@@ -12,6 +12,7 @@ const (
1212 EnvUseOIDC = "STACKIT_USE_OIDC"
1313 EnvServiceAccountEmail = "STACKIT_SERVICE_ACCOUNT_EMAIL"
1414 EnvServiceAccountFederatedToken = "STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN" //nolint:gosec // linter false positive
15+ EnvFederatedTokenFile = "STACKIT_FEDERATED_TOKEN_FILE"
1516 EnvGitHubRequestURL = "ACTIONS_ID_TOKEN_REQUEST_URL"
1617 EnvGitHubRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN" //nolint:gosec // linter false positive
1718 EnvAzureOIDCRequestURI = "SYSTEM_OIDCREQUESTURI"
@@ -38,8 +39,8 @@ func OIDCServiceAccountEmail() string {
3839
3940// TokenFunc returns the OIDCTokenFunc to use for Workload Identity Federation.
4041// It checks the following token sources in order: STACKIT_SERVICE_ACCOUNT_FEDERATED_TOKEN,
41- // GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_URL + ACTIONS_ID_TOKEN_REQUEST_TOKEN), and
42- // Azure DevOps (SYSTEM_OIDCREQUESTURI + SYSTEM_ACCESSTOKEN).
42+ // STACKIT_FEDERATED_TOKEN_FILE, GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_URL +
43+ // ACTIONS_ID_TOKEN_REQUEST_TOKEN), and Azure DevOps (SYSTEM_OIDCREQUESTURI + SYSTEM_ACCESSTOKEN).
4344// Returns an error if no source is detected.
4445func OIDCTokenFunc () (oidcadapters.OIDCTokenFunc , error ) {
4546 // static token provided directly via env var
@@ -49,6 +50,11 @@ func OIDCTokenFunc() (oidcadapters.OIDCTokenFunc, error) {
4950 }, nil
5051 }
5152
53+ // token read from filesystem path via env var
54+ if tokenFilePath := os .Getenv (EnvFederatedTokenFile ); tokenFilePath != "" {
55+ return oidcadapters .ReadJWTFromFileSystem (tokenFilePath ), nil
56+ }
57+
5258 // GitHub Actions
5359 if ghURL := os .Getenv (EnvGitHubRequestURL ); ghURL != "" {
5460 if ghToken := os .Getenv (EnvGitHubRequestToken ); ghToken != "" {
@@ -65,10 +71,10 @@ func OIDCTokenFunc() (oidcadapters.OIDCTokenFunc, error) {
6571
6672 return nil , fmt .Errorf (
6773 "%s is enabled but no OIDC token source was detected\n " +
68- "Provide the token via %s, or run in a supported CI environment:\n " +
74+ "Provide the token via %s or %s , or run in a supported CI environment:\n " +
6975 " - GitHub Actions: grant 'id-token: write' permission; %s and %s are set automatically by the runner\n " +
7076 " - Azure DevOps: pass 'SYSTEM_ACCESSTOKEN: $(System.AccessToken)' in your pipeline step" ,
71- EnvUseOIDC , EnvServiceAccountFederatedToken ,
77+ EnvUseOIDC , EnvServiceAccountFederatedToken , EnvFederatedTokenFile ,
7278 EnvGitHubRequestURL , EnvGitHubRequestToken ,
7379 )
7480}
0 commit comments