Skip to content

Commit a2eceaa

Browse files
Document OIDC subject claim drop-when-empty behaviour (#3118)
1 parent d4e9880 commit a2eceaa

2 files changed

Lines changed: 28 additions & 11 deletions

File tree

src/pages/docs/infrastructure/accounts/aws/index.md

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
layout: src/layouts/Default.astro
33
pubDate: 2023-01-01
4-
modDate: 2025-08-18
4+
modDate: 2026-04-27
55
title: AWS accounts
66
description: Configure your infrastructure so Octopus can deploy infrastructure to AWS and run scripts against the AWS CLI.
77
navOrder: 20
@@ -82,7 +82,7 @@ Please read [OpenID Connect Subject Identifier](/docs/infrastructure/accounts/op
8282

8383
By default, the role trust policy does not have any conditions on the subject identifier. To lock the role down to particular usages you need to modify the [trust policy conditions](https://oc.to/aws-iam-policy-conditions) and add a condition for the `sub`.
8484

85-
For example, to lock an identity role to a specific Octopus environment, you can update the conditions:
85+
For example, to lock an identity role to a specific Octopus environment for an untenanted deployment, you can update the conditions:
8686

8787
```json
8888
"Condition": {
@@ -93,7 +93,18 @@ For example, to lock an identity role to a specific Octopus environment, you can
9393
}
9494
```
9595

96-
`default`, `aws-oidc-testing` and `dev` are the slugs of their respective Octopus resources.
96+
`default`, `aws-oidc-testing`, and `dev` are the slugs of their respective Octopus resources. The `tenant:` segment is omitted because this deployment has no tenant value — when a selected subject key has no value at runtime, both the key and the value are dropped from the subject.
97+
98+
For a tenanted deployment, the subject also includes the tenant slug:
99+
100+
```json
101+
"Condition": {
102+
"StringEquals": {
103+
"example.octopus.app:sub": "space:default:project:aws-oidc-testing:tenant:acme:environment:dev",
104+
"example.octopus.app:aud": "example.octopus.app"
105+
}
106+
}
107+
```
97108

98109
AWS policy conditions also support complex matching with wildcards and `StringLike` expressions.
99110

src/pages/docs/infrastructure/accounts/openid-connect.md

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
layout: src/layouts/Default.astro
33
pubDate: 2023-09-22
4-
modDate: 2025-03-28
4+
modDate: 2026-04-27
55
title: OpenID Connect
66
description: How to customize the Subject Claim for OpenID Connect authentication
77
navOrder: 70
@@ -41,11 +41,13 @@ The subject can be modified for the three different uses within Octopus:
4141

4242
### Subject key parts
4343

44-
- Only the requested keys for a **Subject** claim will be include in the generated **Subject** claim
45-
- Any Octopus resource types included in the **Subject** claim will use the slug value for the Octopus resource. The slug value is generated from the name of the Octopus resource when it was created, it can be edited on the edit page of resource type.
44+
- Only the requested keys for a **Subject** claim will be included in the generated **Subject** claim.
45+
- Any Octopus resource types included in the **Subject** claim will use the slug value for the Octopus resource. The slug value is generated from the name of the Octopus resource when it was created, and it can be edited on the edit page of the resource type.
46+
- If a requested key has no value (for example, **Tenant** on an untenanted deployment, or **Runbook** on a deployment), both the key and the value are dropped from the **Subject** claim.
4647
- The **Subject** claim parts will always be in the following order:
4748
- **Space**
4849
- **Project**
50+
- **Project Group**
4951
- **Runbook**
5052
- **Tenant**
5153
- **Environment**
@@ -60,21 +62,25 @@ The **Subject** claim for a deployment or a runbook supports the following parts
6062

6163
- **Space** slug
6264
- **Project** slug
65+
- **Project Group** slug
6366
- **Runbook** slug
6467
- **Tenant** slug
6568
- **Environment** slug
6669
- **Account** slug
6770
- **Type**
68-
- **Feed** slug
6971

70-
The default format for a deployment and runbook is `space:[space-slug]:project:[project-slug]:tenant:[tenant-slug]:environment:[environment-slug]`.
72+
The default keys for a deployment and runbook are **Space**, **Project**, **Tenant**, and **Environment**. For a tenanted deployment, this produces `space:[space-slug]:project:[project-slug]:tenant:[tenant-slug]:environment:[environment-slug]`. For an untenanted deployment, the **Tenant** segment is dropped, giving `space:[space-slug]:project:[project-slug]:environment:[environment-slug]`.
7173

7274
The value for the type is either `deployment` or `runbook`.
7375

7476
When changing the **Subject** claim format for a deployment and runbook, the runbook value will not be included (if specified) when running a deployment.
7577

76-
For example, in the **Default** space, you have a project called **Deploy Web App**, and a runbook called **Restart**. If you set the **Subject** claim format to `space`, `project`, `runbook` and `type`, when running a deployment the **Subject** claim will be `space:default:project:deploy-web-app:type:deployment` and for the run of the runbook the **Subject** claim would be `space:default:project:deploy-web-app:runbook:restart:type:runbook`.
77-
This is using the default generated slug values for the space, project and runbook.
78+
For example, in the **Default** space, you have a project called **Deploy Web App**, and a runbook called **Restart**. If you set the **Subject** claim format to `space`, `project`, `runbook` and `type`, when running a deployment the **Subject** claim will be `space:default:project:deploy-web-app:type:deployment`, and for the run of the runbook the **Subject** claim would be `space:default:project:deploy-web-app:runbook:restart:type:runbook`.
79+
This is using the default generated slug values for the space, project, and runbook.
80+
81+
:::div{.warning}
82+
Make sure your cloud provider's trust policy matches the **Subject** your deployments actually produce (tenanted or untenanted, deployment or runbook), not just the keys you selected.
83+
:::
7884

7985
## Health Checks {#health-checks}
8086

@@ -117,7 +123,7 @@ Each of these claims will be prefixed with `https://octopus.com/claims/` and wil
117123
"https://octopus.com/claims/tenant": "tenant-slug",
118124
"https://octopus.com/claims/type": "deployment", // or runbook for a runbook run
119125
"https://octopus.com/claims/account": "account-slug",
120-
"sub": "space:[space-slug]:project:[project-slug]:environment:[environment-slug]"
126+
"sub": "space:[space-slug]:project:[project-slug]:environment:[environment-slug]" // tenant segment dropped because this example is untenanted
121127
}
122128
```
123129

0 commit comments

Comments
 (0)