Trusted publishing: support for Google Cloud service accounts · Issue #13551 · pypi/warehouse

Support for these would allow PyPI users with Google Cloud-based publishing workflows to benefit from trusted publishing.

An example claim set from a Google Cloud service account, lightly anonymized:

```json
{
  "aud": "{SOME-AUDIENCE}",
  "azp": "{SOME-AZP}",
  "email": "{PROJECT-NUMBER}-compute@developer.gserviceaccount.com",
  "email_verified": true,
  "exp": 1682967007,
  "google": {
    "compute_engine": {
      "instance_creation_timestamp": 1674546966,
      "instance_id": "{INSTANCE-ID}",
      "instance_name": "dev",
      "project_id": "{PROJECT-ID}",
      "project_number": {PROJECT-NUMBER},
      "zone": "us-central1-a"
    }
  },
  "iat": 1682963407,
  "iss": "https://accounts.google.com",
  "sub": "{SOME-AZP}"
}
```

I've tried to keep the substitution names consistent above, to show where field values are duplicated.

Based on that claim set, it looks like the relevant uniquely identifying fields are:

  1. aud (which should be pypi, similar to GitHub-issued JWTs)
  2. azp: no idea what this is
  3. google.project_id: presumably configured by a user
  4. google.project_number: presumably a unique ID that prevents resurrection of google.project_id
  5. email: presumably derivable consistently from google.project_number

So, my first educated guess is that we'll want to allow users to configure (3) and (4). Does that sound right to you @di?
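As an added example (not code from the issue or from warehouse), here is a claim-matching check that follows the reading above: it compares the user-configured `project_id` and `project_number` (fields 3 and 4) against the nested `google.compute_engine` claims, verifies `aud`, `iss`, expiry and `email_verified`, and treats the `{PROJECT-NUMBER}-compute@developer.gserviceaccount.com` email pattern as an assumption taken from the example claim set. Token signature verification is assumed to have already happened; the sample claim set is constructed.

```python
"""Match a Google Cloud service-account OIDC claim set against a configured
trusted publisher. Added example, not warehouse's implementation; the rules
are assumptions drawn from the issue's reading of the example claims."""
import time

EXPECTED_ISS = "https://accounts.google.com"
EXPECTED_AUD = "pypi"  # the issue proposes 'pypi', as for GitHub-issued JWTs


def check_google_claims(claims, publisher, now=None):
    """Return the list of reasons the claims do NOT match `publisher`;
    an empty list means the claims are acceptable.

    `publisher` holds the values the issue suggests users configure:
    {"project_id": ..., "project_number": ...}. Signature verification
    is assumed to have been done before this check runs.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISS:
        problems.append("iss mismatch")
    if claims.get("aud") != EXPECTED_AUD:
        problems.append("aud mismatch")
    # Freshness: reject expired tokens and tokens issued in the future.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now:
        problems.append("iat in the future")
    if claims.get("email_verified") is not True:
        problems.append("email not verified")
    # Both the human-chosen project_id and the immutable project_number must
    # match, so a re-created project with the same id but a new number fails.
    ce = claims.get("google", {}).get("compute_engine", {})
    if ce.get("project_id") != publisher["project_id"]:
        problems.append("project_id mismatch")
    if ce.get("project_number") != publisher["project_number"]:
        problems.append("project_number mismatch")
    # Assumed email pattern, taken from the issue's example claim set.
    expected_email = f"{publisher['project_number']}-compute@developer.gserviceaccount.com"
    if claims.get("email") != expected_email:
        problems.append("email does not match the project's compute service account")
    return problems


# Constructed sample claim set mirroring the anonymized one in the issue.
SAMPLE_CLAIMS = {
    "aud": "pypi", "azp": "1234", "sub": "1234", "iss": EXPECTED_ISS,
    "email": "123456-compute@developer.gserviceaccount.com", "email_verified": True,
    "exp": 1682967007, "iat": 1682963407,
    "google": {"compute_engine": {"project_id": "example-project",
                                  "project_number": 123456, "zone": "us-central1-a"}},
}
```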