Cyclenerd / terraform-google-wif-service-account

🔐 Terraform module to allow login via Google Cloud Workload Identity Pool and Provider for service accounts
https://registry.terraform.io/modules/Cyclenerd/wif-service-account/google/latest
Apache License 2.0

Feature request: Allow `principal://` usage #4

Open KonStg opened 1 week ago

KonStg commented 1 week ago

The module currently does not support providing principals in the format: `principal://iam.googleapis.com/${var.pool_name}/subject/${local.value}`

Please add support for using not only principalSet://, but also principal://.
Additionally, there is a need to use more than two fixed attributes "attribute.sub" and "attribute.repository".

The lack of this capability required a lot of time to identify the problem with 403. Issue with GitHub Actions

Cyclenerd commented 1 week ago

The module is intended to provide a simple option. If you want to do more customization and you are sure what you are doing, you can of course use the actual Terraform resource.

principalSet is listed for attribute values in the official documentation: https://cloud.google.com/iam/docs/workload-identity-federation#principal-types

And is also used by colleagues from Google Professional Services: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/0-bootstrap/identity-providers-defs.tf#L46

I personally also never had a problem with principalSet (like 403).
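As an added example, not code from the module or from either commenter: the plain `google_service_account_iam_member` resource referred to above, with a `principal://` binding for a single OIDC subject beside a `principalSet://` binding for a mapped attribute. The pool name, project number, repository and subject are constructed placeholders.

```hcl
# Added example, not part of the wif-service-account module.
# Every identifier below is a constructed placeholder.
locals {
  # Fully qualified Workload Identity Pool name (constructed).
  pool_name = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"
  # GitHub Actions OIDC `sub` claim for one branch of one repository (constructed).
  subject = "repo:example-org/example-repo:ref:refs/heads/main"
  # Value of the provider's mapped attribute.repository claim (constructed).
  repository = "example-org/example-repo"
}

resource "google_service_account" "deployer" {
  account_id   = "github-deployer"
  display_name = "GitHub Actions deployer (example)"
}

# principal:// grants exactly one external identity, identified by its full subject.
# This is the narrowest binding: only a token whose `sub` equals local.subject may
# impersonate the service account.
resource "google_service_account_iam_member" "single_subject" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${local.pool_name}/subject/${local.subject}"
}

# principalSet:// grants every identity whose mapped attribute has the given value.
# It only works if the provider's attribute_mapping defines attribute.repository;
# a token whose mapped claims match no binding is denied impersonation (403).
resource "google_service_account_iam_member" "repository_set" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${local.pool_name}/attribute/repository/${local.repository}"
}
```

Prefer the `principal://` form when a workflow needs access from one repository and branch only; `principalSet://` on `attribute.repository` covers every branch, tag and pull request of that repository.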