diff --git a/content/docs/pulumi-cloud/access-management/oidc/_index.md b/content/docs/pulumi-cloud/access-management/oidc/_index.md deleted file mode 100644 index a6d21c58f554..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/_index.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title_tag: OpenID Connect -meta_desc: This page provides an overview of how Pulumi can integrate with OIDC providers -title: OpenID -h1: OpenID Connect Provider integration -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: OpenID - parent: pulumi-cloud-access-management - weight: 4 - identifier: pulumi-cloud-access-management-oidc -aliases: -- /docs/pulumi-cloud/oidc/ ---- - -Pulumi supports OpenID Connect (OIDC) integration across various services by leveraging signed, short-lived tokens and eliminating the necessity for hardcoded cloud provider credentials and facilitates the exchange of these tokens for short-term credentials. - -## Overview - -There are two ways Pulumi can integrate using OpenID Connect. Pulumi can operate as an [OIDC provider](/docs/pulumi-cloud/oidc/provider/) issuing signed, short-lived tokens that can be exchanged by short-term credentials from your cloud provider; or as an [OIDC client](/docs/pulumi-cloud/oidc/client/) accepting OIDC tokens issued by a trusted OIDC provider to be exchanged for short-lived Pulumi access tokens. - -## Solving the Secret Zero problem - -When teams adopt Pulumi, securely managing authentication is the cornerstone of a strong security posture. One approach is to integrate Pulumi with a cloud or CI/CD provider using a long-term access token, but this introduces the "secret zero" problem and potential security risks. These credentials are often set once and forgotten, making them vulnerable if rotation is needed or if they become compromised. - -The best practice for securing Pulumi and provider authentication is to use OIDC, which replaces static credentials with short-term digitally signed identity tokens issued by the cloud provider. This approach eliminates the need for long-lived secrets by establishing a trust relationship using public-key cryptography. - -An OIDC token represents an application's or workload's identity in a cloud environment—often called a workload identity. It includes claims such as the application's name, which a service provider can use to grant access to resources based on best-practice security policies. diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/aws.md b/content/docs/pulumi-cloud/access-management/oidc/provider/aws.md deleted file mode 100644 index f32c0189294e..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/aws.md +++ /dev/null @@ -1,207 +0,0 @@ ---- -title_tag: Configure OpenID Connect for AWS | OIDC -meta_desc: This page describes how to configure OIDC token exchange in AWS for use with Pulumi Cloud -title: AWS -h1: Configuring OpenID Connect for AWS -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: AWS - parent: pulumi-cloud-access-management-oidc-provider - weight: 1 - identifier: pulumi-cloud-access-management-oidc-provider-aws -aliases: -- /docs/guides/oidc/provider/aws -- /docs/intro/deployments/oidc/provider/aws/ -- /docs/pulumi-cloud/deployments/oidc/provider/aws/ -- /docs/pulumi-cloud/oidc/provider/aws/ -- /docs/pulumi-cloud/oidc/aws/ ---- - -This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with AWS. OIDC in AWS uses a web identity provider to assume an IAM role. Access to the IAM role is authorized using a trust policy that validates the contents of the OIDC token issued by the Pulumi Cloud. - -## Create the identity provider - -1. In the navigation pane of the [IAM console](https://console.aws.amazon.com/iam/), choose **Identity providers**, and then choose **Add provider**. - {{< video title="Starting the Create Identity Provider wizard" src="https://www.pulumi.com/uploads/create-idp-start.mp4" autoplay="true" loop="true" >}} -2. In the **Provider type** section, click the radio button next to **OpenID Connect**. -3. For the **Provider URL**, provide the following URL: `https://api.pulumi.com/oidc` -4. For the **Audience** field, the value will differ between Pulumi deployments and ESC. For Deployments the value is only the name of your Pulumi organization. For ESC the value is the name of your Pulumi organization prefixed with `aws:` (e.g. `aws:{org}`). Then click **Add provider**. - {{< notes type="info" >}} - For environments in the `default` project, the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments. - {{< /notes >}} - -## Configure the IAM role and trust policy - -Once you have created the identity provider, you will see a notification at the top of your screen prompting you to assign an IAM role. - -1. Click the **Assign role** button. -2. Select the **Create a new role** option, then click **Next**. - {{< video title="Prompt for assigning IAM role" src="https://www.pulumi.com/uploads/assign-iam-role-prompt.mp4" autoplay="true" loop="true" >}} -3. On the IAM **Create role** page, ensure the **Web identity** radio button is selected. -4. In the **Web identity** section: - * Select `api.pulumi.com/oidc` under **Identity provider**. - * Select the name of your Pulumi organization (if using ESC, prefixed with `aws:`) under **Audience**. Then click **Next**. - {{< video title="Create IAM role wizard" src="https://www.pulumi.com/uploads/create-role-wizard.mp4" autoplay="true" loop="true" >}} -5. On the **Add permissions** page, select the permissions that you want to grant to your Pulumi service. Then click **Next**. - {{< notes type="info" >}} - For setting up an AWS Pulumi insights account, you can use the role `ReadOnlyAccess` managed by [aws](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html). - {{< /notes >}} - {{< video title="Adding S3 permissions to IAM role" src="https://www.pulumi.com/uploads/create-role-add-perms.mp4" autoplay="true" loop="true" >}} -6. Provide a name and optional description for the IAM role. Then click **Create role**. - {{< video title="Adding name and description to role then creating it" src="https://www.pulumi.com/uploads/create-role.mp4" autoplay="true" loop="true" >}} - -Make a note of the IAM role's ARN; it will be necessary to enable OIDC for your service. - -For more granular access control, edit the trust policy of your IAM role with [Token claims](/docs/pulumi-cloud/access-management/oidc/provider/#custom-claims) for each service. The `sub` claim can be customized as shown below. - -### Pulumi Deployments - -In the following example, the role may only be assumed by stacks within the `Core` project of the `contoso` organization: - -```json -"Condition": { - "StringEquals": { - "api.pulumi.com/oidc:aud": "contoso" - }, - "StringLike": { - "api.pulumi.com/oidc:sub": "pulumi:deploy:org:contoso:project:Core:*" - } -} -``` - -### Pulumi ESC - -Consider the following ESC definition for `project/development` environment opened by user `personA`: - -```yaml -values: - aws: - login: - fn::open::aws-login: - oidc: - ... - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login -``` - -The OIDC subject claim for this environment would be `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:personA`. The role may only be assumed by `project/development` environment and user `personA` within the `contoso` organization: - -```json -"Condition": { - "StringEquals": { - "api.pulumi.com/oidc:aud": "aws:contoso", - "api.pulumi.com/oidc:sub": "pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:personA" - } -} -``` - -The subject always contains the prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and every key configured will be appended to this prefix. The list of all possible options for `subjectAttributes` are: - -* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other imported environments -* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and `subjectAttributes` are defined -* `pulumi.user.login`: the login identifier of the user opening the environment -* `pulumi.organization.login`: the login identifier of the organization - -When importing multiple environments into Pulumi IaC Stack Config, each environment is resolved separately. For example, if you import multiple environments into your Pulumi Stack with `rootEnvironment.name` attribute defined in all of them, then each `rootEnvironment.name` will resolve to the environment name where it is defined. - -The default format of the subject claim when `subjectAttributes` are not used is `pulumi:environments:org::env:/` - -{{< notes type="warning" >}} - -For environments within the legacy `default` project, the project will **not** be present in the subject to preserve backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is `pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom subject attribute it will resolve to only the environment name (e.g. `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). Due to this it is recommended to move your environments out of the `default` project for best security practices. - -{{< /notes >}} - -{{< notes type="info" >}} - -If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the environment will be `pulumi:environments:org:contoso:env:`. The literal value of `` need to be used and will be the same for all environments. Hence, for best security practices we recommend using `subjectAttributes`. If you want to set environment level or even granular permissions in your trust policy, then we recommend using `subjectAttributes` property. - -{{< /notes >}} - -## Configure OIDC via the Pulumi console - -### Pulumi Deployments - -{{% notes "info" %}} -In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). -{{% /notes %}} - -1. Navigate to your stack in the Pulumi Console. -2. Open the stack's "Settings" tab. -3. Choose the "Deploy" panel. -4. Under the "OpenID Connect" header, toggle "Enable AWS Integration". -5. Enter the ARN of the IAM role to created above in the "Role ARN" field. -6. Enter a name for the assumed role session in the "Session Name" field. -7. If you would like to use additional policies to further constrain the session's capabilities, enter the policies' ARNs separated by commas in the "Policy ARNs" field. -8. If you would like to constrain the duration of the assumed role session, enter a duration in the form "XhYmZs" in the "Session Duration" field. -9. Click the "Save deployment configuration" button. - -With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. - -### Pulumi ESC - -To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure that you have the correct organization selected in the left-hand navigation menu. Then: - -1. Click the **Environments** link. -2. Click the **Create environment** button. -3. Provide a project to create your new environment in and a name for your environment. -4. Click the **Create environment** button. - {{< video title="Creating a new Pulumi ESC environment" src="https://www.pulumi.com/uploads/create-new-environment.mp4" autoplay="true" loop="true" >}} -5. You will be presented with a split-pane editor. Delete the default placeholder content in the editor and replace it with the following code: - - ```yaml - values: - aws: - login: - fn::open::aws-login: - oidc: - duration: 1h - roleArn: - sessionName: pulumi-environments-session - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login - environmentVariables: - AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId} - AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey} - AWS_SESSION_TOKEN: ${aws.login.sessionToken} - ``` - -6. Replace `` with the value from the previous steps. -7. Scroll to the bottom of the page and click **Save**. - -{{< video title="Adding configuration to Pulumi ESC environment" src="https://www.pulumi.com/uploads/add-environment-config.mp4" autoplay="true" loop="true" >}} - -You can validate that your configuration is working by running either of the following: - -* `esc open //` command of the [ESC CLI](/docs/esc-cli/) -* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) - -Make sure to replace ``, ``, and `` with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following: - -```bash -{ - "aws": { - "login": { - "accessKeyId": "ASIA....", - "secretAccessKey": "rtBS....", - "sessionToken": "Fwo...." - } - }, - "environmentVariables": { - "AWS_ACCESS_KEY_ID": "ASIA....", - "AWS_SECRET_ACCESS_KEY": "rtBS....", - "AWS_SESSION_TOKEN": "Fwo...." - } -} -``` - -To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the [relevant Pulumi documentation](/docs/esc/integrations/) - -## Automate OIDC configuration - -Our [Examples](https://github.com/pulumi/examples) repository provides a wide variety of automations using Pulumi Infrastructure as Code (IaC). If you want to automate the configuration and deployment of OIDC between Pulumi and AWS, take a look at the following examples to help you get started: - -* [Configure OIDC for ESC in Pulumi Python](https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider-pulumi-cloud) diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/azure.md b/content/docs/pulumi-cloud/access-management/oidc/provider/azure.md deleted file mode 100644 index cfa40de0c2d7..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/azure.md +++ /dev/null @@ -1,226 +0,0 @@ ---- -title_tag: Configure OpenID Connect for Azure | OIDC -meta_desc: This page describes how to configure OIDC token exchange in Azure for use with Pulumi -title: Azure -h1: Configuring OpenID Connect for Azure -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: Azure - parent: pulumi-cloud-access-management-oidc-provider - weight: 2 - identifier: pulumi-cloud-access-management-oidc-provider-azure -aliases: -- /docs/guides/oidc/provider/azure -- /docs/intro/deployments/oidc/provider/azure/ -- /docs/pulumi-cloud/deployments/oidc/provider/azure/ -- /docs/pulumi-cloud/oidc/provider/azure/ -- /docs/pulumi-cloud/oidc/azure/ ---- - -This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Azure. OIDC in Azure uses [workload identity federation](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation) to access Azure resources via a Microsoft Entra App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by the Pulumi Cloud. - -## Prerequisites - -* You must have access in the Azure Portal to create and configure Microsoft Entra App registrations. - -{{< notes type="warning" >}} -Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the [official Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). -{{< /notes >}} - -## Create a Microsoft Entra application - -In the navigation pane of the [Microsoft Entra console](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview): - -1. Select **App registrations** and then click **New registration**. -2. Provide a name for your application (ex: `pulumi-esc-oidc-app`). -3. In the **Supported account types** section, select **Accounts in this organizational directory only**. -4. Click **Register**. - -After the Microsoft Entra application has been created, take note of the following details: - -* Subscription ID -* Application (client) ID -* Directory (tenant) ID - -These values will be necessary when enabling OIDC for your service. - -## Add federated credentials - -Once you have created your new application registration, you will be redirected to the application's **Overview** page. In the left navigation menu: - -1. Navigate to the **Certificates & secrets** pane. -2. Select the **Federated credentials** tab. -3. Click on the **Add credential** button. This will start the "Add a credential" wizard. -4. In the wizard, select **Other Issuer** as the **Federated credential scenario**. -5. Fill in the remaining form fields as follows: - * **Issuer:** `https://api.pulumi.com/oidc` - * **Subject Identifier:** must be a valid subject claim (see examples at the end of this section). - * **Name:** An arbitrary name for the credential, e.g. "pulumi-oidc-credentials" - * **Audience:** This is different between Pulumi deployments and ESC. For Deployments this is only the name of your Pulumi organization. For ESC this is the name of your Pulumi organization prefixed with `azure:` (e.g. `azure:{org}`). -{{< notes type="info" >}} -For environments in the `default` project the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments. -{{< /notes >}} - -### Subject claim examples - -Depending on the Pulumi service you are configuring OIDC for, the value of the subject claim will be different. You can learn more about configuring OIDC with Pulumi by referring to the [relevant documentation](/docs/pulumi-cloud/oidc/). - -The below sections show examples that correspond to each OIDC-supported service. - -#### Pulumi Deployments - -Because Azure's federated credentials require that the subject identifier exactly matches an OIDC token's subject claim, this process must be repeated for each permutation of the subject claim that is possible for a stack. For example, in order to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: - -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` - -#### Pulumi ESC - -The below is an example of a valid subject claim for the `project/development` environment of the `contoso` organization: - -* `pulumi:environments:org:contoso:env:project/development` - -The default format of the subject claim when `subjectAttributes` are not used is `pulumi:environments:org::env:/` - -{{< notes type="warning" >}} - -For environments within the legacy `default` project, the project will **not** be present in the subject to preserve backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is `pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom subject attribute it will resolve to only the environment name (e.g. `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). Due to this it is recommended to move your environments out of the `default` project for best security practices. - -{{< /notes >}} - -{{< notes type="warning" >}} - -If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the ESC environment will not work at this time. There is a [known issue](https://github.com/pulumi/pulumi/issues/14509) with the subject identifier's value sent to Azure from Pulumi. - -Use 'subjectAttributes' to customize the subject identifier to work with Pulumi IaC. Alternatively, you can use this syntax: `pulumi:environments:org:contoso:env:` when configuring the subject claim in your cloud provider account. Make sure to replace `contoso` with the name of your Pulumi organization and use the literal value of `` as shown. - -{{< /notes >}} - -##### Subject customization - -It is possible to customize the OIDC token subject claim by setting configuring the `subjectAttributes` setting. It expects an array of keys to include in it: - -* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other imported environments -* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and `subjectAttributes` are defined -* `pulumi.user.login`: the login identifier of the user opening the environment -* `pulumi.organization.login`: the login identifier of the organization - -The subject always contains the following prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and every key configured will be appended to this prefix. For example, consider the following environment: - -```yaml -values: - azure: - login: - fn::open::azure-login: - ... - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login -``` - -The subject will be `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:userLogin`. Note how the keys and values are appended along with the prefix. - -## Create a service principal - -To provide Pulumi services the ability to deploy, manage, and interact with Azure resources, you need to associate your Microsoft Entra application with your Subscription or Resource Group. - -1. Navigate to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV1) page of the Azure portal. -2. Select the subscription to create the service principal in. - * If you want to limit access to a specific resource group, go to the [Resource Groups](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) page instead and select the desired resource group. -3. In the left navigation menu, select **Access control (IAM)**. -4. Click **Add** > **Add role assignment** to be taken to the **Add role assignment** wizard. -5. Under the **Job function roles** tab, select the desired role from the list, then click **Next**. -6. Select **User, group, or service principal**, then click **Select members** -7. Enter the name of the application you created in a previous step, select it from the list, then click **Select**. -8. Click **Next** and then **Review + assign**. - -## Configure OIDC in the Pulumi console - -### Pulumi Deployments - -{{% notes "info" %}} -In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). -{{% /notes %}} - -1. Navigate to your stack in the [Pulumi Console](https://app.pulumi.com/). -2. Open the stack's **Settings** tab. -3. Choose the **Deploy** panel. -4. Under the **OpenID Connect** header, toggle **Enable Azure Integration**. -5. Enter the client and tenant IDs for the app registration created above in the **Client ID** and **Tenant ID** fields, respectively. -6. Enter the ID of the subscription you want to use in the **Subscription ID** field. -7. Click the **Save deployment configuration** button. - -With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Azure credentials using the specified AAD App prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `ARM_CLIENT_ID`, `ARM_TENANT_ID`, and `ARM_SUBSCRIPTION_ID` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. - -### Pulumi ESC - -To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure that you have the correct organization selected in the left-hand navigation menu. Then: - -1. Click the **Environments** link. -2. Click the **Create environment** button. -3. Provide a project to create your new environment in and a name for your environment. - * This should be the same as the identifier provided in the subject claim of your federated credentials. -4. Click the **Create environment** button. - {{< video title="Creating a new Pulumi ESC environment" src="https://www.pulumi.com/uploads/create-new-environment.mp4" autoplay="true" loop="true" >}} -5. You will be presented with a split-pane view. Delete the default placeholder content in the editor and replace it with the following code: - - ```yaml - values: - azure: - login: - fn::open::azure-login: - clientId: - tenantId: - subscriptionId: /subscriptions/ - oidc: true - environmentVariables: - ARM_USE_OIDC: 'true' - ARM_CLIENT_ID: ${azure.login.clientId} - ARM_TENANT_ID: ${azure.login.tenantId} - ARM_OIDC_TOKEN: ${azure.login.oidc.token} - ARM_SUBSCRIPTION_ID: ${azure.login.subscriptionId} - ``` - -6. Replace ``, ``, and `` with the values from the previous steps. -7. Scroll to the bottom of the page and click **Save**. - -You can validate that your configuration is working by running either of the following: - -* `esc open //` command of the [ESC CLI](/docs/esc-cli/) -* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) - -Make sure to replace ``, ``, and `` with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following: - -```bash -{ - "azure": { - "login": { - "clientId": "b537....", - "oidc": { - "token": "eyJh...." - }, - "subscriptionId": "0282....", - "tenantId": "7061...." - } - }, - "environmentVariables": { - "ARM_CLIENT_ID": "b537....", - "ARM_OIDC_TOKEN": "eyJh....", - "ARM_SUBSCRIPTION_ID": "0282....", - "ARM_TENANT_ID": "7061....", - "ARM_USE_OIDC": "true" - } -} -``` - -To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the [relevant Pulumi documentation](/docs/esc/integrations/) - -## Automate OIDC configuration - -Our [Examples](https://github.com/pulumi/examples) repository provides a wide variety of automations using Pulumi Infrastructure as Code (IaC). If you want to automate the configuration and deployment of OIDC between Pulumi and Azure, take a look at the following examples to help you get started: - -* [Configure OIDC for ESC in Pulumi Python](https://github.com/pulumi/examples/tree/master/azure-py-oidc-provider-pulumi-cloud) -* [Configure OIDC for Deployments in Pulumi TypeScript](https://github.com/pulumi/workshops/blob/main/az-pulumi-deployments/az-oidc-setup/index.ts) diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/gcp.md b/content/docs/pulumi-cloud/access-management/oidc/provider/gcp.md deleted file mode 100644 index 06b7f898598a..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/gcp.md +++ /dev/null @@ -1,221 +0,0 @@ ---- -title_tag: Configure OpenID Connect for Google Cloud | OIDC -meta_desc: This page describes how to configure OIDC token exchange in Google Cloud for use with Pulumi -title: Google Cloud -h1: Configuring OpenID Connect for Google Cloud -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: Google Cloud - parent: pulumi-cloud-access-management-oidc-provider - weight: 3 - identifier: pulumi-cloud-access-management-oidc-provider-gcp -aliases: -- /docs/guides/oidc/provider/gcp -- /docs/intro/deployments/oidc/provider/gcp/ -- /docs/pulumi-cloud/deployments/oidc/provider/gcp/ -- /docs/pulumi-cloud/oidc/provider/gcp/ -- /docs/pulumi-cloud/oidc/gcp/ ---- - -This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Google Cloud. OIDC in Google Cloud uses [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) to allow access to resources. Access to the resources is authorized using attribute conditions that validate the contents of the OIDC token issued by the Pulumi Cloud. - -## Prerequisites - -* You must create a [Google Cloud project with the required APIs enabled](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure) - -{{< notes type="warning" >}} -Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the official [Google Cloud documentation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers). -{{< /notes >}} - -## Create a Workload Identity Pool and Provider - -1. Navigate to the [Workload Identity Pools page](https://console.cloud.google.com/projectselector2/iam-admin/workload-identity-pools) in the Google Cloud console. -2. Select your Google Cloud project. -3. Click the **Create Pool** button. -4. Provide a name and an optional description. then click **Continue** -5. In the **Add a provider to pool** dropdown, select **OpenID Connect (OIDC)**. -6. Provide a name for the provider. -7. In the **Issuer** field, enter `https://api.pulumi.com/oidc`. -8. In the **Audiences** section, select the **Allowed audiences** radio button. The value for this field is different between pulumi deployments and ESC. For Deployments enter just the name of your Pulumi organization. For ESC enter the name of your Pulumi organization prefixed with `gcp:` (e.g. `gcp:{org}`). Then click **Continue**. - {{< notes type="info" >}} - For environments in the `default` project the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments. - {{< /notes >}} -9. In the **Configure provider attributes** section, provide the value of `assertion.sub` in the **OIDC 1** field. Then click **Save**. - -## Configure a Service Account - -Once you have created your workload identity pool and provider, you will be directed to the pool details page. If you already have an appropriate service account created, skip ahead to the steps found in the [Grant access to the service account](/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account) section. Otherwise, continue through the steps below to create a new one. - -### Create a new service account - -1. Navigate to the [Service Accounts](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts) page. -2. Select your Google Cloud project. -3. Click "Create Service Account". -4. Enter a value for the **Service account name** field. Then click **Create And Continue** - * The **Service account ID** field will auto-populate based on this value. -5. In the **Grant this service account access to project** section, select the role(s) that provides the relevant access to your Pulumi service. Then click **Continue**. -6. Leave the values in the next section blank and click **Done**. - -### Grant access to the service account - -1. In your workload identity pool's details page, click the **Grant Access** button. -2. In the **Select service account** dropdown, select the desired service account to associate with the pool. -3. Under the **Select principals** section, click the **Only identities matching the filter** radio button. -4. In the **Attribute name** dropdown, select **Subject**. -5. In the **Attribute value** field, provide a valid subject claim (see examples at the end of this section). Then click **Save**. - -Make a note of the project ID, workload identity pool ID, provider ID, and service account email address from the previous steps. These will be necessary to enable OIDC for your service. - -### Subject claim examples - -Depending on the Pulumi service you are configuring OIDC for, the value of the subject claim will be different. You can learn more about configuring OIDC with Pulumi by referring to the [relevant documentation](/docs/pulumi-cloud/oidc/). - -The below sections show examples that correspond to each OIDC-supported service. - -#### Pulumi Deployments - -To enable valid operations on a specific stack, Google federated credentials require an exact match on the OIDC token subject claim. Unfortunately, the subject identifier does *not* currently allow wildcards. Therefore, you must create credentials for each permutation of the subject claim that is possible for the stack. - -For example, to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: - -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` - -#### Pulumi ESC - -The below is an example of a valid subject claim for the `project/development` environment of the `contoso` organization: - -* `pulumi:environments:org:contoso:env:project/development` - -The default format of the subject claim when `subjectAttributes` are not used is `pulumi:environments:org::env:/` - -{{< notes type="warning" >}} - -For environments within the legacy `default` project, the project will **not** be present in the subject to preserve backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is `pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom subject attribute it will resolve to only the environment name (e.g. `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). Due to this it is recommended to move your environments out of the `default` project for best security practices. - -{{< /notes >}} - -You can learn more about setting up OIDC for Pulumi ESC by referring to the [relevant Pulumi documentation](/docs/pulumi-cloud/access-management/oidc/). - -{{< notes type="warning" >}} - -If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the ESC environment will not work at this time. There is a [known issue](https://github.com/pulumi/pulumi/issues/14509) with the subject identifier's value sent to Azure from Pulumi. - -Use 'subjectAttributes' to customize the subject identifier to work with Pulumi IaC. Alternatively, you can use this syntax: `pulumi:environments:org:contoso:env:` when configuring the subject claim in your cloud provider account. Make sure to replace `contoso` with the name of your Pulumi organization and use the literal value of `` as shown. - -{{< /notes >}} - -##### Subject customization - -It is possible to customize the OIDC token subject claim by setting configuring the `subjectAttributes` setting. It expects an array of keys to include in it: - -* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other imported environments -* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and `subjectAttributes` are defined -* `pulumi.user.login`: the login identifier of the user opening the environment -* `pulumi.organization.login`: the login identifier of the organization - -The subject always contains the following prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and every key configured will be appended to this prefix. For example, consider the following environment: - -```yaml -values: - gcp: - login: - fn::open::gcp-login: - oidc: - ... - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login -``` - -The subject will be `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:userLogin`. Note how the keys and values are appended along with the prefix. - -## Configure OIDC in the Pulumi Console - -### Pulumi Deployments - -{{% notes "info" %}} -In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). -{{% /notes %}} - -1. Navigate to your stack in the Pulumi Console. -2. Open the stack's "Settings" tab. -3. Choose the "Deploy" panel. -4. Under the "OpenID Connect" header, toggle "Enable Google Cloud Integration". -5. Enter the numerical ID of your Google Cloud project in the "Project Number" field. -6. Enter the workload pool ID, identity provider ID, and service account email address in the "Workload Pool ID", "Identity Provider ID", and "Service Account Email Address" fields. -7. If desired, enter the stack's Google Cloud region in the "Region" field. This is typically unnecessary. -8. If you would like to constrain the duration of the temporary Google Cloud credentials, enter a duration in the form "XhYmZs" in the "Session Duration" field. -9. Click the "Save deployment configuration" button. - -With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Google Cloud credentials using the specified federated identity prior to running any pre-commands or Pulumi operations. The fetched credentials are published as a credential configuration in the `GOOGLE_CREDENTIALS` environment variable. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. - -### Pulumi ESC - -To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure that you have the correct organization selected in the left-hand navigation menu. Then: - -1. Click the **Environments** link. -2. Click the **Create environment** button. -3. Provide a project to create your new environment in and a name for your environment. - * This should be the same as the identifier provided in the subject claim of your federated credentials. -4. Click the **Create environment** button. - {{< video title="Creating a new Pulumi ESC environment" src="https://www.pulumi.com/uploads/create-new-environment.mp4" autoplay="true" loop="true" >}} -5. You will be presented with a split-pane document and table view. Delete the default placeholder content in the editor and replace it with the following code: - - ```yaml - values: - gcp: - login: - fn::open::gcp-login: - project: - oidc: - workloadPoolId: - providerId: - serviceAccount: - environmentVariables: - GOOGLE_PROJECT: ${gcp.login.project} - CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken} - pulumiConfig: - gcp:accessToken: ${gcp.login.accessToken} - ``` - -6. Replace ``, ``, ``, and `` with the values from the previous steps. -7. Scroll to the bottom of the page and click **Save**. - -You can validate that your configuration is working by running either of the following: - -* `esc open //` command of the [ESC CLI](/docs/esc-cli/) -* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) - -Make sure to replace ``, ``, and `` with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following: - -```bash -{ - "environmentVariables": { - "GOOGLE_PROJECT": 111111111111 - "CLOUDSDK_AUTH_ACCESS_TOKEN": "ya29...." - }, - "gcp": { - "login": { - "accessToken": "ya29.....", - "expiry": "2023-11-09T11:12:41Z", - "project": 111111111111, - "tokenType": "Bearer" - } - }, - "pulumiConfig": { - "gcp:accessToken": "ya29...." - } -} -``` - -To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the [relevant Pulumi documentation](/docs/pulumi-cloud/esc/providers/). - -## Automate OIDC Configuration - -Our [Examples](https://github.com/pulumi/examples) repository provides a wide variety of example automations using Pulumi Infrastructure as Code (IaC). If you want to automate the configuration and deployment of OIDC between Pulumi and GCP, take a look at the following examples to help you get started: - -* [Configure OIDC for ESC in Pulumi Python](https://github.com/pulumi/examples/tree/master/gcp-py-oidc-provider-pulumi-cloud) diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/_index.md b/content/docs/pulumi-cloud/deployments/oidc/_index.md similarity index 50% rename from content/docs/pulumi-cloud/access-management/oidc/provider/_index.md rename to content/docs/pulumi-cloud/deployments/oidc/_index.md index 093c36a3963f..2a104df5b52c 100644 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/_index.md +++ b/content/docs/pulumi-cloud/deployments/oidc/_index.md @@ -1,53 +1,59 @@ --- -title_tag: OpenID Connect provider integration for Pulumi -meta_desc: This page provides an overview of how to configure OpenID Connect integration between - Pulumi and supported cloud providers. -title: OpenID provider -h1: OpenID Connect provider integration +title_tag: OIDC Setup for Pulumi Deployments +meta_desc: This page provides an overview of how to set up OIDC for Pulumi Deployments to obtain cloud provider credentials +title: OIDC Setup +h1: OIDC Setup for Pulumi Deployments meta_image: /images/docs/meta-images/docs-meta.png menu: cloud: - name: OpenID provider - parent: pulumi-cloud-access-management-oidc - weight: 3 - identifier: pulumi-cloud-access-management-oidc-provider + name: OIDC Setup + parent: pulumi-cloud-deployments + weight: 4 + identifier: pulumi-cloud-deployments-oidc aliases: +- /docs/pulumi-cloud/oidc/ +- /docs/pulumi-cloud/access-management/oidc/ - /docs/pulumi-cloud/oidc/provider/ +- /docs/pulumi-cloud/access-management/oidc/provider/ --- -Pulumi supports OpenID Connect (OIDC) integration across various services. OIDC enables secure interactions between Pulumi services and cloud providers by leveraging signed, short-lived tokens issued by the Pulumi Cloud. This mechanism enhances security by eliminating the necessity for hardcoded cloud provider credentials and facilitates the exchange of these tokens for short-term credentials from your cloud provider. +Pulumi Deployments supports OpenID Connect (OIDC) integration with cloud providers, enabling your deployments to obtain short-lived cloud credentials without storing long-term secrets. This page explains how to set up OIDC for Pulumi Deployments to access resources in your cloud provider accounts. + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for OIDC configuration](/docs/esc/environments/configuring-oidc/). +{{% /notes %}} ## Overview -For Pulumi services that make use of OIDC, every time that service runs, the Pulumi Cloud issues a new OIDC token specific to that run. The OIDC token is a short-lived, signed [JSON Web Token](https://jwt.io) that contains information about the service, and that can be exchanged for credentials from a cloud provider. For AWS, Azure, and Google Cloud, this credential exchange can be done automatically as part of the service setup. +Pulumi Deployments can act as an OIDC provider, issuing signed, short-lived tokens that can be exchanged for temporary credentials with your cloud provider. This eliminates the need to store long-term cloud provider credentials in Pulumi Cloud. -## Token Claims +Every time a deployment runs, Pulumi Cloud issues a new OIDC token specific to that run. The OIDC token is a short-lived, signed [JSON Web Token](https://jwt.io) that contains information about the deployment, and that can be exchanged for credentials from a cloud provider. For AWS, Azure, and Google Cloud, this credential exchange can be done automatically as part of the deployment setup. + +If you're looking for information about the permissions a deployment has within Pulumi Cloud itself (rather than cloud provider permissions), see the [Deployment Permissions documentation](/docs/pulumi-cloud/deployments/reference/#deployment-permissions). -### Pulumi Deployments +{{% notes type="info" %}} +Pulumi Cloud can also act as an OIDC client, accepting tokens from trusted identity providers. This is a separate feature from the Deployments OIDC integration and is documented in the [OIDC Client documentation](/docs/pulumi-cloud/access-management/oidc/client/). +{{% /notes %}} + +## Token Claims The token contains the standard audience, issuer, and subject claims: | Claim | Description | |-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `aud` | _(Audience)_ The name of the organization associated with the deployment. | -| `iss` | _(Issuer)_ The issuer of the OIDC token: `https://api.pulumi.com/oidc`. | +| `aud` | _(Audience)_ The name of the organization associated with the deployment. | +| `iss` | _(Issuer)_ The issuer of the OIDC token: `https://api.pulumi.com/oidc`. | | `sub` | _(Subject)_ The subject of the OIDC token. Because this value is often used for configuring trust relationships, the subject claim contains information about the associated service. Each component of the subject claim is also available as a custom claim. | -### Pulumi ESC - -For details on how Pulumi ESC environments interact with OIDC token claims, see [Configuring OIDC for Pulumi ESC](/docs/esc/environments/configuring-oidc/). - ## Custom claims -For some services, the token also contains custom claims that provide additional, service-specific information. You can find more details about the available custom claims below. - -### Pulumi Deployments +The token also contains custom claims that provide additional, deployment-specific information. -The format of the subject claim for this service is: +The format of the subject claim for deployments is: `pulumi:deploy:org::project::stack::operation::scope:write` -Valid custom claims for this service are listed in the table below: +Valid custom claims for deployments are listed in the table below: | Claim | Description | |--------------|---------------------------------------------------------------------------------| @@ -59,26 +65,21 @@ Valid custom claims for this service are listed in the table below: | `deployment` | The deployment version. | | `scope` | The scope of the OIDC token. Always `write`. | -### Pulumi ESC - -For details on how Pulumi ESC environments interact with OIDC custom claims, see [Configuring OIDC for Pulumi ESC](/docs/esc/access-management/oidc/). - ## Configuring trust relationships -As part of the process that exchanges your service's OIDC token for cloud provider credentials, the cloud provider must check the OIDC token's claims against the conditions configured in the provider's trust relationship. The configuration of a trust relationship varies depending on the cloud provider, but typically uses at least the Audience, Subject, and Issuer claims. These claims can be used to restrict trust to specific organizations, projects, stacks, environments etc: +As part of the process that exchanges your deployment's OIDC token for cloud provider credentials, the cloud provider must check the OIDC token's claims against the conditions configured in the provider's trust relationship. The configuration of a trust relationship varies depending on the cloud provider, but typically uses at least the Audience, Subject, and Issuer claims. These claims can be used to restrict trust to specific organizations, projects, stacks, etc: * The Issuer claim is typically used to validate that the token is properly signed. The issuer's public signing key is fetched and used to validate the token's signature. -* The Audience claim can vary between Deployment and ESC. For deployments this claim contains the name of the organization associated with the deployment. For ESC this claim contains the name of the organization, prefixed with the provider's platform (`aws`, `azure`, `gcp`). You can use this claim to restrict credentials to a specific organization or organizations. -* The Subject claim contains a variety of information about the service. You can use this claim to restrict credentials to a specific organization/scope. +* The Audience claim contains the name of the organization associated with the deployment. You can use this claim to restrict credentials to a specific organization. +* The Subject claim contains a variety of information about the deployment. You can use this claim to restrict credentials to a specific organization, project, stack, etc. * The various custom claims contain the same information as the Subject claim. If your cloud provider supports configuring trust relationships based on custom claims, you can use these claims for the same purposes as the Subject claim. The Subject and custom claims are particularly useful for configuring trust relationships, as they allow you to set very fine-grained conditions for credentials. -## Configuring OpenID Connect for your cloud provider +## Cloud Provider Setup -To configure OIDC for your cloud provider, refer to one of our guides: +To configure OIDC for your cloud provider with Pulumi Deployments, refer to one of these guides: -* [Configuring OIDC for AWS](/docs/pulumi-cloud/oidc/provider/aws/) -* [Configuring OIDC for Azure](/docs/pulumi-cloud/oidc/provider/azure/) -* [Configuring OIDC for Google Cloud](/docs/pulumi-cloud/oidc/provider/gcp/) -* [Configuring OIDC for Vault](/docs/pulumi-cloud/oidc/provider/vault/) +* [Configuring OIDC for AWS](/docs/pulumi-cloud/deployments/oidc/provider/aws/) +* [Configuring OIDC for Azure](/docs/pulumi-cloud/deployments/oidc/provider/azure/) +* [Configuring OIDC for Google Cloud](/docs/pulumi-cloud/deployments/oidc/provider/gcp/) diff --git a/content/docs/pulumi-cloud/deployments/oidc/aws.md b/content/docs/pulumi-cloud/deployments/oidc/aws.md new file mode 100644 index 000000000000..521c72d1f7a8 --- /dev/null +++ b/content/docs/pulumi-cloud/deployments/oidc/aws.md @@ -0,0 +1,89 @@ +--- +title_tag: Configure OpenID Connect for AWS with Pulumi Deployments | OIDC +meta_desc: This page describes how to configure OIDC token exchange in AWS for use with Pulumi Deployments +title: AWS +h1: Configuring OpenID Connect for AWS with Pulumi Deployments +meta_image: /images/docs/meta-images/docs-meta.png +menu: + cloud: + name: AWS + parent: pulumi-cloud-deployments-oidc + weight: 1 + identifier: pulumi-cloud-deployments-oidc-aws +aliases: +- /docs/guides/oidc/provider/aws +- /docs/intro/deployments/oidc/provider/aws/ +- /docs/pulumi-cloud/deployments/oidc/provider/aws/ +- /docs/pulumi-cloud/oidc/provider/aws/ +- /docs/pulumi-cloud/oidc/aws/ +- /docs/pulumi-cloud/access-management/oidc/provider/aws/ +--- + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for AWS OIDC configuration](/docs/esc/environments/configuring-oidc/aws/). +{{% /notes %}} + +This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with AWS. OIDC in AWS uses a web identity provider to assume an IAM role. Access to the IAM role is authorized using a trust policy that validates the contents of the OIDC token issued by Pulumi Cloud. + +## Create the identity provider + +1. In the navigation pane of the [IAM console](https://console.aws.amazon.com/iam/), choose **Identity providers**, and then choose **Add provider**. + {{< video title="Starting the Create Identity Provider wizard" src="https://www.pulumi.com/uploads/create-idp-start.mp4" autoplay="true" loop="true" >}} +2. In the **Provider type** section, click the radio button next to **OpenID Connect**. +3. For the **Provider URL**, provide the following URL: `https://api.pulumi.com/oidc` +4. For the **Audience** field, enter the name of your Pulumi organization. Then click **Add provider**. + +## Configure the IAM role and trust policy + +Once you have created the identity provider, you will see a notification at the top of your screen prompting you to assign an IAM role. + +1. Click the **Assign role** button. +2. Select the **Create a new role** option, then click **Next**. + {{< video title="Prompt for assigning IAM role" src="https://www.pulumi.com/uploads/assign-iam-role-prompt.mp4" autoplay="true" loop="true" >}} +3. On the IAM **Create role** page, ensure the **Web identity** radio button is selected. +4. In the **Web identity** section: + * Select `api.pulumi.com/oidc` under **Identity provider**. + * Select the name of your Pulumi organization under **Audience**. Then click **Next**. + {{< video title="Create IAM role wizard" src="https://www.pulumi.com/uploads/create-role-wizard.mp4" autoplay="true" loop="true" >}} +5. On the **Add permissions** page, select the permissions that you want to grant to your Pulumi deployments. Then click **Next**. + {{< notes type="info" >}} + For setting up an AWS Pulumi insights account, you can use the role `ReadOnlyAccess` managed by [aws](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html). + {{< /notes >}} + {{< video title="Adding S3 permissions to IAM role" src="https://www.pulumi.com/uploads/create-role-add-perms.mp4" autoplay="true" loop="true" >}} +6. Provide a name and optional description for the IAM role. Then click **Create role**. + {{< video title="Adding name and description to role then creating it" src="https://www.pulumi.com/uploads/create-role.mp4" autoplay="true" loop="true" >}} + +Make a note of the IAM role's ARN; it will be necessary to enable OIDC for your deployment. + +For more granular access control, edit the trust policy of your IAM role with [Token claims](/docs/pulumi-cloud/deployments/oidc/#custom-claims). The `sub` claim can be customized as shown below. + +In the following example, the role may only be assumed by stacks within the `Core` project of the `contoso` organization: + +```json +"Condition": { + "StringEquals": { + "api.pulumi.com/oidc:aud": "contoso" + }, + "StringLike": { + "api.pulumi.com/oidc:sub": "pulumi:deploy:org:contoso:project:Core:*" + } +} +``` + +## Configure OIDC via the Pulumi console + +{{% notes "info" %}} +In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). +{{% /notes %}} + +1. Navigate to your stack in the Pulumi Console. +2. Open the stack's "Settings" tab. +3. Choose the "Deploy" panel. +4. Under the "OpenID Connect" header, toggle "Enable AWS Integration". +5. Enter the ARN of the IAM role to created above in the "Role ARN" field. +6. Enter a name for the assumed role session in the "Session Name" field. +7. If you would like to use additional policies to further constrain the session's capabilities, enter the policies' ARNs separated by commas in the "Policy ARNs" field. +8. If you would like to constrain the duration of the assumed role session, enter a duration in the form "XhYmZs" in the "Session Duration" field. +9. Click the "Save deployment configuration" button. + +With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. diff --git a/content/docs/pulumi-cloud/deployments/oidc/azure.md b/content/docs/pulumi-cloud/deployments/oidc/azure.md new file mode 100644 index 000000000000..b26f1b1dd1d8 --- /dev/null +++ b/content/docs/pulumi-cloud/deployments/oidc/azure.md @@ -0,0 +1,106 @@ +--- +title_tag: Configure OpenID Connect for Azure with Pulumi Deployments | OIDC +meta_desc: This page describes how to configure OIDC token exchange in Azure for use with Pulumi Deployments +title: Azure +h1: Configuring OpenID Connect for Azure with Pulumi Deployments +meta_image: /images/docs/meta-images/docs-meta.png +menu: + cloud: + name: Azure + parent: pulumi-cloud-deployments-oidc + weight: 2 + identifier: pulumi-cloud-deployments-oidc-azure +aliases: +- /docs/guides/oidc/provider/azure +- /docs/intro/deployments/oidc/provider/azure/ +- /docs/pulumi-cloud/deployments/oidc/provider/azure/ +- /docs/pulumi-cloud/oidc/provider/azure/ +- /docs/pulumi-cloud/oidc/azure/ +- /docs/pulumi-cloud/access-management/oidc/provider/azure/ +--- + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for Azure OIDC configuration](/docs/esc/environments/configuring-oidc/azure/). +{{% /notes %}} + +This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with Azure. OIDC in Azure uses [workload identity federation](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation) to access Azure resources via a Microsoft Entra App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by Pulumi Cloud. + +## Prerequisites + +* You must have access in the Azure Portal to create and configure Microsoft Entra App registrations. + +{{< notes type="warning" >}} +Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the [official Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). +{{< /notes >}} + +## Create a Microsoft Entra application + +In the navigation pane of the [Microsoft Entra console](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview): + +1. Select **App registrations** and then click **New registration**. +2. Provide a name for your application (ex: `pulumi-deployments-oidc-app`). +3. In the **Supported account types** section, select **Accounts in this organizational directory only**. +4. Click **Register**. + +After the Microsoft Entra application has been created, take note of the following details: + +* Subscription ID +* Application (client) ID +* Directory (tenant) ID + +These values will be necessary when enabling OIDC for your service. + +## Add federated credentials + +Once you have created your new application registration, you will be redirected to the application's **Overview** page. In the left navigation menu: + +1. Navigate to the **Certificates & secrets** pane. +2. Select the **Federated credentials** tab. +3. Click on the **Add credential** button. This will start the "Add a credential" wizard. +4. In the wizard, select **Other Issuer** as the **Federated credential scenario**. +5. Fill in the remaining form fields as follows: + * **Issuer:** `https://api.pulumi.com/oidc` + * **Subject Identifier:** must be a valid subject claim (see examples at the end of this section). + * **Name:** An arbitrary name for the credential, e.g. "pulumi-oidc-credentials" + * **Audience:** Enter the name of your Pulumi organization. + +### Subject claim examples + +Because Azure's federated credentials require that the subject identifier exactly matches an OIDC token's subject claim, this process must be repeated for each permutation of the subject claim that is possible for a stack. For example, in order to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: + +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` + +## Create a service principal + +To provide Pulumi services the ability to deploy, manage, and interact with Azure resources, you need to associate your Microsoft Entra application with your Subscription or Resource Group. + +1. Navigate to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV1) page of the Azure portal. +2. Select the subscription to create the service principal in. + * If you want to limit access to a specific resource group, go to the [Resource Groups](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) page instead and select the desired resource group. +3. In the left navigation menu, select **Access control (IAM)**. +4. Click **Add** > **Add role assignment** to be taken to the **Add role assignment** wizard. +5. Under the **Job function roles** tab, select the desired role from the list, then click **Next**. +6. Select **User, group, or service principal**, then click **Select members** +7. Enter the name of the application you created in a previous step, select it from the list, then click **Select**. +8. Click **Next** and then **Review + assign**. + +## Configure OIDC in the Pulumi console + +{{% notes "info" %}} +In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). +{{% /notes %}} + +1. Navigate to your stack in the [Pulumi Console](https://app.pulumi.com/). +2. Open the stack's **Settings** tab. +3. Choose the **Deploy** panel. +4. Under the **OpenID Connect** header, toggle **Enable Azure Integration**. +5. Enter the client and tenant IDs for the app registration created above in the **Client ID** and **Tenant ID** fields, respectively. +6. Enter the ID of the subscription you want to use in the **Subscription ID** field. +7. Click the **Save deployment configuration** button. + +With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Azure credentials using the specified AAD App prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `ARM_CLIENT_ID`, `ARM_TENANT_ID`, and `ARM_SUBSCRIPTION_ID` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. + +If you want an example of how to automate the configuration of OIDC for Pulumi Deployments with Azure, you can refer to [this TypeScript example](https://github.com/pulumi/workshops/blob/main/az-pulumi-deployments/az-oidc-setup/index.ts). diff --git a/content/docs/pulumi-cloud/deployments/oidc/gcp.md b/content/docs/pulumi-cloud/deployments/oidc/gcp.md new file mode 100644 index 000000000000..84924ae7f9e7 --- /dev/null +++ b/content/docs/pulumi-cloud/deployments/oidc/gcp.md @@ -0,0 +1,99 @@ +--- +title_tag: Configure OpenID Connect for Google Cloud with Pulumi Deployments | OIDC +meta_desc: This page describes how to configure OIDC token exchange in Google Cloud for use with Pulumi Deployments +title: Google Cloud +h1: Configuring OpenID Connect for Google Cloud with Pulumi Deployments +meta_image: /images/docs/meta-images/docs-meta.png +menu: + cloud: + name: Google Cloud + parent: pulumi-cloud-deployments-oidc + weight: 3 + identifier: pulumi-cloud-deployments-oidc-gcp +aliases: +- /docs/guides/oidc/provider/gcp +- /docs/intro/deployments/oidc/provider/gcp/ +- /docs/pulumi-cloud/deployments/oidc/provider/gcp/ +- /docs/pulumi-cloud/oidc/provider/gcp/ +- /docs/pulumi-cloud/oidc/gcp/ +- /docs/pulumi-cloud/access-management/oidc/provider/gcp/ +--- + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for Google Cloud OIDC configuration](/docs/esc/environments/configuring-oidc/gcp/). +{{% /notes %}} + +This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with Google Cloud. OIDC in Google Cloud uses [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) to allow access to resources. Access to the resources is authorized using attribute conditions that validate the contents of the OIDC token issued by Pulumi Cloud. + +## Prerequisites + +* You must create a [Google Cloud project with the required APIs enabled](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure) + +{{< notes type="warning" >}} +Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the official [Google Cloud documentation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers). +{{< /notes >}} + +## Create a Workload Identity Pool and Provider + +1. Navigate to the [Workload Identity Pools page](https://console.cloud.google.com/projectselector2/iam-admin/workload-identity-pools) in the Google Cloud console. +2. Select your Google Cloud project. +3. Click the **Create Pool** button. +4. Provide a name and an optional description. then click **Continue** +5. In the **Add a provider to pool** dropdown, select **OpenID Connect (OIDC)**. +6. Provide a name for the provider. +7. In the **Issuer** field, enter `https://api.pulumi.com/oidc`. +8. In the **Audiences** section, select the **Allowed audiences** radio button. Enter the name of your Pulumi organization. Then click **Continue**. +9. In the **Configure provider attributes** section, provide the value of `assertion.sub` in the **OIDC 1** field. Then click **Save**. + +## Configure a Service Account + +Once you have created your workload identity pool and provider, you will be directed to the pool details page. If you already have an appropriate service account created, skip ahead to the steps found in the [Grant access to the service account](/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account) section. Otherwise, continue through the steps below to create a new one. + +### Create a new service account + +1. Navigate to the [Service Accounts](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts) page. +2. Select your Google Cloud project. +3. Click "Create Service Account". +4. Enter a value for the **Service account name** field. Then click **Create And Continue** + * The **Service account ID** field will auto-populate based on this value. +5. In the **Grant this service account access to project** section, select the role(s) that provides the relevant access to your Pulumi service. Then click **Continue**. +6. Leave the values in the next section blank and click **Done**. + +### Grant access to the service account + +1. In your workload identity pool's details page, click the **Grant Access** button. +2. In the **Select service account** dropdown, select the desired service account to associate with the pool. +3. Under the **Select principals** section, click the **Only identities matching the filter** radio button. +4. In the **Attribute name** dropdown, select **Subject**. +5. In the **Attribute value** field, provide a valid subject claim (see examples at the end of this section). Then click **Save**. + +Make a note of the project ID, workload identity pool ID, provider ID, and service account email address from the previous steps. These will be necessary to enable OIDC for your service. + +### Subject claim examples + +To enable valid operations on a specific stack, Google federated credentials require an exact match on the OIDC token subject claim. Unfortunately, the subject identifier does *not* currently allow wildcards. Therefore, you must create credentials for each permutation of the subject claim that is possible for the stack. + +For example, to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: + +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` + +## Configure OIDC in the Pulumi Console + +{{% notes "info" %}} +In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). +{{% /notes %}} + +1. Navigate to your stack in the Pulumi Console. +2. Open the stack's "Settings" tab. +3. Choose the "Deploy" panel. +4. Under the "OpenID Connect" header, toggle "Enable Google Cloud Integration". +5. Enter the numerical ID of your Google Cloud project in the "Project Number" field. +6. Enter the workload pool ID, identity provider ID, and service account email address in the "Workload Pool ID", "Identity Provider ID", and "Service Account Email Address" fields. +7. If desired, enter the stack's Google Cloud region in the "Region" field. This is typically unnecessary. +8. If you would like to constrain the duration of the temporary Google Cloud credentials, enter a duration in the form "XhYmZs" in the "Session Duration" field. +9. Click the "Save deployment configuration" button. + +With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Google Cloud credentials using the specified federated identity prior to running any pre-commands or Pulumi operations. The fetched credentials are published as a credential configuration in the `GOOGLE_CREDENTIALS` environment variable. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file.