OIDC with Namespace

See the general OIDC documentation before diving into the Namespace specific setup.

Namespace Specific Setup

  • Configure Namespace in your RWX Vault
  • Configure RWX as a Trusted Relationship in Namespace
  • Install and Authenticate with Namespace in an RWX task

Configure Namespace in RWX

RWX Vaults control which RWX runs can access which sensitive values. If you're building container images on feature branches, you can configure Namespace in the default vault. If you're building on a protected branch like main, then you may want to set up Namespace in a locked vault.

See the docs on vaults for more details on how to configure your vaults.

Conventionally, name the token namespace. Set the audience to federation.namespaceapis.com.

Configure RWX in Namespace

Interacting with Namespace resources via OIDC requires that you establish a trust relationship between Namespace and your RWX vault.

This is a one-time setup done with Namespace's CLI (nsc), providing https://cloud.rwx.com/mint as the issuer and a subject match that identifies the vault that stores your OIDC tokens.

You can find the OIDC subject of a vault on the vault's OIDC tab. It takes the form org:{org-slug}:vault:{vault-name}.

Establish Trust Relationship

nsc auth trust-relationships add \
  --issuer "https://cloud.rwx.com/mint" \
  --subject-match "org:my-org:vault:my-vault"

Confirm Trust Relationship Established

nsc auth trust-relationships list

You should see your RWX trust relationship with the appropriate subject pattern.

See Namespace's docs on Federation with RWX for more details.

Install and Authenticate with Namespace in an RWX task

Install the Namespace CLI in a task with the namespace/install-cli package:

tasks:
  - key: namespace-cli
    call: namespace/install-cli 1.0.0

You can then define a task that uses the CLI and the namespace/login-hook package to authenticate via OIDC.

tasks:
  - key: namespace-cli
    call: namespace/install-cli 1.0.0

  - key: namespace-login
    call: namespace/login-hook 1.0.0
    with:
      workspace-id: my-namespace-workspace-id

  - key: build-image
    use: [namespace-cli, namespace-login]
    run: nsc build --name foo/bar .
    env:
      NAMESPACE_OIDC_TOKEN:
        value: ${{ vaults.your-vault.oidc.your-token-name-usually-namespace }}
        cache-key: excluded

Setting cache-key: excluded ensures that a changed Namespace token does not affect whether the build-image task can be a cache hit. For more details, see the docs on environment variables.
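The build-image task above hands the vault-minted token to nsc through NAMESPACE_OIDC_TOKEN. As an added example (not part of the RWX or Namespace documentation), the following Python script inspects that token's claims and confirms they line up with the trust relationship configured earlier: the issuer https://cloud.rwx.com/mint, the audience federation.namespaceapis.com, and the subject org:{org-slug}:vault:{vault-name} shown on the vault's OIDC tab. It decodes the JWT payload without verifying the signature (Namespace verifies the signature on its side; this check only catches a token from the wrong vault, issuer or audience before it is used). The sample tokens, the function names and the ORG_SLUG / VAULT_NAME environment variables are constructed for this example and are not part of either product.

```python
import base64
import json
import time
from typing import List, Optional

# Values from the RWX/Namespace setup described on this page.
EXPECTED_ISSUER = "https://cloud.rwx.com/mint"
EXPECTED_AUDIENCE = "federation.namespaceapis.com"


def vault_subject(org_slug: str, vault_name: str) -> str:
    """Build the OIDC subject RWX assigns to a vault: org:{org-slug}:vault:{vault-name}."""
    return f"org:{org_slug}:vault:{vault_name}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here;
    Namespace verifies it server-side. This only inspects what the vault minted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, org_slug: str, vault_name: str,
                now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token matches the trust relationship."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems: List[str] = []

    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} != {EXPECTED_ISSUER!r}")

    # 'aud' may be a single string or a list of strings per the JWT spec.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {aud!r} does not include {EXPECTED_AUDIENCE!r}")

    expected_sub = vault_subject(org_slug, vault_name)
    if claims.get("sub") != expected_sub:
        problems.append(f"subject {claims.get('sub')!r} != {expected_sub!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing (signature segment is a dummy)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


# Constructed samples: one matching the trust relationship from this page, one that does not.
SAMPLE_GOOD = make_sample_token({
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "org:my-org:vault:my-vault",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
})
SAMPLE_WRONG_VAULT = make_sample_token({
    "iss": EXPECTED_ISSUER,
    "aud": "some-other-audience",
    "sub": "org:my-org:vault:default",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
})


if __name__ == "__main__":
    import os
    import sys

    # In an RWX task this runs with NAMESPACE_OIDC_TOKEN set by the vault reference;
    # ORG_SLUG and VAULT_NAME are hypothetical variables for this script.
    token = os.environ.get("NAMESPACE_OIDC_TOKEN", SAMPLE_GOOD)
    found = check_token(token, os.environ.get("ORG_SLUG", "my-org"),
                        os.environ.get("VAULT_NAME", "my-vault"))
    for problem in found:
        print("token check failed:", problem)
    sys.exit(1 if found else 0)
```

Running this as a task that uses namespace-login but precedes build-image fails the run early when the task was wired to the wrong vault or token name, instead of surfacing as a less specific authentication error from nsc.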

Support

That's it! If you have any questions, feel free to reach out to RWX support or Namespace support.