OIDC subject is too long

I’m trying to use OIDC to use Workload Identity Federation in GCP. However, GCP imposes a 127-byte limit on the subject.
Workforce Identity Federation | IAM Documentation | Google Cloud

Also, I’m using the gcp-workload-identity-federation-buildkite-plugin
GitHub - buildkite-plugins/gcp-workload-identity-federation-buildkite-plugin: 💨 Assume a Google Cloud service account using workload identity federation

Can the subject be configured or shortened in any way?

Hello, @chris.lim and welcome to the Buildkite Community!
Currently, the OIDC subject format is static and cannot be modified or shortened.
This was already brought to our attention in the past so I’m raising this issue with our Product team.

A little workaround that can potentially help with not going over the 127-byte limit is using a short pipeline name that will result in a shorter pipeline slug that’ll take up fewer bytes in the subject.

Best,
Karen

Hi Chris,

We encountered this ourselves recently too. We documented a workaround here which works well: GitHub - buildkite-plugins/gcp-workload-identity-federation-buildkite-plugin: 💨 Assume a Google Cloud service account using workload identity federation

Thanks,
Chris

Thank you so much! I missed the mapping on the first read through. It does indeed work well.