What should be put to ‘repoOwners’ in Managed Identity Federated Credentials policy?


I’ve set up Workload identity federation. Basically like this:

// Assumed: the Microsoft Graph Bicep extension has to be enabled for the Microsoft.Graph types below.
extension microsoftGraph

// Assumed: the subject was declared elsewhere in the post's template; the value is not given here.
// For GitHub Actions it has the form 'repo:<owner>/<repo>:...'.
param GitHubActionsFederatedIdentitySubject string

var applicationRegistrationDisplayName = 'GitHub Actions Application Deployer.'
var githubOIDCProvider = 'https://token.actions.githubusercontent.com'
var microsoftEntraAudience = 'api://AzureADTokenExchange'
var applicationRegistrationName = 'app-deployer'

// App registration that GitHub Actions will sign in as (API version assumed to be v1.0; it was mangled in the post).
resource GithubActionsApplication 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationDisplayName

  // Federated identity credential: trusts tokens from the GitHub OIDC issuer whose subject matches exactly.
  resource githubFederatedIdentityCredential 'federatedIdentityCredentials@v1.0' = {
    name: '${GithubActionsApplication.uniqueName}/githubFederatedIdentityCredential'
    audiences: [microsoftEntraAudience]
    description: 'Identity for application to deploy the root infrastructure.'
    issuer: githubOIDCProvider
    subject: GitHubActionsFederatedIdentitySubject
  }
}

// Service principal for the application in this tenant.
resource githubActionsServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' = {
  displayName: applicationRegistrationDisplayName
  appId: GithubActionsApplication.appId
}

Then I added the "Managed Identity Federated Credentials from GitHub should be from trusted repository owners" Azure built-in policy definition, since I was thinking I should restrict allowed repositories across any possible federated identity trying to connect.

I’m however unsure now what should be put into the allowedRepoOwners array. So, here are the questions in my mind:

  1. If I have an organization like https://github.com/<organizationX>, should I add there https://github.com/<organizationX> or maybe organizationX?
  2. Would this one addition on, e.g., some management group level be enough to limit all repositories underneath this owner? E.g. repositories in https://github.com/<organizationX>/<RepoA>, https://github.com/<organizationX>/<RepoB>?

It has occurred to me to just try it out, but I’m also thinking about how to read definitions like this to pull out information like this. Then also that maybe there is a chance to improve the documentation a bit, but I don’t know where to do that.
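As an added illustration (not from the post or from the policy definition itself), the check below models how an owner allow-list relates to the subject claim GitHub issues: the subject is always `repo:<owner>/<repo>:...`, so the owner segment, not a URL, is what an allow-list can be compared against; `normalize_owner` and the case-insensitive comparison are assumptions about how such a rule behaves, not a transcription of the built-in policy. Note also that Azure Policy evaluates ARM resources such as user-assigned managed identity credentials, so an app-registration credential created through the Graph extension, as in the template above, is outside its scope.

```python
import re
from typing import List, Optional

# Issuer that the policy scopes to; credentials from other issuers are not evaluated.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# GitHub Actions OIDC subjects look like:
#   repo:<owner>/<repo>:ref:refs/heads/main
#   repo:<owner>/<repo>:environment:production
#   repo:<owner>/<repo>:pull_request
_SUBJECT_RE = re.compile(r"^repo:(?P<owner>[^/:]+)/(?P<repo>[^:]+):")


def normalize_owner(entry: str) -> str:
    """Reduce an allow-list entry to the bare owner name.

    Assumption: the rule compares against the bare name found in the subject,
    so 'https://github.com/organizationX' is reduced to 'organizationX'.
    """
    entry = entry.strip().rstrip("/")
    prefix = "https://github.com/"
    if entry.lower().startswith(prefix):
        entry = entry[len(prefix):]
    return entry.split("/")[0]


def owner_from_subject(subject: str) -> Optional[str]:
    """Extract the repository owner from a GitHub Actions subject claim, if well formed."""
    m = _SUBJECT_RE.match(subject)
    return m.group("owner") if m else None


def evaluate(issuer: str, subject: str, allowed_repo_owners: List[str]) -> str:
    """Return 'not-applicable', 'compliant' or 'non-compliant' for one credential."""
    if issuer != GITHUB_ISSUER:
        return "not-applicable"
    owner = owner_from_subject(subject)
    if owner is None:
        # A subject that does not name an owner cannot be attributed to a trusted one.
        return "non-compliant"
    # Assumption: GitHub owner names are case-insensitive, so compare in lowercase.
    allowed = {normalize_owner(o).lower() for o in allowed_repo_owners}
    return "compliant" if owner.lower() in allowed else "non-compliant"
```

One allow-list entry per owner covers every repository under that owner, because the repository name is not part of the comparison.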
