hairdresser-70637 this is starting to make sense, so one last question. What's the name of the implicit team that my GHA can use when authenticating with Pulumi cloud?
f
hm, it might work as your organization's name, but I'd have to try it, and that will soon not be necessary. I'd recommend using the org token as soon as you can instead.
There wouldn't be a way to manage any sort of implicit Team token anyhow.
w
I meant in the context of the OIDC authorization policy. The GHA would be creating short-lived team tokens for the duration of the pipeline. I'll leave it for now and wait for the org tokens to be made available. Any chance you have an ETA on that change?
f
yeah, sorry, multitasking here. If you can, I'd wait for you to be able to specify an Org token (not access token, apologies).
Ah, here we go:
• `requested_token_type`:
  ◦ Org token: `urn:pulumi:token-type:access_token:organization`
  ◦ Team token (scope is required): `urn:pulumi:token-type:access_token:team`
  ◦ Personal token (scope is required): `urn:pulumi:token-type:access_token:personal`
• `scope`: a single scope will be supported initially and used, when asking for a team or personal token, to define what team/user it should be assigned to. Format: `team:{TEAM_NAME}` (for example: `team:OPS_AUTOMATIONS`) or `user:{USER_LOGIN}` (for example: `user:djohn`).
The provider-specific OIDC instructions are very focused on Org tokens at the moment.
I believe `team:<your org name>` might work.
w
I'll give it a test but I think we can wait until org tokens are available.
f
That would be ideal 👍
w
Just for the docs:
```
Error: Invalid response from token exchange 401: Unauthorized (access_denied: policy authorization error: Team tokens are not supported for non enterprise organizations)
```
Team tokens aren't supported for non-enterprise users. I'll keep an eye out for the org tokens update. Thanks for your time today @future-hairdresser-70637
šŸ™ 1
f
Hey @wide-smartphone-71947, you should see the `team` token type now!