Scoped roles
Every credential and federation trust can be limited to a subset of the service principal’s roles. The effective permissions are the intersection of:- The roles assigned to the service principal
- The scoped roles on the credential or trust
IP allowlists
Both credentials and federation trusts support IP address restrictions. When configured, only requests from the specified IP ranges are accepted.- Add up to 32 IP address ranges per credential or trust
- Leave empty to allow all IPs
- Supports both IPv4 and IPv6 (enter ranges like
192.168.1.0/24or2001:db8::/32)
IP allowlists work best with self-hosted runners or fixed egress IPs. GitHub-hosted runners use thousands of IP ranges that change frequently, making IP restrictions impractical for them.
Credential expiration
Credentials expire after a set duration:
Expired credentials can’t issue new tokens. Plan credential rotation before expiry. See credential rotation for a zero-downtime rotation procedure.
Credential expiration can’t be extended. Create a new credential with the desired expiration and revoke the old one.
DPoP (Demonstrating Proof-of-Possession)
DPoP (RFC 9449) binds access tokens to a specific cryptographic key. Even if a token is intercepted, it can’t be used without the corresponding private key. Enable DPoP when creating a credential by toggling Require DPoP. When enabled:- The client must include a
DPoPproof header with every token request - Issued tokens are type
DPoPinstead ofBearer - API requests must include both the token and a fresh DPoP proof
CEL conditions (federation)
Federation trusts use CEL (Common Expression Language) expressions to control which tokens are accepted. The expression is evaluated against the JWT claims and must returntrue.
CEL environment
The CEL environment exposes:claims— a map of all decoded JWT claims
contains(), startsWith(), endsWith(), matches(), size().
Example expressions
Writing expressions
- Expressions are limited to 1,024 bytes
- Always validate the
subclaim or an equivalent identifier - Use additional claims for defense-in-depth scoping
System log events
All service principal and workload federation activity is recorded in the C1 system log.Authentication events
Token operations are logged as OCSF Authentication events (class 3002). Theactivity_name corresponds to the OAuth grant type used.
Each authentication event includes:
- Outcome: Success or Failure
- Status detail: Specific failure reason (for example
trust_not_found,issuer_mismatch,invalid_jwt_format,cel_condition_not_met,token_too_old,sp_disabled) - Client IP: Source IP address of the request
- Client ID: The credential or trust client ID used
API activity events
Service principal and workload federation CRUD operations are logged as OCSF API Activity events.
View these events in the system log.