Google Trusted Publishing docs (#15195)
* Google Trusted Publishing docs

* Update docs/user/trusted-publishers/security-model.md

Co-authored-by: Facundo Tuesca <[email protected]>

* Update docs/user/trusted-publishers/security-model.md

Co-authored-by: Facundo Tuesca <[email protected]>

* Apply suggestions from code review

Co-authored-by: William Woodruff <[email protected]>

* Apply suggestions from code review

---------

Co-authored-by: Facundo Tuesca <[email protected]>
Co-authored-by: William Woodruff <[email protected]>
1 parent: f849aee
Commit: 656637e

Showing 4 changed files with 114 additions and 4 deletions.
@@ -45,7 +45,41 @@ each. | |
|
||
=== "Google Cloud" | ||
|
||
TODO | ||
For Google Cloud, you **must** provide the email address of the account or | ||
service account used to publish. [You can learn more about Google Cloud | ||
service accounts | ||
here](https://cloud.google.com/iam/docs/service-account-overview). | ||
|
||
For example, if you have created a service account named | ||
"SERVICE_ACCOUNT_NAME" in the project "PROJECT_NAME" which is in use by | ||
the environment where you would like to publish to PyPI from, your service | ||
account email would take the form | ||
`SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com`, and you would do | ||
the following: | ||
|
||
![](/assets/trusted-publishing/google/project-publishing-form.png) | ||
|
||
!!! warning | ||
|
||
Google Cloud also provides [default service | ||
accounts](https://cloud.google.com/iam/docs/service-account-types#default) | ||
for various products: | ||
|
||
* Compute Engine: `[email protected]` | ||
* App Engine: `[email protected]` | ||
|
||
However it is **not** recommended that these be used for publishing, as | ||
they are provided by default to every service when they are created. | ||
|
||
!!! note | ||
|
||
Configuring the subject is optional. The subject is the numeric ID that | ||
represents the principal making the request. While not required, providing the | ||
subject further restricts the identity which is used for publishing, ensuring | ||
that only a specific instance of a service account can publish, not any service | ||
account with the configured email. See | ||
<https://cloud.google.com/docs/authentication/token-types#id-contents> | ||
for more details | ||
|
||
=== "ActiveState" | ||
|
||
|
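Review bot: The `!!! note` on the subject explains the restriction as excluding "any service account with the configured email", which reads oddly because only one service account can hold a given email at a time; the point worth stating is that the numeric subject is the service account's unique ID, which Google Cloud does not reuse, so a publisher pinned to the subject stops matching if the account is deleted and recreated under the same name, whereas an email-only publisher would match the recreated account. Suggest rewording the note along those lines and adding the missing period after "for more details". The same reasoning would sharpen the `!!! warning` on default service accounts: because those accounts are shared by every workload in the project, configuring one as a publisher lets any workload in that project publish the package, which is worth saying explicitly rather than only "provided by default to every service when they are created".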