elastic / cloudbeat / 18749419413
76%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 229
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 76.214%. Remained the same
18749419413

push

github

web-flow 
Update OIDC audience default to ElasticCloudConnector (#3654)

## Summary

Replace hardcoded Azure OIDC audience value
(`api://AzureADTokenExchange`) with Elastic-specific audience
(`ElasticCloudConnector`) in ARM templates for cloud connectors. This
aligns the configuration with ElasticCloudConnector usage and improves
security by using a more specific audience claim.

## Changes

Updated the `audiences` array in the federated identity credentials
configuration for both single-account and organization-account ARM
templates:

**Before:**
```json
"audiences": [
    "api://AzureADTokenExchange"
]
```

**After:**
```json
"audiences": [
    "ElasticCloudConnector"
]
```

## Files Modified

- `deploy/azure/ARM-for-cloud-connectors-single-account.json`
- `deploy/azure/ARM-for-cloud-connectors-organization-account.json`

## Rationale

The previous value `api://AzureADTokenExchange` is the default Azure
audience for OIDC token exchange. Using a more specific audience value
like `ElasticCloudConnector` provides better security by ensuring tokens
are explicitly intended for Elastic Cloud Connector usage, preventing
potential token misuse across different systems.

<!-- START COPILOT CODING AGENT SUFFIX -->



<details>

<summary>Original prompt</summary>

> Replace every occurrence of the OIDC audience string
"api://AzureADTokenExchange" with "ElasticCloudConnector" in the
repository.
> 
> Files to change (confirmed from code search):
> - deploy/azure/ARM-for-cloud-connectors-single-account.json
>   - Replace the audiences array value:
>     - "api://AzureADTokenExchange" -> "ElasticCloudConnector"
> 
> - deploy/azure/ARM-for-cloud-connectors-organization-account.json
>   - Replace the audiences array value:
>     - "api://AzureADTokenExchange" -> "ElasticCloudConnector"
> 
> Notes:
> - The search may be incomplete. The PR should include these
replacements and any other occurrences found in the repo.
> - Create a new branch named: copilot/update-oidc-audience-d... (continued)

9603 of 12600 relevant lines covered (76.21%)

16.58 hits per line

Jobs
ID Job ID Ran Files Coverage
1 18749419413.1 229
76.21
 GitHub Action Run
Source Files on build 18749419413