File: README.md

package info (click to toggle)
rust-ambient-id 0.0.7-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 228 kB
  • sloc: makefile: 2
file content (87 lines) | stat: -rw-r--r-- 3,145 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
 
# ambient-id

[![Crates.io Version](https://img.shields.io/crates/v/ambient-id)](https://crates.io/crates/ambient-id)

A library for accessing ambient OIDC credentials in a variety of environments.

This crate serves the same purpose as Python's [id] library.

## Supported environments

`ambient-id` currently supports ambient OIDC credential detection in the
following environments:

* GitHub Actions

  - GitHub Actions requires the `id-token: write` permission to be set
    at the job or workflow level. In general, users should set this at the
    job level to limit the scope of the permission.

    For additional information on OpenID Connect in GitHub Actions, see the
    [GitHub documentation].

* GitLab CI

  - On GitLab, this crate looks for an `<AUD>_ID_TOKEN` environment variable,
    where `<AUD>` is the audience string with non-alphanumeric characters
    replaced by underscores and converted to uppercase. For example, if the
    audience is `sigstore`, the crate will look for a `SIGSTORE_ID_TOKEN`
    environment variable.

    For additional information on OpenID Connect and `<AUD>_ID_TOKEN`
    environment variables, see the [GitLab documentation].

* BuildKite

  - On BuildKite, this crate invokes
    `buildkite-agent oidc request-token --audience <AUD>` to obtain the token.

    If you're using BuildKite's [Docker plugin], you'll need to
    propagate the environment and mount the BuildKite agent binary into
    the container for this to work correctly.

    Specifically, you'll need `propagate-environment: true` and
    `mount-buildkite-agent: true` set in your plugin configuration.

    For additional information on OpenID Connect in BuildKite, see the
    [BuildKite documentation].

## Development

To run tests:

```sh
RUST_TEST_THREADS=1 cargo test
```

You **must** pass `RUST_TEST_THREADS=1` to ensure tests are run in a single
thread, as this crate's tests manipulate environment variables and are not
thread-safe.

## License

ambient-id is licensed under either of

* Apache License, Version 2.0, ([LICENSE-APACHE] or https://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT] or https://opensource.org/licenses/MIT)

at your option.

Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in ambient-id by you, as defined in the Apache-2.0
license, shall be dually licensed as above, without any additional terms or
conditions.

<div align="center">
  <a target="_blank" href="https://astral.sh" style="background:none">
    <img src="https://raw.githubusercontent.com/astral-sh/uv/main/assets/svg/Astral.svg" alt="Made by Astral">
  </a>
</div>

[id]: https://pypi.org/project/id/
[GitHub documentation]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
[GitLab documentation]: https://docs.gitlab.com/ci/secrets/id_token_authentication/
[Docker plugin]: https://github.com/buildkite-plugins/docker-buildkite-plugin
[BuildKite documentation]: https://buildkite.com/docs/pipelines/security/oidc
[LICENSE-APACHE]: ./LICENSE-APACHE
[LICENSE-MIT]: ./LICENSE-MIT