Are attribute conditions required when setting up GCP Workload Identity Federation?
Last updated: July 14, 2025
Context
When configuring GCP Workload Identity Federation (WIF) for Spacelift integration, users may wonder if they need to specify attribute conditions in the Workload Identity Pool configuration to restrict access.
Answer
No, setting attribute conditions in the Workload Identity Pool configuration is optional. The allowed audiences specification already provides sufficient access restriction, as it ensures that only tokens from your specific Spacelift account will be valid.
If you want additional restrictions, you can add attribute conditions written in Google's Common Expression Language (CEL). For more information about implementing conditions, refer to the following resources:
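The setup described in this answer, sketched in Terraform as an added example (it is not from the original page or from Spacelift's own configuration). The pool and provider IDs, the variable names, and the Spacelift hostname are placeholders. It also assumes that the Spacelift token's audience is the account hostname and that the token carries a `spaceId` claim.

```hcl
# Added example. All IDs and variable names are hypothetical placeholders.
variable "project_id" {
  type = string
}

variable "spacelift_hostname" {
  description = "Placeholder: your Spacelift account hostname"
  type        = string
}

variable "allowed_space_id" {
  description = "Optional: restrict federation to one Spacelift space"
  type        = string
  default     = null
}

resource "google_iam_workload_identity_pool" "spacelift" {
  project                   = var.project_id
  workload_identity_pool_id = "spacelift-pool"
}

resource "google_iam_workload_identity_pool_provider" "spacelift" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.spacelift.workload_identity_pool_id
  workload_identity_pool_provider_id = "spacelift-oidc"

  attribute_mapping = {
    "google.subject"  = "assertion.sub"
    "attribute.space" = "assertion.spaceId" # assumed claim name
  }

  # Optional. Left unset (null), only the audience check below applies.
  # When set, tokens whose spaceId claim does not match are rejected.
  attribute_condition = (
    var.allowed_space_id == null
    ? null
    : "assertion.spaceId == \"${var.allowed_space_id}\""
  )

  oidc {
    issuer_uri = "https://${var.spacelift_hostname}"
    # The restriction the answer relies on: tokens issued for any
    # other audience are not accepted by this provider.
    allowed_audiences = [var.spacelift_hostname]
  }
}
```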