Service account impersonation


Ethan Lebioda

Jan 14, 2022, 4:56:50 PM
to google-cicp-discussion
I see in the docs I can provide an attribute key and value mapping for a service account impersonation member, but am wondering if I can provide multiple attributes to the principal set in the member association?

afonsob

Jan 17, 2022, 11:58:17 AM
to google-cicp-discussion
Hello ~ Usually the metadata entries `key:value` are assigned on resources such as GCE, and the service accounts, with the right permissions, can access this information.
To get a better understanding, can you provide more context and what you are trying to achieve? That will help me to understand the situation that you are facing and point you in the right direction.

Ethan Lebioda

Jan 17, 2022, 1:55:59 PM
to google-cicp-discussion

I am setting up OIDC authentication for our GitHub Actions, and would like to allow impersonation of a service account if the action is from our GitHub organization AND from a specific ref. I have it working for our organization by providing a single attribute and value in the IAM member binding, but I can't seem to figure out how to get the ref in the principal set as well...

For example: principalSet::iam<blah_blah>/attribute.repository_owner/<owner>/attribute.ref/ref/head/prod


Is this doable?


Update: Maybe I should be using an attribute condition to accomplish this?
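The attribute-condition approach raised in the update above, sketched as Terraform; this is an added example, not part of the thread and not any poster's configuration. A `principalSet` member matches on a single `attribute.NAME/VALUE` pair, so the AND of owner and ref is enforced on the provider with a CEL condition. The pool and provider IDs, the variables and the `refs/heads/prod` value (GitHub's form of the `ref` claim for a branch named `prod`) are assumptions.

```hcl
# Placeholders supplied by the caller; none of these values come from the thread.
variable "project_id"         { type = string }
variable "project_number"     { type = string }
variable "github_org"         { type = string } # expected repository_owner claim
variable "service_account_id" { type = string } # projects/PROJECT/serviceAccounts/EMAIL

resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-pool" # hypothetical ID
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc" # hypothetical ID

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  # Expose the token claims as attributes usable in IAM members and conditions.
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.ref"              = "assertion.ref"
  }

  # Both requirements must hold or the token exchange is rejected,
  # before any IAM binding is evaluated.
  attribute_condition = "assertion.repository_owner == '${var.github_org}' && assertion.ref == 'refs/heads/prod'"
}

# The binding still names one attribute; the ref restriction lives in the condition above.
resource "google_service_account_iam_member" "impersonate" {
  service_account_id = var.service_account_id
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.project_number}/locations/global/workloadIdentityPools/github-pool/attribute.repository_owner/${var.github_org}"
}
```

Because the condition sits on the provider, it applies to every service account reachable through this pool provider, not only the one bound here.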

Lluis Munoz Ladron de Guevara

Jan 21, 2022, 11:58:37 AM
to google-cicp-discussion
Hi,

Could you please provide more details about what your goal is and what you tried so far? For example, documentation you followed, steps to reproduce the issue, or errors you observed.

I'm not familiar with GitHub Actions, but I found this repository in Google Open Source which configures the Google Cloud SDK in the GitHub Actions environment. It also provides different options for authentication. Please let me know if it helps.