You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
By default, the role trust policy does not have any conditions on the subject identifier. To lock the role down to particular usages you need to modify the [trust policy conditions](https://oc.to/aws-iam-policy-conditions) and add a condition for the `sub`.
84
84
85
-
For example, to lock an identity role to a specific Octopus environment, you can update the conditions:
85
+
For example, to lock an identity role to a specific Octopus environment for an untenanted deployment, you can update the conditions:
86
86
87
87
```json
88
88
"Condition": {
@@ -93,7 +93,18 @@ For example, to lock an identity role to a specific Octopus environment, you can
93
93
}
94
94
```
95
95
96
-
`default`, `aws-oidc-testing` and `dev` are the slugs of their respective Octopus resources.
96
+
`default`, `aws-oidc-testing`, and `dev` are the slugs of their respective Octopus resources. The `tenant:` segment is omitted because this deployment has no tenant value — when a selected subject key has no value at runtime, both the key and the value are dropped from the subject.
97
+
98
+
For a tenanted deployment, the subject also includes the tenant slug:
Copy file name to clipboardExpand all lines: src/pages/docs/infrastructure/accounts/openid-connect.md
+14-8Lines changed: 14 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
---
2
2
layout: src/layouts/Default.astro
3
3
pubDate: 2023-09-22
4
-
modDate: 2025-03-28
4
+
modDate: 2026-04-27
5
5
title: OpenID Connect
6
6
description: How to customize the Subject Claim for OpenID Connect authentication
7
7
navOrder: 70
@@ -41,11 +41,13 @@ The subject can be modified for the three different uses within Octopus:
41
41
42
42
### Subject key parts
43
43
44
-
- Only the requested keys for a **Subject** claim will be include in the generated **Subject** claim
45
-
- Any Octopus resource types included in the **Subject** claim will use the slug value for the Octopus resource. The slug value is generated from the name of the Octopus resource when it was created, it can be edited on the edit page of resource type.
44
+
- Only the requested keys for a **Subject** claim will be included in the generated **Subject** claim.
45
+
- Any Octopus resource types included in the **Subject** claim will use the slug value for the Octopus resource. The slug value is generated from the name of the Octopus resource when it was created, and it can be edited on the edit page of the resource type.
46
+
- If a requested key has no value (for example, **Tenant** on an untenanted deployment, or **Runbook** on a deployment), both the key and the value are dropped from the **Subject** claim.
46
47
- The **Subject** claim parts will always be in the following order:
47
48
-**Space**
48
49
-**Project**
50
+
-**Project Group**
49
51
-**Runbook**
50
52
-**Tenant**
51
53
-**Environment**
@@ -60,21 +62,25 @@ The **Subject** claim for a deployment or a runbook supports the following parts
60
62
61
63
-**Space** slug
62
64
-**Project** slug
65
+
-**Project Group** slug
63
66
-**Runbook** slug
64
67
-**Tenant** slug
65
68
-**Environment** slug
66
69
-**Account** slug
67
70
-**Type**
68
-
-**Feed** slug
69
71
70
-
The default format for a deployment and runbook is `space:[space-slug]:project:[project-slug]:tenant:[tenant-slug]:environment:[environment-slug]`.
72
+
The default keys for a deployment and runbook are **Space**, **Project**, **Tenant**, and **Environment**. For a tenanted deployment, this produces `space:[space-slug]:project:[project-slug]:tenant:[tenant-slug]:environment:[environment-slug]`. For an untenanted deployment, the **Tenant** segment is dropped, giving `space:[space-slug]:project:[project-slug]:environment:[environment-slug]`.
71
73
72
74
The value for the type is either `deployment` or `runbook`.
73
75
74
76
When changing the **Subject** claim format for a deployment and runbook, the runbook value will not be included (if specified) when running a deployment.
75
77
76
-
For example, in the **Default** space, you have a project called **Deploy Web App**, and a runbook called **Restart**. If you set the **Subject** claim format to `space`, `project`, `runbook` and `type`, when running a deployment the **Subject** claim will be `space:default:project:deploy-web-app:type:deployment` and for the run of the runbook the **Subject** claim would be `space:default:project:deploy-web-app:runbook:restart:type:runbook`.
77
-
This is using the default generated slug values for the space, project and runbook.
78
+
For example, in the **Default** space, you have a project called **Deploy Web App**, and a runbook called **Restart**. If you set the **Subject** claim format to `space`, `project`, `runbook` and `type`, when running a deployment the **Subject** claim will be `space:default:project:deploy-web-app:type:deployment`, and for the run of the runbook the **Subject** claim would be `space:default:project:deploy-web-app:runbook:restart:type:runbook`.
79
+
This is using the default generated slug values for the space, project, and runbook.
80
+
81
+
:::div{.warning}
82
+
Make sure your cloud provider's trust policy matches the **Subject** your deployments actually produce (tenanted or untenanted, deployment or runbook), not just the keys you selected.
83
+
:::
78
84
79
85
## Health Checks {#health-checks}
80
86
@@ -117,7 +123,7 @@ Each of these claims will be prefixed with `https://octopus.com/claims/` and wil
0 commit comments