Skip to main content
POST
/
api
/
v1
/
service_principals
/
{service_principal_id}
/
trusts
CreateTrust
package main

import(
	"context"
	"github.com/conductorone/conductorone-sdk-go/pkg/models/shared"
	conductoronesdkgo "github.com/conductorone/conductorone-sdk-go"
	"github.com/conductorone/conductorone-sdk-go/pkg/models/operations"
	"log"
)

func main() {
    ctx := context.Background()

    s := conductoronesdkgo.New(
        conductoronesdkgo.WithSecurity(shared.Security{
            BearerAuth: "<YOUR_BEARER_TOKEN_HERE>",
            Oauth: "<YOUR_OAUTH_HERE>",
        }),
    )

    res, err := s.WorkloadFederation.CreateTrust(ctx, operations.C1APIWorkloadFederationV1WorkloadFederationServiceCreateTrustRequest{
        ServicePrincipalID: "<id>",
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.WorkloadFederationServiceCreateTrustResponse != nil {
        // handle response
    }
}
{
  "trust": {
    "allowSourceCidrs": [
      "<string>"
    ],
    "clientId": "<string>",
    "conditionExpression": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "description": "<string>",
    "disabled": true,
    "displayName": "<string>",
    "passthroughClaims": [
      "<string>"
    ],
    "providerId": "<string>",
    "scopedRoleIds": [
      "<string>"
    ],
    "servicePrincipalId": "<string>",
    "updatedAt": "2023-11-07T05:31:56Z"
  }
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Authorization
string
header
required

This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the c1TokenSource.Token() function.

Path Parameters

service_principal_id
string
required

The service principal ID to create the trust for (from URL path).

Body

application/json

The WorkloadFederationServiceCreateTrustRequest message.

allowSourceCidrs
string[] | null

IP allowlist for token exchange requests matching this trust. Accepts IPv4 (e.g. 10.0.0.0/24) or IPv6 (e.g. 2001:db8::/32) CIDRs.

conditionExpression
string

CEL expression evaluated against JWT claims. Must return bool. Compiled and validated before storage.

description
string

A description of what this trust policy matches.

displayName
string

The display name for the trust.

passthroughClaims
string[] | null

JWT claim names from the subject token to copy into the issued C1 token.

providerId
string

The provider this trust references.

scopedRoleIds
string[] | null

Scoped role IDs. Effective permissions = min(SP roles, trust.scoped_role_ids).

Response

200 - application/json

Successful response

The WorkloadFederationServiceCreateTrustResponse message.

trust
Workload Federation Trust · object

WorkloadFederationTrust represents a per-SP trust policy that references a tenant-level provider and defines a CEL condition for claim matching.