You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -44,6 +44,19 @@ Agents poll Pulumi Cloud every 30 seconds to check for pending deployments and w
If you are running the agent inside a firewall ensure to allow outbound requests to api.pulumi.com. Ensure agents have the cloud provider credentials to be able to deploy in your environments.
{{% /notes %}}
### Leveraging OpenID Authentication
It is possible to use OpenID authentication to fetch Pulumi Pool tokens dynamically instead of configuring a static token for the agents. You must first register the OpenID provider as a trusted OIDC issuer in your Pulumi account, as documented at [OIDC documentation](/docs/pulumi-cloud/oidc/client).
After registering the provider, this other information is required by the agent:
-`organization_name`: your Pulumi Organization name
-`runner_pool_id`: the pool ID that the instance will connect to
-`token_expiration` (optional): the expiration in seconds for the tokens requested by the agent
-`oidc_token_file`: the location of the file where the OIDC token will be recorded
The agent will attempt to read the `oidc_token_file` for a fresh OIDC token and exchange it automatically for a Pulumi token every time the Pulumi token expires.
## Providing Credentials to Agents
There are two methods to provide cloud provider credentials to the agents:
