Cloudsmith’s support of OpenID Connect (OIDC) gives you a more secure method for programmatic access to Cloudsmith. 🔐 OIDC allows trusted systems - such as GitHub Actions - to authenticate to Cloudsmith using short-lived JWT tokens, eliminating the need for long-lived tokens in your pipelines.
Today, we’ve added support for the wildcard operator in OIDC token claims.🌟 This gives you more flexibility when configuring OIDC providers, simplifying setup and reducing the number of OIDC configurations.
Wildcard support: You can now use the * operator at the end of OpenID token claims to match any value or pattern within a specific claim.
Improved flexibility: This small change greatly simplifies the management of token claims, especially in complex environments where multiple claim values need to be matched.
Note: Wildcard operators allow for flexibility, but with that flexibility comes risk. Please take caution as you use wildcard operators in token claims to ensure you are not overly permissive. 🚧
Let’s say you need to configure an OIDC provider for a GitHub Action and want it to work with any workflow tag. Without wildcards, you’d have to configure a separate OIDC provider for each possible tag. If you had three possible tags, you would have three OIDC providers with claim configurations that might look something like this:
{
"job_workflow_ref": "MyCompany/promote-action/.github/workflows/promotion_job.yaml@refs/tags/v0",
"repository_owner": "MyCompany"
}{
"job_workflow_ref": "MyCompany/promote-action/.github/workflows/promotion_job.yaml@refs/tags/v1",
"repository_owner": "MyCompany"
}{
"job_workflow_ref": "MyCompany/promote-action/.github/workflows/promotion_job.yaml@refs/tags/v2",
"repository_owner": "MyCompany"
}Using a wildcard, you can create a single OIDC provider with a configuration covering all tags. 💥
Your single OIDC provider would have a claim configuration that looked something like this:
{
"job_workflow_ref": "MyCompany/promote-action/.github/workflows/promotion_job.yaml@refs/tags/.*",
"repository_owner": "MyCompany"
}In this scenario, leveraging the wildcard operator lets you reduce the number of OIDC providers you need to create, streamlining setup and reducing management complexity.
Note that the wildcard must appear at the end of the claim; a wildcard that appears anywhere else in the string will be escaped before matching.
Leaked credentials pose a significant threat in CI/CD workflows. They can potentially lead to unauthorized access, data breaches, and system compromises, ultimately disrupting development pipelines and undermining the integrity of software deployment processes.
OIDC lets you secure build pipelines with Trusted Publishing, which protects against the issues of having long-lived credentials stored in external tools. Learn more in our blog, Zero Trust Pipelines with OIDC, Cloudsmith and GitHub Actions. 💪
OIDC is available to Cloudsmith customers on our Velocity and Ultra plans. Read our documentation to get started today.
As part of our transition to more secure authentication methods, we are beginning the 24-hour brownout for username and password authentication for API requests. 🚧 What this means: From 5 pm EDT September 16th to 5 pm EDT September 17th, API requests using username and password authentication will fail. This brownout period is designed to help…
Cloudsmith has extended its support for Maven by allowing users to upload multiple files (.pom, .jar, .zip, and -sources.jar) to a single Cloudsmith Maven package and cache from upstream sources. Previously, you could upload multiple but specific combinations of files (e.g., .pom + .jar + -sources.jar or .pom + .zip + -sources.jar), but not all at…
The new Cloudsmith command-line interface (CLI) GitHub Action is now available! This action simplifies your CI/CD workflows by automating the Cloudsmith CLI's setup and authentication process. With support for pre-authenticating with OpenID Connect (OIDC), you can securely authenticate without the need to manage API keys. Key benefits Easy instal…
You can now export Cloudsmith logs directly to Azure Blob Storage, in addition to our existing support for Amazon S3. 🥳 Log exports enable you to take control of your data by automating the export of client and audit logs from your Cloudsmith account. Customize the frequency and output format, and we’ll handle the rest, ensuring a seamless and has…
To ensure we provide a performant and reliable experience for all Cloudsmith customers, we will implement a repository size limit for index fetches using the Git interface for Cargo. Git-based index fetches will only show the latest 10,000 Cargo packages uploaded to a given repository. This limit will be effective Friday, August 16th, 2024. 📅 Th…
Great news for Cloudsmith customers who run their own infrastructure on Amazon Web Services (AWS)! Cloudsmith is now available on the AWS Marketplace, making it easier for you to procure Cloudsmith for your development teams. This integration brings several benefits for AWS customers, including: Simplified procurement: AWS Marketplace offers a s…
By submitting this form, you agree to our privacy policy
