elastic / cloudbeat / 18749442001
76%
main: 76%

LAST BUILD BRANCH: renovate/main-github.com-google-gnostic-models-0.x
DEFAULT BRANCH: main
Ran
Jobs 1
Files 229
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 76.19%. Remained the same
18749442001

push

github

web-flow 
[9.2](backport #3654) Update OIDC audience default to ElasticCloudConnector (#3659)

## Summary

Replace hardcoded Azure OIDC audience value
(`api://AzureADTokenExchange`) with Elastic-specific audience
(`ElasticCloudConnector`) in ARM templates for cloud connectors. This
aligns the configuration with ElasticCloudConnector usage and improves
security by using a more specific audience claim.

## Changes

Updated the `audiences` array in the federated identity credentials
configuration for both single-account and organization-account ARM
templates:

**Before:**
```json
"audiences": [
    "api://AzureADTokenExchange"
]
```

**After:**
```json
"audiences": [
    "ElasticCloudConnector"
]
```

## Files Modified

- `deploy/azure/ARM-for-cloud-connectors-single-account.json`
- `deploy/azure/ARM-for-cloud-connectors-organization-account.json`

## Rationale

The previous value `api://AzureADTokenExchange` is the default Azure
audience for OIDC token exchange. Using a more specific audience value
like `ElasticCloudConnector` provides better security by ensuring tokens
are explicitly intended for Elastic Cloud Connector usage, preventing
potential token misuse across different systems.





<details>

<summary>Original prompt</summary>

> Replace every occurrence of the OIDC audience string
"api://AzureADTokenExchange" with "ElasticCloudConnector" in the
repository.
> 
> Files to change (confirmed from code search):
> - deploy/azure/ARM-for-cloud-connectors-single-account.json
>   - Replace the audiences array value:
>     - "api://AzureADTokenExchange" -> "ElasticCloudConnector"
> 
> - deploy/azure/ARM-for-cloud-connectors-organization-account.json
>   - Replace the audiences array value:
>     - "api://AzureADTokenExchange" -> "ElasticCloudConnector"
> 
> Notes:
> - The search may be incomplete. The PR should include these
replacements and any other occurrences found in the repo.
> - Create a new branch named: copilot/update-oidc-audience-default
> - Commit me... (continued)

9600 of 12600 relevant lines covered (76.19%)

16.6 hits per line

Uncovered Existing Lines

Lines Coverage File
2
83.06
 0.0% internal/resources/providers/gcplib/inventory/provider.go
Jobs
ID Job ID Ran Files Coverage
1 18749442001.1 229
76.19
 GitHub Action Run
Source Files on build 18749442001