Skip to main content
Version: 1.6.x

JWT Identity Matcher

JwtIdentityMatcher specifies matching workloads with JWT identities.

For example, the following configuration will match only those workloads that were authenticated by means of an OIDC ID Token issued by https://mycompany.corp for one of the subjects us-east-datacenter1-vm007 or us-west-datacenter2-vm008:

issuer: "https://mycompany.corp"
subjects:
- "us-east-datacenter1-vm007"
- "us-west-datacenter2-vm008"

In those cases where an OIDC ID Token from a given issuer includes a map of fine-grained attributes associated with a workload, it is possible to define rules that match those attributes.

E.g., the following configuration will match a set workloads that were authenticated by means of an OIDC ID Token issued by https://mycompany.corp and include 1) attribute region with one of the values us-east or us-west and 2) attribute instance_role with the value app-ratings:

issuer: "https://mycompany.corp"
attributes:
- name: "region"
  values:
  - "us-east"
  - "us-west"
- name: "instance_role"
  values:
  - "app-ratings"

AttributeMatcher

AttributeMatcher specifies a matching attribute.

FieldDescriptionValidation Rule

name

string
REQUIRED
OIDC ID Token must include an attribute with the given name.

E.g., region, instance_role, etc.

string = {
  min_len: 1
}

values

List of string
OIDC ID Token must include the attribute with one of the following values.

E.g., us-east, app-ratings, etc.

Empty list means match any value.

repeated = {
  items: {string:{min_len:1}}
}

JwtIdentityMatcher

JwtIdentityMatcher specifies matching workloads with JWT identities.

FieldDescriptionValidation Rule

issuer

string
REQUIRED
Match workloads authenticated by means of an OIDC ID Token issued by a given issuer.

The value must be a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

E.g., https://mycompany.corp, https://accounts.google.com, https://sts.windows.net/9edbd6c9-0e5b-4cfd-afec-fdde27cdd928/, etc.

See https://openid.net/specs/openid-connect-core-1_0.html#IDToken

string = {
  prefix: https://
  uri: true
}

subjects

List of string
Match workloads authenticated by means of an OIDC ID Token issued for one of the subjects in a given list.

The value must consist of ASCII characters.

E.g., us-east-datacenter1-vm007.

Empty list means match OIDC ID Tokens with any subject.

repeated = {
  items: {string:{pattern:^[\u0000-]+$}}
}

attributes

List of tetrateio.api.onboarding.authorization.jwt.v1alpha1.AttributeMatcher
REQUIRED
Match workloads authenticated by means of an OIDC ID Token that includes all of the following attributes.

Empty list means match OIDC ID Tokens with any attributes.

repeated = {
  items: {message:{required:true}}
}