This repository has been archived by the owner on Jul 1, 2024. It is now read-only.

Merge pull request #3554 from pulumi/torian/esc-run-azure
Provider OIDC Guides for AWS, GCP, and Azure completed.
toriancrane authored Nov 3, 2023
2 parents b4fcd0f + 6ab0308 commit e8d9d57
Showing 19 changed files with 422 additions and 222 deletions.
1 change: 1 addition & 0 deletions themes/default/content/docs/pulumi-cloud/_index.md
@@ -44,6 +44,7 @@ Explore the following sections to learn more about the features and benefits of
* [Personal Access Tokens](/docs/pulumi-cloud/accounts/#personal-access-tokens)
* [Organization and Team Access Tokens](/docs/pulumi-cloud/access-management/organization-access-tokens/)
* [SAML Integrations](/docs/pulumi-cloud/access-management/saml/)
* [OIDC Integrations](/docs/pulumi-cloud/oidc/)

### Teams and collaboration

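Review bot: the new `* [OIDC Integrations](/docs/pulumi-cloud/oidc/)` entry links to a page that this hunk does not show being created, while the same change set deletes the three `deployments/oidc/*.md` guides; confirm that `/docs/pulumi-cloud/oidc/` and its per-provider children land in this merge so the new entry in the access-management list does not resolve to a missing page.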
66 changes: 0 additions & 66 deletions themes/default/content/docs/pulumi-cloud/deployments/oidc/aws.md

This file was deleted.

65 changes: 0 additions & 65 deletions themes/default/content/docs/pulumi-cloud/deployments/oidc/azure.md

This file was deleted.

51 changes: 0 additions & 51 deletions themes/default/content/docs/pulumi-cloud/deployments/oidc/gcp.md

This file was deleted.

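Review bot: `deployments/oidc/aws.md`, `deployments/oidc/azure.md` and `deployments/oidc/gcp.md` are deleted outright and no redirect for their URLs is visible in this change set; those paths are the ones users will have bookmarked while setting up trust relationships, so add redirect entries pointing at the consolidated `/docs/pulumi-cloud/oidc/` location rather than leaving them to 404.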
24 changes: 1 addition & 23 deletions themes/default/content/docs/pulumi-cloud/esc/providers/_index.md
@@ -25,26 +25,4 @@ To learn more about how to set up and use the various providers, please refer to
| [vault-login](/docs/pulumi-cloud/esc/providers/vault-login/) | The `vault-login` provider enables you to log in to HashiCorp Vault using OpenID Connect or static credentials. |
| [vault-secrets](/docs/pulumi-cloud/esc/providers/vault-secrets/) | The `vault-secrets` provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. |

## Setting up OIDC

Pulumi ESC supports OpenID Connect (OIDC) integration with cloud providers. OIDC enables your Environments to exchange a signed, short-lived token issued by the Pulumi Cloud for short-term credentials from your cloud provider. This can eliminate the need for hardcoded cloud provider credentials.

The token contains the standard audience, issuer, and subject claims:

| Claim | Description |
|-------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `aud` | _(Audience)_ The name of the organization associated with the environment. |
| `iss` | _(Issuer)_ The issuer of the OIDC token: `https://api.pulumi.com/oidc`. |
| `sub` | _(Subject)_ The subject of the OIDC token. Because this value is often used for configuring trust relationships, the subject claim contains information about the associated Environment. The value is composed as follows: `pulumi:environments:org:<organization name>:env:<environment name>`. |

### Configuring trust relationships

As part of the process that exchanges your Environment's OIDC token for cloud provider credentials, the cloud provider must check the OIDC token's claims against the conditions configured in the provider's trust relationship. The configuration of a trust relationship varies depending on the cloud provider, but typically uses at least the Audience, Subject, and Issuer claims. These claims can be used to restrict trust to specific organizations:

* The Issuer claim is typically used to validate that the token is properly signed. The issuer's public signing key is fetched and used to validate the token's signature.
* The Audience claim contains the name of the organization associated with the Environment. You can use this claim to restrict credentials to a specific organization or organizations.
* The Subject claim contains a variety of information. You can use this claim to restrict credentials to a specific organization or Environment.

The Subject claims are particularly useful for configuring trust relationships, as they allow you to set very fine-grained conditions for credentials.

For information on how to configure OIDC for the individual cloud providers, please refer to one of the guides above.
To learn more about configuring OIDC and trust relationships in Pulumi, please refer to the [Pulumi OIDC documentation](/docs/pulumi-cloud/oidc/).
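Review bot: this hunk drops the claims table and the trust-relationship guidance in favour of a single link, and the removed lines carry the values a reader needs to write a least-privilege trust condition: `aud` as the organization name, `iss` as `https://api.pulumi.com/oidc`, and the ESC-specific `sub` format `pulumi:environments:org:<organization name>:env:<environment name>`. Confirm the linked `/docs/pulumi-cloud/oidc/` page states that ESC `sub` format (not only the Deployments one) and keeps the advice that the Subject claim is the one to pin a policy to a single Environment; otherwise keep a short version of the `sub` line here next to the link.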

0 comments on commit e8d9d57