nsc auth trust-relationships add
Add a new trust relationship by specifying issuer and subject match patterns.
nsc auth trust-relationships add creates a new trust relationship that allows external systems to authenticate to your workspace with OIDC tokens whose issuer and subject claims match the patterns you specify.
Usage
nsc auth trust-relationships add --issuer string --subject-match string
Examples
Google Cloud Platform trust relationship:
$ nsc auth trust-relationships add \
--issuer "https://accounts.google.com" \
--subject-match "projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com"
fly.io trust relationship:
$ nsc auth trust-relationships add \
--issuer "https://fly.io/example-org" \
--subject-match "example-org:example-app:example-machine"
rwx trust relationship:
$ nsc auth trust-relationships add \
--issuer "https://cloud.rwx.com/mint" \
--subject-match "org:my-org:vault:deploy-vault"
Using wildcards:
# All service accounts in GCP project
$ nsc auth trust-relationships add \
--issuer "https://accounts.google.com" \
--subject-match "projects/123456789/serviceAccounts/*"
# All fly.io apps in organization
$ nsc auth trust-relationships add \
--issuer "https://fly.io/example-org" \
--subject-match "example-org:app:*"
# All vaults in rwx organization
$ nsc auth trust-relationships add \
--issuer "https://cloud.rwx.com/mint" \
--subject-match "org:my-org:vault:*"
Required Flags
--issuer string
The token issuer URL that identifies the external identity provider. This must be the exact issuer claim (iss) that appears in the OIDC tokens you want to trust.
Supported issuers:
- Google Cloud Platform: https://accounts.google.com
- fly.io: https://fly.io/{org-name} (replace {org-name} with your organization)
- rwx: https://cloud.rwx.com/mint
--subject-match string
Subject match pattern that defines which subjects from the issuer are trusted. This pattern is matched against the subject claim (sub) in the OIDC token.
The pattern supports wildcards (*) for flexible matching. A wildcard widens the set of identities that can authenticate to your workspace, so keep the pattern as narrow as the workload allows (for example, a single service account rather than every service account in a project).
Google Cloud Platform patterns:
- Service account: projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com (exact match)
- Multiple service accounts: projects/123456789/serviceAccounts/* (all service accounts in project)
fly.io patterns:
- Specific machine: example-org:example-app:example-machine (matches specific machine)
- All apps in organization: example-org:app:* (matches all apps in organization)
- Specific app: example-org:example-app:* (matches all machines in specific app)
rwx patterns:
- Specific vault: org:my-org:vault:deploy-vault (matches specific vault)
- All vaults in organization: org:my-org:vault:* (matches all vaults in organization)
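The following Python is an added illustration, not nsc's own code, of how the two flags constrain which tokens are trusted: the issuer must equal the iss claim byte for byte, and the sub claim is compared against the subject-match pattern. It assumes that * matches any run of characters, including separators such as / and :, and that everything else in the pattern is literal; the token it decodes is constructed inline with an empty signature, and signature verification against the issuer's JWKS, which any real relying party must do before reading claims, is deliberately omitted.

```python
"""Model of issuer/subject-match checking for an OIDC trust relationship.

Added example (not nsc source). Assumptions: `*` matches any run of
characters including `/` and `:`; all other pattern characters are
literal. Signature verification is omitted; never trust claims from an
unverified token in production.
"""
import base64
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustRelationship:
    issuer: str         # must equal the token's `iss` claim exactly
    subject_match: str  # pattern compared against the `sub` claim; `*` is a wildcard


def subject_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a subject-match pattern into an anchored regex.

    Only `*` is special; everything else is escaped, so the `.` in a
    service-account e-mail is a literal dot, not a regex metacharacter.
    A pattern without `*` therefore requires an exact match.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def decode_unverified_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying it (illustration only)."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def matches(rel: TrustRelationship, claims: dict) -> bool:
    """Exact issuer comparison first, then wildcard subject comparison."""
    if claims.get("iss") != rel.issuer:
        return False
    sub = claims.get("sub")
    if not isinstance(sub, str):
        return False
    return subject_pattern_to_regex(rel.subject_match).match(sub) is not None


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned test token (alg none) for the demo below."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


if __name__ == "__main__":
    # Constructed sample: one relationship per documented issuer, exact and wildcard.
    relationships = [
        TrustRelationship("https://accounts.google.com",
                          "projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com"),
        TrustRelationship("https://accounts.google.com", "projects/123456789/serviceAccounts/*"),
        TrustRelationship("https://fly.io/example-org", "example-org:example-app:*"),
        TrustRelationship("https://cloud.rwx.com/mint", "org:my-org:vault:*"),
    ]
    # Constructed tokens, including two that must be rejected.
    samples = [
        {"iss": "https://accounts.google.com",
         "sub": "projects/123456789/serviceAccounts/other@my-project.iam.gserviceaccount.com"},
        {"iss": "https://accounts.google.com/",  # trailing slash: issuer mismatch
         "sub": "projects/123456789/serviceAccounts/my-service@my-project.iam.gserviceaccount.com"},
        {"iss": "https://fly.io/example-org", "sub": "example-org:example-app:example-machine"},
        {"iss": "https://cloud.rwx.com/mint", "sub": "org:other-org:vault:deploy-vault"},
    ]
    for claims in samples:
        decoded = decode_unverified_claims(make_unsigned_token(claims))
        trusted = [r.subject_match for r in relationships if matches(r, decoded)]
        print(f"{decoded['iss']} {decoded['sub']} -> {trusted or 'REJECTED'}")
```

The trailing-slash sample shows why the docs insist on the exact iss value: "https://accounts.google.com/" is not the configured issuer and is rejected before the subject is even examined. The rwx sample shows that a wildcard on the vault segment does not extend across the organization segment.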
Related Topics
- nsc auth trust-relationships - Main command overview
- nsc auth trust-relationships list - List existing relationships
- nsc auth trust-relationships remove - Remove relationships
- Workload Federation - Integration guides for cloud providers