Add Github Identity Provider to AWS Cognito
I created a GitHub OAuth app and I am trying to add that app to AWS Cognito as an OIDC application.
However, I cannot find a proper overview of the endpoints and data anywhere in the GitHub documentation.
The following fields are required:
Issuer -> ?
Authorization endpoint => https://github.com/login/oauth/authorize (?)
Token endpoint => https://github.com/login/oauth/access_token (?)
Userinfo endpoint => https://api.github.com/user (?)
Jwks uri => ?
I can't find the Jwks uri anywhere. Any help would be appreciated.
There doesn't seem to be a way to do this out of the box.
https://github.com/TimothyJones/github-cognito-openid-wrapper appears to be one way to implement it.
If any Cognito developers see this, please add GitHub/GitLab/Bitbucket support.
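The answer above comes down to the fact that a GitHub OAuth app hands out an access token, not an OIDC ID token, so there is no issuer and no JWKS for Cognito to point at. The script below is an added example (not code from the question, the answers, or the github-cognito-openid-wrapper project): it checks a discovery document against the five fields Cognito's OIDC provider form asks for, then performs the structural checks Cognito has to pass on an ID token before it can verify the signature (issuer match, kid present in the JWKS, no alg=none). The wrapper hostname, key id and sample tokens are constructed placeholders; signature verification itself is out of scope since it needs real key material.

```python
"""Check what Cognito's OIDC provider form needs from an identity provider.

Added example, not from the question, the answers or github-cognito-openid-wrapper.
All sample data is constructed so the script runs offline.
"""
import base64
import json

# Fields Cognito's "OpenID Connect" provider type asks for (as listed in the question).
COGNITO_OIDC_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)

# Constructed: what a plain GitHub OAuth app offers, mapped onto OIDC discovery names.
# GitHub's OAuth flow returns an access token rather than a signed ID token, so there
# is no issuer and no JWKS to configure.
GITHUB_OAUTH_AS_OIDC = {
    "authorization_endpoint": "https://github.com/login/oauth/authorize",
    "token_endpoint": "https://github.com/login/oauth/access_token",
    "userinfo_endpoint": "https://api.github.com/user",
}

# Constructed: the kind of document a wrapper (or any real OIDC provider) publishes
# at <issuer>/.well-known/openid-configuration. The hostname is a placeholder.
WRAPPER_DISCOVERY = {
    "issuer": "https://oidc-wrapper.example.com",
    "authorization_endpoint": "https://oidc-wrapper.example.com/authorize",
    "token_endpoint": "https://oidc-wrapper.example.com/token",
    "userinfo_endpoint": "https://oidc-wrapper.example.com/userinfo",
    "jwks_uri": "https://oidc-wrapper.example.com/.well-known/jwks.json",
}

# Constructed JWKS: only the metadata needed to select a key (kid/alg/use); the
# modulus is a placeholder because no signature is verified here.
WRAPPER_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "wrapper-key-1", "alg": "RS256", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"}
    ]
}


def missing_cognito_fields(discovery: dict) -> list:
    """Return the Cognito-required OIDC fields that are absent or empty."""
    return [f for f in COGNITO_OIDC_FIELDS if not discovery.get(f)]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def id_token_key_problems(id_token: str, discovery: dict, jwks: dict) -> list:
    """Structural checks a relying party must pass before verifying an ID token's signature.

    Returns a list of problems; an empty list means the token is at least
    attributable to the configured issuer and to a key listed in the JWKS.
    """
    problems = []
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected header.payload.signature)"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != discovery.get("issuer"):
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {discovery.get('issuer')!r}")
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        problems.append(f"kid {header.get('kid')!r} not present in JWKS")
    if header.get("alg") == "none":
        problems.append("unsigned token (alg=none) must be rejected")
    return problems


def make_sample_token(header: dict, claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the checks above."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


if __name__ == "__main__":
    print("GitHub OAuth app is missing:", missing_cognito_fields(GITHUB_OAUTH_AS_OIDC))
    print("Wrapper discovery is missing:", missing_cognito_fields(WRAPPER_DISCOVERY))
    good = make_sample_token({"alg": "RS256", "kid": "wrapper-key-1"},
                             {"iss": WRAPPER_DISCOVERY["issuer"], "sub": "12345"})
    print("Good token problems:", id_token_key_problems(good, WRAPPER_DISCOVERY, WRAPPER_JWKS))
    bad = make_sample_token({"alg": "none", "kid": "other"}, {"iss": "https://github.com"})
    print("Bad token problems:", id_token_key_problems(bad, WRAPPER_DISCOVERY, WRAPPER_JWKS))
```

Running it shows the GitHub OAuth endpoints alone leave `issuer` and `jwks_uri` unfilled, which is exactly the gap the wrapper closes by acting as the issuer and publishing its own JWKS; the token checks show why the JWKS matters, since without a `kid` that resolves to a published key there is nothing to verify the ID token against.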
GitLab 14.7 (January 2022) might help:
OpenID Connect support for GitLab CI/CD
Connecting GitLab CI/CD to cloud providers using environment variables works fine for many use cases.
However, it doesn’t scale well if you need advanced permissions management or would prefer a signed, short-lived, contextualized connection to your cloud provider.
GitLab 12.10 shipped initial support for JWT token-based connection (CI_JOB_JWT) to enable HashiCorp Vault users to safely retrieve secrets. That implementation was restricted to Vault, while the logic we built JWT upon opened up the possibility to connect to other providers as well.
In GitLab 14.7, we are introducing a CI_JOB_JWT_V2 environment variable that can be used to connect to AWS, GCP, Vault, and likely many other cloud services.
Please note that this is an alpha feature and not ready for production use. Your feedback is welcomed in this epic.
For AWS specifically, with the new CI_JOB_JWT_V2 variable, you can connect to AWS to retrieve secrets, or to deploy within your account. You can also manage access rights to your cluster using AWS IAM roles.
You can read more on setting up OIDC connection with AWS.
The new variable is automatically injected into your pipeline but is not backward compatible with the current CI_JOB_JWT.
Until GitLab 15.0, the CI_JOB_JWT will continue to work normally but this will change in a future release. We will notify you about the change in time.
The secrets stanza today uses the CI_JOB_JWT_V1 variable. If you use the secrets stanza, you don’t have to make any changes yet.
See Documentation and Issue.