This repository has been archived by the owner on Oct 31, 2024. It is now read-only.
github-authn-jwt.yml
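# Conjur policy that declares the JWT authenticator "conjur/authn-jwt/github"
# for GitHub Actions. It only declares the webservice, its configuration
# variables and the roles allowed to use it. The variable VALUES are loaded
# separately (see README.md for the detailed policy and commands).
#
# The nesting below is significant: everything under 'body' belongs to the
# policy, and each 'id' belongs to the list entry directly above it.
- !policy
  id: conjur/authn-jwt/github
  body:
    # The authenticator endpoint itself.
    - !webservice

    # Mandatory variable: the JWT provider URI.
    # Uncomment either 'provider-uri' OR 'jwks-uri'.
    # - !variable
    #   id: provider-uri

    # jwks-uri for GitHub Actions:
    # https://token.actions.githubusercontent.com/.well-known/jwks
    # Token signatures are verified against the keys served from this URI, so
    # its value is a trust anchor: use the HTTPS endpoint and restrict who may
    # update the variable.
    - !variable
      id: jwks-uri

    # Optional variables.
    # Uncomment one or all of the following optional variables.
    # Note: if you uncomment 'token-app-property' you must also uncomment
    # 'identity-path', and vice versa.
    # NOTE(review): a variable declared here but never given a value may make
    # the authenticator report an error; confirm against the Conjur docs and
    # comment out anything you do not populate.

    # In this example, "token-app-property" is set to "workflow".
    # Please refer to README.md for detailed policy and commands.
    # The 'workflow' claim is the workflow's name, which is chosen by whoever
    # writes the workflow file and is not unique across repositories. Do not
    # rely on it alone: bind each host to its repository through
    # 'enforced-claims' and the host annotations.
    - !variable
      id: token-app-property

    # In this example, "identity-path" is set to "/github-apps".
    # Please refer to README.md for detailed policy and commands.
    - !variable
      id: identity-path

    # "issuer" for GitHub Actions: https://token.actions.githubusercontent.com
    # Pinning the issuer rejects tokens whose 'iss' claim names another issuer.
    - !variable
      id: issuer

    # In this example, "enforced-claims" is set to "workflow,repository".
    # Please refer to README.md for detailed policy and commands.
    # Every claim listed here has to be matched by an annotation on the host,
    # so keeping 'repository' in the list prevents a host from being defined
    # by workflow name only.
    - !variable
      id: enforced-claims

    # - !variable
    #   id: mapping-claims

    # 'audience' is left disabled in this example. Enabling it and loading the
    # expected value makes Conjur check the token's 'aud' claim, so a token
    # requested for a different relying party is not accepted here.
    # - !variable
    #   id: audience

    # Group of applications that can authenticate using this JWT Authenticator.
    # Membership of this group is what grants the 'authenticate' privilege
    # below; add only the hosts that are meant to log in from GitHub Actions.
    - !group apps

    - !permit
      role: !group apps
      privilege: [read, authenticate]
      resource: !webservice

    # Status endpoint of the authenticator.
    - !webservice
      id: status

    # Group of users who can check the status of the JWT Authenticator.
    # They receive 'read' on the status webservice only, not 'authenticate'.
    - !group
      id: operators

    - !permit
      role: !group operators
      privilege: [read]
      resource: !webservice status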