
OIDC Issuers

    OpenID Connect (OIDC) issuers provide a way to authenticate with Pulumi Cloud using identity tokens from external providers like GitHub Actions. The OIDC Issuers API allows you to register and manage OIDC issuers for your organization.

    Get Auth Policy

    GET /api/orgs/{orgName}/auth/policies/oidcissuers/{issuerId}

    Returns the authentication policy associated with a specific OIDC issuer registration. Authentication policies define rules for how OIDC tokens from the issuer are validated and what access they grant, including claim mappings and trust conditions.

    Request Parameters

    • orgName string path required
      The organization name
    • issuerId string path required
      The OIDC issuer identifier

    Responses

    200 OK
    Schema: AuthPolicy
    • id string required
      The unique identifier
    • version integer required
      The version number
    • created string optional
      The creation timestamp
    • modified string optional
      The last modification timestamp
    • policies array[AuthPolicyDefinition] required
      List of policies
      • decision string required
        The access decision for matching tokens (e.g. ‘allow’, ‘deny’).
      • tokenType string required
        The type of token this rule applies to (e.g. ‘personal’, ‘org’, ‘team’).
      • teamName string optional
        Team name filter. When set, this rule only applies to tokens belonging to this team.
      • userLogin string optional
        User login filter. When set, this rule only applies to tokens belonging to this user.
      • runnerID string optional
        Runner ID filter. When set, this rule only applies to tokens for this deployment runner.
      • roleID string optional
        Role ID filter. When set, this rule only applies to tokens with this role.
      • authorizedPermissions array[string] required
        The set of permissions granted when this rule matches.
      • rules map[string]object required
        Additional rule conditions as key-value pairs.
    Errors: 400 Invalid issuer ID
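The AuthPolicyDefinition filters above, worked as an added example (not Pulumi's own code): a local evaluator that models which rules apply to a given token and which permissions result. The combination semantics it uses (every filter a rule sets must match; a matching ‘deny’ overrides ‘allow’; the `rules` map is ignored) and the sample ids and permission names are assumptions, since the reference does not state how rules are combined.

```python
# Added example, not Pulumi's code: evaluates a token against the
# AuthPolicyDefinition entries returned by Get Auth Policy.
# Assumptions not stated by the API reference: every filter a rule sets must
# match for the rule to apply, a matching "deny" overrides any "allow", and
# the free-form `rules` map is not evaluated here.
from typing import Any

# Filter fields of AuthPolicyDefinition, compared against the same-named token attribute.
FILTER_FIELDS = ("tokenType", "teamName", "userLogin", "runnerID", "roleID")


def rule_matches(rule: dict[str, Any], token: dict[str, Any]) -> bool:
    """A rule applies when its tokenType and every optional filter it sets agree with the token."""
    for field in FILTER_FIELDS:
        wanted = rule.get(field)
        if wanted is not None and token.get(field) != wanted:
            return False
    return True


def effective_permissions(policy: dict[str, Any], token: dict[str, Any]) -> set[str]:
    """Union of authorizedPermissions from matching allow rules; empty if any matching rule denies."""
    granted: set[str] = set()
    for rule in policy["policies"]:
        if not rule_matches(rule, token):
            continue
        if rule["decision"] == "deny":
            return set()  # assumption: deny overrides allow
        if rule["decision"] == "allow":
            granted.update(rule.get("authorizedPermissions", []))
    return granted


# Constructed sample AuthPolicy response; ids and permission names are illustrative only.
SAMPLE_POLICY = {
    "id": "policy-example",
    "version": 1,
    "policies": [
        {"decision": "allow", "tokenType": "org",
         "authorizedPermissions": ["stacks:read"], "rules": {}},
        {"decision": "allow", "tokenType": "team", "teamName": "platform",
         "authorizedPermissions": ["stacks:read", "stacks:write"], "rules": {}},
        {"decision": "deny", "tokenType": "personal", "userLogin": "contractor",
         "authorizedPermissions": [], "rules": {}},
    ],
}

if __name__ == "__main__":
    print(effective_permissions(SAMPLE_POLICY, {"tokenType": "team", "teamName": "platform"}))
```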

    List

    GET /api/orgs/{orgName}/oidc/issuers

    Returns all OIDC issuer registrations for an organization. OIDC issuer registrations establish trust relationships with external identity providers (such as AWS, Azure, Google Cloud, or GitHub Actions) to enable token exchange for temporary Pulumi Cloud credentials. This eliminates the need for long-lived access tokens in CI/CD pipelines and deployment automation.

    Request Parameters

    • orgName string path required
      The organization name

    Responses

    200 OK
    • oidcIssuers array[OidcIssuerRegistrationResponse] required
      The list of OIDC issuers
    • id string required
      The unique identifier of the registered OIDC issuer.
    • name string required
      The display name of the OIDC issuer.
    • url string required
      The URL of the OIDC issuer.
    • issuer string required
      The OIDC issuer identifier, typically a URL that uniquely identifies the identity provider.
    • thumbprints array[string] optional
      SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • jwks JSONWebKeySet optional
      The JSON Web Key Set for the OIDC issuer.
    • maxExpiration integer optional
      The maximum token expiration time in seconds.
    • created string optional
      The ISO 8601 timestamp when the OIDC issuer was created.
    • modified string optional
      The ISO 8601 timestamp when the OIDC issuer was last modified.
    • lastUsed string optional
      The ISO 8601 timestamp when the OIDC issuer was last used for token exchange.

    Register OIDC Issuer

    POST /api/orgs/{orgName}/oidc/issuers

    Registers a new OIDC issuer for an organization, establishing a trust relationship with an external identity provider. Once registered, the identity provider can issue signed, short-lived tokens that are exchanged for temporary Pulumi Cloud credentials during deployments. This eliminates the need to store long-lived access tokens. Supported providers include AWS, Azure, Google Cloud, GitHub Actions, and any OIDC-compliant identity provider. The request must include the issuer URL, and the service will fetch the provider’s public signing keys to verify token authenticity.

    Request Parameters

    • orgName string path required
      The organization name

    Request Body

    • name string required
      The display name of the OIDC issuer.
    • url string required
      The URL of the OIDC issuer.
    • thumbprints array[string] optional
      SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • maxExpiration integer optional
      The maximum token expiration time in seconds.
    • jwks JSONWebKeySet optional
      The JSON Web Key Set for the OIDC issuer.
      • keys array[JSONWebKey] required
        The set of JSON Web Keys

    Responses

    200 OK
    • id string required
      The unique identifier of the registered OIDC issuer.
    • name string required
      The display name of the OIDC issuer.
    • url string required
      The URL of the OIDC issuer.
    • issuer string required
      The OIDC issuer identifier, typically a URL that uniquely identifies the identity provider.
    • thumbprints array[string] optional
      SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • jwks JSONWebKeySet optional
      The JSON Web Key Set for the OIDC issuer.
      • keys array[JSONWebKey] required
        The set of JSON Web Keys
    • maxExpiration integer optional
      The maximum token expiration time in seconds.
    • created string optional
      The ISO 8601 timestamp when the OIDC issuer was created.
    • modified string optional
      The ISO 8601 timestamp when the OIDC issuer was last modified.
    • lastUsed string optional
      The ISO 8601 timestamp when the OIDC issuer was last used for token exchange.
    Errors: 400 metadata object store endpoint is not configured
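The registration request above, as an added example that is not Pulumi's own code: it validates the body fields this endpoint accepts before sending, and shows how a TLS certificate thumbprint of the form listed in `thumbprints` is derived from a DER certificate. The validation rules (https-only URL, 40-hex-digit SHA-1 thumbprints, positive maxExpiration, non-empty jwks.keys), the `https://api.pulumi.com` base URL and the request headers are assumptions, not stated on this page.

```python
# Added example, not Pulumi's own code: builds and validates the request body
# for POST /api/orgs/{orgName}/oidc/issuers. Field names follow this reference;
# the checks (https-only URL, 40-hex-digit SHA-1 thumbprints, positive
# maxExpiration, non-empty jwks.keys) are this example's own assumptions.
import hashlib
import json
import re
import urllib.request

THUMBPRINT_RE = re.compile(r"^[0-9a-f]{40}$")  # hex SHA-1 digest


def thumbprint_from_der(cert_der: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded TLS certificate, as listed in `thumbprints`."""
    return hashlib.sha1(cert_der).hexdigest()


def build_registration(name, url, thumbprints=None, max_expiration=None, jwks=None):
    """Return the JSON-serialisable body, or raise ValueError for a malformed field."""
    if not name:
        raise ValueError("the issuer name is required")
    if not url.startswith("https://"):
        raise ValueError("issuer url must use https")
    body = {"name": name, "url": url}
    if thumbprints is not None:
        normalised = [t.lower() for t in thumbprints]
        bad = [t for t in normalised if not THUMBPRINT_RE.match(t)]
        if bad:
            raise ValueError(f"not SHA-1 hex thumbprints: {bad}")
        body["thumbprints"] = normalised
    if max_expiration is not None:
        if max_expiration <= 0:
            raise ValueError("maxExpiration must be a positive number of seconds")
        body["maxExpiration"] = int(max_expiration)
    if jwks is not None:
        if not isinstance(jwks.get("keys"), list) or not jwks["keys"]:
            raise ValueError("jwks.keys must be a non-empty array of JSON Web Keys")
        body["jwks"] = jwks  # static JWKS: regenerate-thumbprints is refused for this issuer
    return body


def register_issuer(org_name, body, access_token, base="https://api.pulumi.com"):
    """POST to Pulumi Cloud; base URL and headers are assumed conventions. Network call."""
    req = urllib.request.Request(
        f"{base}/api/orgs/{org_name}/oidc/issuers",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"token {access_token}", "Content-Type": "application/json",
                 "Accept": "application/vnd.pulumi+8"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```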

    Get OIDC Issuer

    GET /api/orgs/{orgName}/oidc/issuers/{issuerId}

    Returns the details of a specific OIDC issuer registration, including the issuer URL, audience restrictions, TLS thumbprints, and trust policy configuration. OIDC issuer registrations establish trust relationships between the organization and external identity providers, enabling token exchange for temporary Pulumi Cloud credentials without storing long-lived secrets.

    Request Parameters

    • orgName string path required
      The organization name
    • issuerId string path required
      The OIDC issuer identifier

    Responses

    200 OK
    • id string required
      The unique identifier of the registered OIDC issuer.
    • name string required
      The display name of the OIDC issuer.
    • url string required
      The URL of the OIDC issuer.
    • issuer string required
      The OIDC issuer identifier, typically a URL that uniquely identifies the identity provider.
    • thumbprints array[string] optional
      SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • jwks JSONWebKeySet optional
      The JSON Web Key Set for the OIDC issuer.
      • keys array[JSONWebKey] required
        The set of JSON Web Keys
    • maxExpiration integer optional
      The maximum token expiration time in seconds.
    • created string optional
      The ISO 8601 timestamp when the OIDC issuer was created.
    • modified string optional
      The ISO 8601 timestamp when the OIDC issuer was last modified.
    • lastUsed string optional
      The ISO 8601 timestamp when the OIDC issuer was last used for token exchange.
    Errors: 404 oidc issuer

    Update OIDC Issuer

    PATCH /api/orgs/{orgName}/oidc/issuers/{issuerId}

    Updates an existing OIDC issuer registration for an organization. This can be used to modify the issuer name, audience restrictions, trust policies, or other configuration. The issuer URL itself cannot be changed after creation. The issuer name is required in the update request.

    Request Parameters

    • orgName string path required
      The organization name
    • issuerId string path required
      The OIDC issuer identifier

    Request Body

    • name string optional
      The updated display name of the OIDC issuer.
    • thumbprints array[string] optional
      Updated SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • maxExpiration integer optional
      The updated maximum token expiration time in seconds.
    • jwks JSONWebKeySet optional
      The updated JSON Web Key Set for the OIDC issuer.
      • keys array[JSONWebKey] required
        The set of JSON Web Keys

    Responses

    200 OK
    • id string required
      The unique identifier of the registered OIDC issuer.
    • name string required
      The display name of the OIDC issuer.
    • url string required
      The URL of the OIDC issuer.
    • issuer string required
      The OIDC issuer identifier, typically a URL that uniquely identifies the identity provider.
    • thumbprints array[string] optional
      SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • jwks JSONWebKeySet optional
      The JSON Web Key Set for the OIDC issuer.
      • keys array[JSONWebKey] required
        The set of JSON Web Keys
    • maxExpiration integer optional
      The maximum token expiration time in seconds.
    • created string optional
      The ISO 8601 timestamp when the OIDC issuer was created.
    • modified string optional
      The ISO 8601 timestamp when the OIDC issuer was last modified.
    • lastUsed string optional
      The ISO 8601 timestamp when the OIDC issuer was last used for token exchange.
    Errors: 400 the issuer name is required; 404 oidc issuer

    Delete OIDC Issuer

    DELETE /api/orgs/{orgName}/oidc/issuers/{issuerId}

    Deletes an OIDC issuer registration from an organization, removing the trust relationship between the organization and the identity provider. After deletion, tokens issued by this provider can no longer be exchanged for temporary Pulumi Cloud credentials. Any deployments or automation relying on this OIDC issuer for authentication will stop working.

    Request Parameters

    • orgName string path required
      The organization name
    • issuerId string path required
      The OIDC issuer identifier

    Responses

    204 No Content
    Errors: 404 oidc issuer

    Regenerate Thumbprints

    POST /api/orgs/{orgName}/oidc/issuers/{issuerId}/regenerate-thumbprints

    Regenerates the TLS certificate thumbprints for an OIDC issuer by re-fetching the issuer’s public keys. This is needed when the identity provider rotates its TLS certificates. It cannot be used if the issuer’s JWKS is statically configured.

    Request Parameters

    • orgName string path required
      The organization name
    • issuerId string path required
      The OIDC issuer identifier

    Responses

    200 OK
    • id string required
      The unique identifier of the registered OIDC issuer.
    • name string required
      The display name of the OIDC issuer.
    • url string required
      The URL of the OIDC issuer.
    • issuer string required
      The OIDC issuer identifier, typically a URL that uniquely identifies the identity provider.
    • thumbprints array[string] optional
      SHA-1 certificate thumbprints used to verify the OIDC issuer’s TLS certificate.
    • jwks JSONWebKeySet optional
      The JSON Web Key Set for the OIDC issuer.
      • keys array[JSONWebKey] required
        The set of JSON Web Keys
    • maxExpiration integer optional
      The maximum token expiration time in seconds.
    • created string optional
      The ISO 8601 timestamp when the OIDC issuer was created.
    • modified string optional
      The ISO 8601 timestamp when the OIDC issuer was last modified.
    • lastUsed string optional
      The ISO 8601 timestamp when the OIDC issuer was last used for token exchange.
    Errors: 400 issuer jwks are statically configured, can't regenerate thumbprints; 404 oidc issuer