package main
import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)
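// AuthServiceAccount grants a Workload Identity Pool principal set the
// roles/iam.workloadIdentityUser role on a service account, so that GitHub
// Actions jobs whose OIDC token carries a chosen attribute value can
// impersonate that account.
//
// The service account email comes from cfg.serviceAccount and is prompted
// for if empty. The attribute to key the binding on (workflow, repository,
// environment, actor or ref) and its value are read interactively, and then
// `gcloud iam service-accounts add-iam-policy-binding` is run for
// cfg.projectID against pool cfg.poolName in project projectNumber. gcloud's
// stdout is discarded; its stderr is forwarded to the terminal.
//
// Returns an error when a required identifier (project number, project ID,
// pool name, service account) is empty, when the menu choice is not 1-5,
// when the attribute value is empty (which would produce a malformed
// principal set that matches nothing or the wrong thing), or when gcloud
// exits non-zero.
func AuthServiceAccount(cfg *config, projectNumber string) error {
	fmt.Print(`
|--------------------------------------------------------------------------------------|
| Service Accounts |
| Using an attribute from the generated JWT we can select which service account |
| to associate with the GitHub job auth request, and therefore limiting access |
| to the permissions associated with that account. |
| |
| For best security, create a unique service account for each workflow. |
|--------------------------------------------------------------------------------------|
`)
	// These three are interpolated into the --project flag and the
	// principalSet member; an empty one yields a malformed resource name and
	// an unhelpful gcloud error, so fail early with a clear message.
	if projectNumber == "" {
		return fmt.Errorf("project number is required to build the principal set")
	}
	if cfg.projectID == "" {
		return fmt.Errorf("project ID is required")
	}
	if cfg.poolName == "" {
		return fmt.Errorf("workload identity pool name is required")
	}
	if cfg.serviceAccount == "" {
		cfg.serviceAccount = strings.TrimSpace(GetInput("Paste the service account email address (e.g. deploy-sa@project-id.iam.gserviceaccount.com):"))
	}
	if cfg.serviceAccount == "" {
		return fmt.Errorf("service account email is required")
	}
	fmt.Println()
	fmt.Print(`Select the attribute to use for service account association:
1. workflow [SUGGESTED]
2. repository
3. environment
4. actor
5. ref
`)
	attribute, err := attributeForChoice(GetInput("Enter number (1-5):"))
	if err != nil {
		return err
	}
	fmt.Println()
	printAttributeFormatHint(attribute)
	// Trim surrounding whitespace from a pasted value; a trailing space or
	// newline would otherwise become part of the attribute match and the
	// binding would silently never apply.
	value := strings.TrimSpace(GetInput("Enter value [CASE SENSITIVE]:"))
	if value == "" {
		return fmt.Errorf("attribute value for %s is required", attribute)
	}
	member := workloadIdentityPrincipalSet(projectNumber, cfg.poolName, attribute, value)
	// NOTE(review): a binding keyed on a single attribute (e.g. workflow or
	// ref) is only as narrow as the pool provider's attribute mapping and
	// attribute condition allow, and both are configured outside this
	// function. Confirm the provider restricts which repositories/owners can
	// obtain tokens; otherwise any repository using the same provider could
	// present the same attribute value.
	//
	// The value is passed to gcloud as its own argv element (no shell is
	// involved), so it cannot inject additional commands or flags.
	cmd := exec.Command("gcloud", "iam", "service-accounts", "add-iam-policy-binding",
		cfg.serviceAccount,
		"--project", cfg.projectID,
		"--role", "roles/iam.workloadIdentityUser",
		"--member", member)
	cmd.Stderr = os.Stderr
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("binding %s to %s as %s: %w", member, cfg.serviceAccount, "roles/iam.workloadIdentityUser", err)
	}
	return nil
}

// attributeForChoice maps a menu number ("1".."5") to the pool attribute
// name used in the principal set; any other input is an error.
func attributeForChoice(choice string) (string, error) {
	switch choice {
	case "1":
		return "workflow", nil
	case "2":
		return "repository", nil
	case "3":
		return "environment", nil
	case "4":
		return "actor", nil
	case "5":
		return "ref", nil
	default:
		return "", fmt.Errorf("invalid selection: %s", choice)
	}
}

// printAttributeFormatHint prints the expected value format and examples for
// the chosen attribute before the user is prompted for the value.
//
// NOTE(review): these hints assume a particular attribute mapping on the
// pool provider (not visible here) — e.g. that attribute.workflow carries
// the workflow file name rather than the token's workflow-name claim.
// Confirm they match the mapping actually configured.
func printAttributeFormatHint(attribute string) {
	switch attribute {
	case "repository":
		fmt.Println("Expected format for [repository]: owner/repo")
		fmt.Println()
		fmt.Println("Examples:")
		fmt.Println("- unacast/actions")
		fmt.Println("- redis/go-redis")
	case "environment":
		fmt.Println("Expected format for [environment]: env")
		fmt.Println()
		fmt.Println("Examples:")
		fmt.Println("- dev")
		fmt.Println("- prod")
	case "workflow":
		fmt.Println("Expected format for [workflow]: workflow-filename (without .yml)")
		fmt.Println()
		fmt.Println("Examples:")
		fmt.Println("- build")
		fmt.Println("- deploy")
	case "actor":
		fmt.Println("Expected format for [actor]: username")
	case "ref":
		fmt.Println("Expected format for [ref]: refs/heads/branch-name")
		fmt.Println()
		fmt.Println("Examples:")
		fmt.Println("- refs/heads/main")
		fmt.Println("- refs/heads/feature-branch")
	}
}

// workloadIdentityPrincipalSet builds the IAM member string that matches
// every identity in the pool whose mapped attribute equals value.
func workloadIdentityPrincipalSet(projectNumber, poolName, attribute, value string) string {
	return fmt.Sprintf("principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.%s/%s",
		projectNumber, poolName, attribute, value)
}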