In bug 1172273 I added an rdp feature to generic-worker that allows you to generate an artifact containing confidential RDP connection information, which only the task author should be entitled to read (and taskcluster super admins, of course!). ;) Currently no artifact namespace is carved out for login identity, so I'd like to grant the following to generated temp credentials: queue:create-artifact:<identity>/* When deciding between including the provider or not in the namespace, I figured it was safer to include the provider, so that artifacts couldn't be compromised by using a weaker provider.

whoops, wrong url :)

Commits pushed to master at https://github.com/taskcluster/taskcluster-login https://github.com/taskcluster/taskcluster-login/commit/2c40a2af95acfe40a45c750c28fa8a266058c7fb Bug 1436002 - grant queue:create-artifact:login-identity/<identity>/* to temp credentials https://github.com/taskcluster/taskcluster-login/commit/f7b6def12d3c825ed421d7a862eada52559a7e9b Merge pull request #73 from taskcluster/bug1436002 Bug 1436002 - grant queue:create-artifact:<identity>/* to temp credentials

Commits pushed to master at https://github.com/taskcluster/taskcluster-docs https://github.com/taskcluster/taskcluster-docs/commit/df05b005b4a338e8658178d510c82d0f0dd95fa6 Bug 1436002 - documented artifact namespace `login-identity/<identity>/*` https://github.com/taskcluster/taskcluster-docs/commit/dc4f3204fb23bfdb0fcfa4823c554d9600e52020 Merge pull request #233 from taskcluster/bug1436002 Bug 1436002 - documented artifact namespace <taskcluster-login_identity>/*

This is wrong, in: https://github.com/taskcluster/taskcluster-login/pull/73 you probably wanted to grant: queue:get-artifact:login-identity/${id}/* instead of: queue:create-artifact:login-identity/${id}/* Since the queue:create-artifact:<name> scope is not needed. Workers get credentials to create any artifact for a given taskId, when they claim a task. I would suggest instead granting a role: assume:login-identity:<id> And then creating a parameterized role: login-identity:* -> queue:get-artifact:login-identity/<..>/* That way if we decide to stick login identity into other things that could be done by adding scopes to said role. Imagine each login-identity having it's own index namespace, or other stuff like that. Note: login-identity is not ideal, since it's too long and can contain a lot of different characters. We might invent a custom namespace that can be registered later, for things like hooks, etc.

that parameterized role already exists :)

(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #7) > that parameterized role already exists :) I've updated https://tools.taskcluster.net/auth/roles/login-identity%3A* as follows: -queue:create-artifact:login-identity/<..>/* +queue:get-artifact:login-identity/<..>/* (In reply to Jonas Finnemann Jensen (:jonasfj) from comment #6) > Note: login-identity is not ideal, since it's too long and can contain a lot > of different characters. @Jonas, The expression 'login-identity' is too long for what? Which characters can it contain that are a problem? What are those characters a problem for? > We might invent a custom namespace that can be registered later, for > things like hooks, etc. @Jonas, What would the custom namespace be for? I didn't understand the comment, can you provide a little more detail (maybe an example too)? If you agree, let's close this, and open other bugs if we want further changes. Thanks.

Sorry, that create-artfiact mistake was probably me. The clientId character set is more restrictive than that for scopes, so i don't see an issue here. Also, length isn't an issue for scopes. This *is* the custom namespace we're going to register "later" (actually a few weeks ago) :)

> Also, length isn't an issue for scopes. Length is an issue if we want to stick <login-identity> into hook names, etc... or provisionerId. @pmoore, We've been talking about the idea that: Once you've logged in you would be able to create a "project", so long as you can come up with a unique name. This is somewhat similar, except that you always have a login-identity role. --- I see this is all resolved now: https://github.com/taskcluster/taskcluster-login/blob/8e1099a0485a1f1eb04c3c7e4c62ac30d081d4bc/src/user.js#L35-L38