
nsc auth trust-relationships add

Add a new trust relationship by specifying issuer and subject match patterns.

nsc auth trust-relationships add creates a new trust relationship that allows external systems to authenticate to your workspace using OIDC tokens that match the specified issuer and subject patterns.

Usage

nsc auth trust-relationships add --issuer string --subject-match string

Examples

Google Cloud Platform trust relationship:

$ nsc auth trust-relationships add \
  --issuer "https://accounts.google.com" \
  --subject-match "projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com"

fly.io trust relationship:

$ nsc auth trust-relationships add \
  --issuer "https://fly.io/example-org" \
  --subject-match "example-org:example-app:example-machine"

rwx trust relationship:

$ nsc auth trust-relationships add \
  --issuer "https://cloud.rwx.com/mint" \
  --subject-match "org:my-org:vault:deploy-vault"

Using wildcards:

# All service accounts in GCP project
$ nsc auth trust-relationships add \
  --issuer "https://accounts.google.com" \
  --subject-match "projects/123456789/serviceAccounts/*"

# All fly.io apps in organization
$ nsc auth trust-relationships add \
  --issuer "https://fly.io/example-org" \
  --subject-match "example-org:app:*"

# All vaults in rwx organization
$ nsc auth trust-relationships add \
  --issuer "https://cloud.rwx.com/mint" \
  --subject-match "org:my-org:vault:*"

Required Flags

--issuer string

The token issuer URL that identifies the external identity provider. This must be the exact issuer claim (iss) that appears in the OIDC tokens you want to trust.

Supported issuers:

  • Google Cloud Platform: https://accounts.google.com
  • fly.io: https://fly.io/{org-name} (replace {org-name} with your organization)
  • rwx: https://cloud.rwx.com/mint

--subject-match string

Subject match pattern that defines which subjects from the issuer are trusted. This pattern is matched against the subject claim (sub) in the OIDC token.

The pattern supports wildcards (*) for flexible matching:

Google Cloud Platform patterns:

  • Service account: projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com (exact match)
  • Multiple service accounts: projects/123456789/serviceAccounts/* (all service accounts in project)

fly.io patterns:

  • Specific machine: example-org:example-app:example-machine (matches specific machine)
  • All apps in organization: example-org:app:* (matches all apps in organization)
  • Specific app: example-org:example-app:* (matches all machines in specific app)

rwx patterns:

  • Specific vault: org:my-org:vault:deploy-vault (matches specific vault)
  • All vaults in organization: org:my-org:vault:* (matches all vaults in organization)
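The following is an added worked example, not code from nsc or Namespace, that models how the two flags above combine when a token is checked: the issuer must equal the token's iss claim exactly (no wildcards), and the subject-match pattern is compared against the sub claim with * matching any run of characters. Those wildcard semantics, the relationship list and the sample claim sets are assumptions constructed for the example; the real nsc matcher may differ in detail. The code deliberately covers only the issuer/subject policy step, which in a real deployment runs only after the token's signature, expiry and audience have been verified.

```python
import re

# Constructed trust relationships, mirroring the patterns documented above.
TRUST_RELATIONSHIPS = [
    {"issuer": "https://accounts.google.com",
     "subject_match": "projects/123456789/serviceAccounts/"
                      "my-service@my-project.iam.gserviceaccount.com"},
    {"issuer": "https://accounts.google.com",
     "subject_match": "projects/123456789/serviceAccounts/*"},
    {"issuer": "https://fly.io/example-org",
     "subject_match": "example-org:example-app:*"},
    {"issuer": "https://cloud.rwx.com/mint",
     "subject_match": "org:my-org:vault:deploy-vault"},
]


def subject_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a --subject-match pattern into an anchored regex.

    Assumed semantics: '*' matches any run of characters, including
    separators such as '/' or ':'; every other character is literal.
    A pattern without '*' therefore requires an exact match.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts))


def subject_matches(pattern: str, sub: str) -> bool:
    """True if the whole sub claim matches the pattern (no partial matches)."""
    return subject_pattern_to_regex(pattern).fullmatch(sub) is not None


def find_matching_relationships(claims: dict, relationships=TRUST_RELATIONSHIPS) -> list:
    """Return every relationship whose issuer equals iss exactly and whose
    subject-match pattern matches sub. Missing or non-string claims never match."""
    iss = claims.get("iss")
    sub = claims.get("sub")
    if not isinstance(iss, str) or not isinstance(sub, str):
        return []
    return [
        rel for rel in relationships
        if rel["issuer"] == iss                      # exact issuer comparison
        and subject_matches(rel["subject_match"], sub)
    ]


def is_trusted(claims: dict, relationships=TRUST_RELATIONSHIPS) -> bool:
    """A token is trusted when at least one relationship matches it."""
    return bool(find_matching_relationships(claims, relationships))


if __name__ == "__main__":
    # Constructed claim sets (decoded OIDC payloads, not real tokens).
    samples = [
        {"iss": "https://accounts.google.com",
         "sub": "projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com"},
        {"iss": "https://accounts.google.com",
         "sub": "projects/999999999/serviceAccounts/my-service@my-project.iam.gserviceaccount.com"},
        {"iss": "https://fly.io/other-org",
         "sub": "example-org:example-app:machine-1"},
        {"iss": "https://cloud.rwx.com/mint",
         "sub": "org:my-org:vault:deploy-vault-2"},
    ]
    for claims in samples:
        matches = find_matching_relationships(claims)
        print(f"{claims['iss']} {claims['sub']} -> trusted={bool(matches)} "
              f"({len(matches)} matching relationship(s))")
```

Two things this makes visible: a wildcard placed before the project or organization segment (for example projects/*/serviceAccounts/...) widens trust to every project the issuer serves, and a trailing wildcard on an otherwise literal pattern still cannot match subjects from a different issuer, because the issuer comparison is exact and is evaluated first.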