OIDC

Buddy supports OIDC both for pipeline integration with Google Cloud services and for SSO login. In this guide you will learn how to configure OIDC for pipelines, using Google Cloud Workload Identity Federation so that pipeline runs exchange a short-lived Buddy ID token for Google credentials instead of storing a long-lived service account key.

OIDC provider configuration

  1. Sign in to your Google Cloud Console and go to IAM & Admin.
  2. Switch to Workload Identity Federation and click +Create Pool:

  3. Enter the name and description and click Continue.
  4. Switch the provider type to OpenID Connect (OIDC) and fill in the details:

    • Provider name → e.g. Buddy
    • Provider URL → https://oidc.buddyusercontent.com (US accounts) or https://eu-oidc.buddyusercontent.com (EU accounts)

  5. Copy the audience URL and click Continue.
  6. Map the subject attribute to assertion.sub and click Save to proceed.

You can ignore the attribute conditions for now – they are configured later, once the integration has been added in Buddy and its subject is known.
  7. Once the pool is created, click +Grant access and define the service account and the principals (subjects) from your pool that may impersonate it.
  8. A pop-up will appear from which you can download a configuration file for the client libraries. Set the provider to the one created earlier and fill in the details:

    • OIDC ID token path → /buddy
    • Format type → JSON

  9. Download the config file to finish.

Buddy configuration

  1. Sign in to your Buddy account and go to Integrations.
  2. Click New integration and select Google Cloud.
  3. Define the integration details:

    • enter the name and define the sharing scope
    • switch the authorization method to OIDC
    • enter the name of the project
    • upload the JSON file as the Client Library Config
    • paste the audience copied from the OIDC provider

  4. Click the button to finish configuration.

Restricting provider to integration

Without an attribute condition the provider accepts every valid token issued by the Buddy OIDC issuer, and only the IAM grants on the pool decide what those tokens can do. To ensure that your OIDC provider is restricted exclusively to this integration, define an attribute condition on the provider so that tokens with any other subject are rejected before any grant is consulted.
  1. Go to the created integration in Buddy and copy the Subject.
  2. Switch back to Google and go to Workload Identity Federation.
  3. Expand the pool that you configured beforehand, and click edit by the provider's name.

  4. Add the following attribute condition (the subject value is a quoted string literal in CEL):

    • google.subject == "GOOGLE_INTEGRATION_SUBJECT"

  5. Click Save to finish.

Narrowing restrictions

The mappings and conditions below are just an example of the configuration process. Adjust the attributes to your own security requirements and replace the placeholders with actual values (e.g. replace REF_NAME with the branch name, such as master).

You can add more conditions if required. For example, to restrict the integration to pipeline runs executed for the main branch of a specific project, first map the corresponding claims of the Buddy ID token to custom attributes (a condition may only reference attributes that the mapping defines), then compare those attributes in the condition.

Mappings (PROJECT_NAME and REF_NAME stand for the names of the claims in the Buddy ID token):

  • attribute.repo → assertion.PROJECT_NAME
  • attribute.branch → assertion.REF_NAME

Conditions (each value is a quoted string; the expression must not end with a dangling &&):

google.subject == "GOOGLE_INTEGRATION_SUBJECT" &&
attribute.repo == "PROJECT_NAME" &&
attribute.branch == "REF_NAME"
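The following is an added example, not Buddy's or Google's code. It performs an offline dry run of what Google's token exchange does with the Buddy ID token: it checks issuer, audience and expiry, applies the attribute mapping, and evaluates the attribute condition (the `==` / `&&` subset used on this page) so that a condition can be tested against sample tokens before it is saved. The audience, subject, claim names (PROJECT_NAME, REF_NAME) and tokens are constructed placeholders; signature verification is deliberately omitted because Google performs it against the issuer's published keys.

```python
"""Offline dry run of a Workload Identity Federation attribute condition.

Added example (not Buddy or Google code). Tokens are unsigned stand-ins and
signature verification is left out on purpose: Google's STS verifies the
signature against the Buddy issuer's keys before any attribute logic runs.
"""
import base64
import json
import re

BUDDY_ISSUERS = {
    "https://oidc.buddyusercontent.com",     # US accounts
    "https://eu-oidc.buddyusercontent.com",  # EU accounts
}

# Constructed placeholders: pool/provider audience, claim names, subject.
EXAMPLE_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                    "workloadIdentityPools/buddy-pool/providers/buddy")
EXAMPLE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.repo": "assertion.PROJECT_NAME",  # placeholder claim name
    "attribute.branch": "assertion.REF_NAME",    # placeholder claim name
}
EXAMPLE_CONDITION = ('google.subject == "buddy-subject-123" && '
                     'attribute.repo == "my-app" && attribute.branch == "master"')
EXAMPLE_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Builds an alg=none JWT as a constructed stand-in for a Buddy ID token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def unverified_claims(id_token: str) -> dict:
    """Decodes the payload only; no signature check (see module docstring)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_token(claims: dict, audience: str, now: int) -> list:
    """Issuer, audience and expiry checks that precede any attribute logic."""
    problems = []
    if claims.get("iss") not in BUDDY_ISSUERS:
        problems.append(f"issuer {claims.get('iss')!r} is not a Buddy OIDC issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        problems.append("audience does not match the provider audience")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def apply_mapping(claims: dict, mapping: dict) -> dict:
    """Turns 'attribute.x -> assertion.<claim>' pairs into a flat attribute set."""
    attrs = {}
    for target, source in mapping.items():
        if not source.startswith("assertion."):
            raise ValueError(f"{target}: only assertion.<claim> sources are supported here")
        claim = source[len("assertion."):]
        if claim not in claims:
            raise ValueError(f"{target}: token has no claim {claim!r}")
        attrs[target] = str(claims[claim])
    if "google.subject" not in attrs:
        raise ValueError("google.subject must be mapped")
    return attrs


_TOKEN = re.compile(r'\s*(?:(&&|==|!=)|"([^"]*)"|([A-Za-z_][\w.]*))')


def evaluate_condition(expr: str, attrs: dict) -> bool:
    """Evaluates the CEL subset used on the page: ==/!= comparisons joined by &&.

    A dangling operator (e.g. a trailing '&&') or an attribute that the
    mapping does not define raises instead of silently passing.
    """
    toks, pos = [], 0
    while expr[pos:].strip():
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:pos + 12]!r}")
        pos = m.end()
        toks.append(("op", m.group(1)) if m.group(1) is not None
                    else ("str", m.group(2)) if m.group(2) is not None
                    else ("id", m.group(3)))
    i = 0

    def take(kinds):
        nonlocal i
        if i >= len(toks):
            raise ValueError("condition ends in the middle of an expression")
        kind, val = toks[i]
        if kind not in kinds:
            raise ValueError(f"unexpected {kind} {val!r}")
        i += 1
        return kind, val

    def operand():
        kind, val = take(("id", "str"))
        if kind == "str":
            return val
        if val not in attrs:
            raise ValueError(f"{val} is not defined by the attribute mapping")
        return attrs[val]

    def comparison():
        left = operand()
        _, op = take(("op",))
        if op not in ("==", "!="):
            raise ValueError(f"expected == or !=, got {op}")
        right = operand()
        return left == right if op == "==" else left != right

    result = comparison()
    while i < len(toks):
        _, op = take(("op",))
        if op != "&&":
            raise ValueError(f"expected &&, got {op}")
        result = comparison() and result  # right side always parsed, so errors surface
    return result


def authorize(id_token: str, audience: str, mapping: dict, condition: str, now: int):
    """Returns (allowed, reasons) in the order the real exchange applies the checks."""
    claims = unverified_claims(id_token)
    problems = check_token(claims, audience, now)
    if problems:
        return False, problems
    attrs = apply_mapping(claims, mapping)
    if not evaluate_condition(condition, attrs):
        return False, ["attribute condition evaluated to false for " + json.dumps(attrs)]
    return True, []


def example_token(**overrides) -> str:
    """Constructed claim set shaped like the page's mapping; not a real Buddy token."""
    claims = {"iss": "https://oidc.buddyusercontent.com", "aud": EXAMPLE_AUDIENCE,
              "sub": "buddy-subject-123", "PROJECT_NAME": "my-app",
              "REF_NAME": "master", "exp": EXAMPLE_NOW + 300}
    claims.update(overrides)
    return make_unsigned_token(claims)


if __name__ == "__main__":
    for label, tok in [("master branch", example_token()),
                       ("feature branch", example_token(REF_NAME="feature/x")),
                       ("other project", example_token(PROJECT_NAME="other-app")),
                       ("wrong audience", example_token(aud="https://example.invalid"))]:
        print(label, authorize(tok, EXAMPLE_AUDIENCE, EXAMPLE_MAPPING, EXAMPLE_CONDITION, EXAMPLE_NOW))
```

Run it to see the master-branch token accepted and the feature-branch, other-project and wrong-audience tokens rejected with the reason. Pasting the page's original condition with its trailing `&&` into `evaluate_condition` raises, which is also what Google reports when such a condition is saved; the same applies when a condition references `attribute.branch` without the corresponding mapping.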

Last modified on August 17, 2023
