`snctl`. Support for the Console and Terraform will be available soon.

`provider-name` must be the name of an existing OAuth/OIDC identity provider. The `expression` parameter specifies which identities can authenticate using this pool based on their claims. See identity pool filters for more information about the expression syntax.

`identitypool.yaml` as follows:

Run `snctl get identitypool` to check the status of the identity pool.

`Ready`.

`snctl edit`, or by editing the manifest file `identitypool.yaml` and then applying the changes by running the following command:

`claims`. For development purposes, you can temporarily set the filter to `true` to allow all identities with a valid token to authenticate.
Use case | CEL expression |
---|---|
Equality | `claims.iss == "google"` |
Inclusion | `claims.appid in ["app1", "app2"]` |
Inclusion | `!(claims.appid in ["app1", "app2"])` |
Inclusion | `'admins' in claims.groups` |
Inclusion | `!('admins' in claims.groups)` |
Presence check | `has(claims.iss)` |
Presence check | `!has(claims.iss)` |
Prefix matching | `claims.principal.startsWith("user")` |
Suffix matching | `claims.principal.endsWith("user")` |
Use case | Operator precedence | CEL expression |
---|---|---|
Logical NOT | 1 | `!(claims.iss == "google")` |
Logical AND | 2 | `claims.iss == "google" && claims.principal == "user1"` |
Logical OR | 3 | `claims.iss == "google" \|\| claims.principal == "user1"` |
`Expression && (Expression || Expression)`. For example:
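As an added example (not StreamNative's CEL engine and not code from this page), the following Python evaluator implements only the filter constructs listed in the two tables above, with `!` binding tighter than `&&` and `&&` tighter than `||`, and applies them to a constructed set of token claims. The names `Parser`, `lookup`, `evaluate` and `allows`, and the sample claims, are assumptions of this example. It makes two behaviours visible that matter when writing a filter: reading a claim the token does not carry is an error that denies the identity rather than a value that `!` could turn into an allow, so a comparison on an optional claim should be guarded with `has(...)`; and `&&` / `||` short-circuit, so `!has(claims.email) || claims.email.endsWith("@example.com")` is safe on tokens without an `email` claim.

```python
# Added example, not StreamNative's CEL engine: evaluates the CEL subset used in identity
# pool filters against a token's claims, with the operator precedence from the table above.
import re

MISSING = object()  # sentinel for an absent claim, distinct from any real claim value
_TOKEN = re.compile(r'\s*(?:("[^"]*"|\'[^\']*\'|==|&&|\|\||[!()\[\],.]|[A-Za-z_]\w*)|(\S))')
_PREC = [{"||"}, {"&&"}, {"==", "in"}]  # binary operators, lowest precedence first
_METHODS = {"startsWith": "startswith", "endsWith": "endswith"}  # allowlisted str methods


class Parser:  # recursive descent over the token list, producing a tuple AST (op, *children)
    def __init__(self, expression):
        self.toks, self.i = [], 0
        for tok, bad in _TOKEN.findall(expression):  # (\S) catches anything outside the grammar
            if bad:
                raise ValueError(f"unexpected character {bad!r} in {expression!r}")
            self.toks.append(tok)

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok, self.i = self.peek(), self.i + 1
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        return tok

    def expr(self, level=0):  # binary operators by precedence level; unary ! is in primary()
        if level == len(_PREC):
            return self.primary()
        node = self.expr(level + 1)
        while self.peek() in _PREC[level]:
            node = (self.take(), node, self.expr(level + 1))
        return node

    def primary(self):
        tok = self.take()
        if tok == "!":  # binds tighter than every binary operator, as in the table
            return ("!", self.primary())
        if tok[0] in "\"'" or tok in ("true", "false"):
            return ("lit", tok == "true" if tok[0].isalpha() else tok[1:-1])
        if tok == "(":
            node = self.expr()
            self.take(")")
            return node
        if tok == "[":
            items = [self.expr()] if self.peek() != "]" else []
            while self.peek() == ",":
                self.take()
                items.append(self.expr())
            self.take("]")
            return ("list", items)
        path = [tok]  # dotted access such as claims.principal
        while self.peek() == ".":
            self.take()
            path.append(self.take())
        if self.peek() != "(":
            return ("path", path)
        self.take("(")
        arg = self.expr()
        self.take(")")
        if path == ["has"]:  # has(claims.x) macro: presence test that never errors
            return ("has", arg[1])
        return ("call", path[-1], ("path", path[:-1]), arg)  # e.g. claims.x.startsWith("u")


def lookup(path, claims, strict=True):  # walk claims.a.b; absent -> MISSING (for has) or raise
    value = claims if path[0] == "claims" else MISSING
    for seg in path[1:]:
        value = value.get(seg, MISSING) if isinstance(value, dict) else MISSING
    if strict and value is MISSING:
        raise KeyError(".".join(path))  # like CEL, reading an absent claim is an error
    return value


def evaluate(node, claims):  # && and || short-circuit, as in CEL
    ev = lambda child: evaluate(child, claims)  # noqa: E731
    ops = {
        "lit": lambda: node[1],
        "list": lambda: [ev(n) for n in node[1]],
        "has": lambda: lookup(node[1], claims, strict=False) is not MISSING,
        "path": lambda: lookup(node[1], claims),
        "!": lambda: not ev(node[1]),
        "&&": lambda: ev(node[1]) and ev(node[2]),
        "||": lambda: ev(node[1]) or ev(node[2]),
        "==": lambda: ev(node[1]) == ev(node[2]),
        "in": lambda: ev(node[1]) in ev(node[2]),
        "call": lambda: getattr(ev(node[2]), _METHODS[node[1]])(ev(node[3])),
    }
    return ops[node[0]]()


def allows(expression, claims):  # exactly-true accepts; any error denies rather than admits
    try:
        parser = Parser(expression)
        node, rest = parser.expr(), parser.peek()
        return rest is None and evaluate(node, claims) is True
    except (KeyError, ValueError, AttributeError, TypeError):
        return False
```

`allows(expression, claims)` returns `True` only when the filter evaluates to exactly `true`; a non-boolean result, a parse error, trailing input or an absent claim all return `False`, which is the fail-closed behaviour an authentication filter needs. The development-time `true` filter from the text above accepts every token with a valid signature, so it should be replaced by a claims-based expression before the pool is used outside development.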
- `<broker-admin-service-url>`: The URL of the broker admin service of your StreamNative Cloud cluster.
- `<super-user-api-key>`: The API key of a Service Account with the Super Admin permission.
- `<OIDC-token>`: The OIDC token exchanged from your OAuth/OIDC identity provider to verify.

- `<broker-admin-service-url>`: The URL of the broker admin service of your StreamNative Cloud cluster.
- `<super-user-api-key>`: The API key of a Service Account with the Super Admin permission.
- `<identitypool-name>`: The name of the identity pool to verify.