\u0625\u0630\u0627 \u0642\u0645\u062a \u0628\u062a\u062f\u0642\u064a\u0642 \u0645\u062e\u0627\u0632\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0645\u0639\u0638\u0645 \u0645\u0646\u0635\u0627\u062a CI\/CD \u0627\u0644\u064a\u0648\u0645\u060c \u0633\u062a\u062c\u062f \u0645\u0642\u0628\u0631\u0629 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631: \u0645\u0641\u0627\u062a\u064a\u062d \u0648\u0635\u0648\u0644 AWS \u0623\u064f\u0646\u0634\u0626\u062a \u0645\u0646\u0630 \u0633\u0646\u0648\u0627\u062a\u060c \u0648\u0645\u0641\u0627\u062a\u064a\u062d JSON \u0644\u062d\u0633\u0627\u0628\u0627\u062a \u062e\u062f\u0645\u0629 GCP \u0645\u0634\u062a\u0631\u0643\u0629 \u0639\u0628\u0631 \u0639\u0634\u0631\u0627\u062a \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628\u060c \u0648 GitHub Personal Access Tokens \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0648\u0627\u0633\u0639\u0629\u060c \u0648\u0643\u0644\u0645\u0627\u062a \u0645\u0631\u0648\u0631 \u0642\u0648\u0627\u0639\u062f \u0628\u064a\u0627\u0646\u0627\u062a \u0644\u0645 \u064a\u062a\u0645 \u062a\u062f\u0648\u064a\u0631\u0647\u0627 \u0623\u0628\u062f\u0627\u064b. \u0647\u0630\u0647 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0647\u064a \u0623\u0643\u062b\u0631 \u0646\u0627\u0642\u0644\u0627\u062a \u0627\u0644\u0647\u062c\u0648\u0645 \u0634\u064a\u0648\u0639\u0627\u064b \u0641\u064a \u0627\u062e\u062a\u0631\u0627\u0642\u0627\u062a CI\/CD.<\/p>\n
\u0627\u0644\u0633\u0628\u0628 \u0648\u0627\u0636\u062d \u0648\u0645\u0628\u0627\u0634\u0631. \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0647\u064a \u0645\u0641\u062a\u0627\u062d \u0631\u0626\u064a\u0633\u064a. \u0628\u0645\u062c\u0631\u062f \u0623\u0646 \u064a\u062d\u0635\u0644 \u0639\u0644\u064a\u0647\u0627 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u2014 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0633\u062c\u0644 \u0645\u0633\u0631\u0651\u0628\u060c \u0623\u0648 \u062a\u0628\u0639\u064a\u0629 \u0645\u062e\u062a\u0631\u0642\u0629\u060c \u0623\u0648 \u0645\u062e\u0632\u0646 \u0623\u0633\u0631\u0627\u0631 \u062e\u0627\u0637\u0626 \u0627\u0644\u062a\u0643\u0648\u064a\u0646\u060c \u0623\u0648 \u0647\u062c\u0648\u0645 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0639\u0644\u0649 \u0645\u0646\u0635\u0629 CI \u0646\u0641\u0633\u0647\u0627 \u2014 \u064a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0645\u0633\u062a\u0645\u0631\u060c \u0648\u063a\u0627\u0644\u0628\u0627\u064b \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0645\u0641\u0631\u0637\u0629\u060c \u0625\u0644\u0649 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0644\u0644\u0625\u0646\u062a\u0627\u062c. \u0644\u0627 \u064a\u0648\u062c\u062f \u0639\u062f\u0627\u062f \u0627\u0646\u062a\u0647\u0627\u0621 \u0635\u0644\u0627\u062d\u064a\u0629 \u064a\u0639\u0645\u0644. \u0644\u0627 \u064a\u0648\u062c\u062f \u0625\u0644\u063a\u0627\u0621 \u062a\u0644\u0642\u0627\u0626\u064a. \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0647\u0630\u0647 \u0645\u0646 \u0623\u064a \u0639\u0646\u0648\u0627\u0646 IP\u060c \u0648\u0623\u064a \u0633\u064a\u0627\u0642\u060c \u0637\u0627\u0644\u0645\u0627 \u0644\u0645 \u064a\u0644\u0627\u062d\u0638 \u0641\u0631\u064a\u0642 \u0627\u0644\u062f\u0641\u0627\u0639 \u0630\u0644\u0643.<\/p>\n
\u064a\u063a\u064a\u0651\u0631 Workload Identity Federation \u0627\u0644\u0645\u0639\u0627\u062f\u0644\u0629 \u0628\u0627\u0644\u0643\u0627\u0645\u0644. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u062d\u0642\u0646 \u0623\u0633\u0631\u0627\u0631 \u062b\u0627\u0628\u062a\u0629 \u0641\u064a \u062a\u0634\u063a\u064a\u0644\u0627\u062a \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628\u060c \u062a\u0635\u0628\u062d \u0645\u0646\u0635\u0629 CI \u0646\u0641\u0633\u0647\u0627 \u0645\u0632\u0648\u062f\u0627\u064b \u0644\u0644\u0647\u0648\u064a\u0629. \u064a\u062a\u0644\u0642\u0649 \u0643\u0644 \u062a\u0634\u063a\u064a\u0644 \u0623\u0646\u0628\u0648\u0628 \u0631\u0645\u0632\u0627\u064b \u0645\u0645\u064a\u0632\u0627\u064b \u0642\u0635\u064a\u0631 \u0627\u0644\u0639\u0645\u0631 \u0648\u0645\u0648\u0642\u0651\u0639\u0627\u064b \u062a\u0634\u0641\u064a\u0631\u064a\u0627\u064b \u064a\u062b\u0628\u062a \u0645\u0627<\/em> \u0627\u0644\u0630\u064a \u064a\u0639\u0645\u0644 (\u0623\u064a \u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0648\u0623\u064a \u0641\u0631\u0639\u060c \u0648\u0623\u064a \u0633\u064a\u0631 \u0639\u0645\u0644\u060c \u0648\u0623\u064a \u0628\u064a\u0626\u0629). \u064a\u062a\u062d\u0642\u0642 \u0645\u0632\u0648\u062f\u0648 \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0645\u0646 \u0635\u062d\u0629 \u0647\u0630\u0627 \u0627\u0644\u0631\u0645\u0632 \u0648\u064a\u0635\u062f\u0631\u0648\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0624\u0642\u062a\u0629 \u0645\u062d\u062f\u062f\u0629 \u0628\u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0629 \u0628\u0627\u0644\u0636\u0628\u0637 \u2014 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u062a\u0647\u0627 \u0641\u064a \u062f\u0642\u0627\u0626\u0642\u060c \u0648\u0644\u064a\u0633 \u0623\u0634\u0647\u0631.<\/p>\n \u064a\u062a\u0646\u0627\u0648\u0644 \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0627\u0644\u0645\u0634\u0643\u0644\u0629 \u0628\u0627\u0644\u062a\u0641\u0635\u064a\u0644\u060c \u0648\u064a\u0634\u0631\u062d \u0643\u064a\u0641 \u064a\u0639\u0645\u0644 Workload Identity Federation \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644\u060c \u0648\u064a\u0642\u062f\u0645 \u0623\u0645\u062b\u0644\u0629 \u0639\u0645\u0644\u064a\u0629 \u0643\u0627\u0645\u0644\u0629 \u0644\u0640 GitHub Actions \u0648 GitLab CI \u0639\u0628\u0631 AWS \u0648 GCP \u0648 Azure\u060c \u0648\u064a\u063a\u0637\u064a \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0645\u062a\u0642\u062f\u0645\u0629\u060c \u0648\u064a\u062a\u0636\u0645\u0646 \u062f\u0644\u064a\u0644 \u062a\u0631\u062d\u064a\u0644 \u0639\u0645\u0644\u064a \u0644\u0644\u0641\u0631\u0642 \u0627\u0644\u0645\u0633\u062a\u0639\u062f\u0629 \u0644\u0644\u062a\u062e\u0644\u0635 \u0645\u0646 \u0623\u0633\u0631\u0627\u0631\u0647\u0627 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631.<\/p>\n \u0642\u0628\u0644 \u0627\u0644\u062e\u0648\u0636 \u0641\u064a \u0627\u0644\u062d\u0644\u060c \u0645\u0646 \u0627\u0644\u0645\u0641\u064a\u062f \u0641\u0647\u0645 \u0633\u0628\u0628 \u062e\u0637\u0648\u0631\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0641\u064a \u0633\u064a\u0627\u0642\u0627\u062a CI\/CD \u062a\u062d\u062f\u064a\u062f\u0627\u064b \u2014 \u0648\u0644\u064a\u0633 \u0628\u0634\u0643\u0644 \u0639\u0627\u0645 \u0641\u0642\u0637.<\/p>\n \u0645\u0641\u062a\u0627\u062d \u0648\u0635\u0648\u0644 AWS IAM\u060c \u0628\u0645\u062c\u0631\u062f \u0625\u0646\u0634\u0627\u0626\u0647\u060c \u064a\u0638\u0644 \u0635\u0627\u0644\u062d\u0627\u064b \u0625\u0644\u0649 \u0627\u0644\u0623\u0628\u062f \u0645\u0627 \u0644\u0645 \u064a\u062a\u0645 \u0625\u0644\u063a\u0627\u0624\u0647 \u0635\u0631\u0627\u062d\u0629\u064b. \u0645\u0641\u062a\u0627\u062d JSON \u0644\u062d\u0633\u0627\u0628 \u062e\u062f\u0645\u0629 GCP \u0644\u064a\u0633 \u0644\u0647 \u062a\u0627\u0631\u064a\u062e \u0627\u0646\u062a\u0647\u0627\u0621 \u0635\u0644\u0627\u062d\u064a\u0629. \u064a\u0645\u0643\u0646 \u062a\u0639\u064a\u064a\u0646 GitHub PAT \u0628\u062d\u064a\u062b \u0644\u0627 \u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u062a\u0647 \u0623\u0628\u062f\u0627\u064b. \u0641\u064a \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0629 \u0627\u0644\u0639\u0645\u0644\u064a\u0629\u060c \u062a\u0646\u0634\u0626 \u0645\u0639\u0638\u0645 \u0627\u0644\u0641\u0631\u0642 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0647\u0630\u0647 \u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0623\u0648\u0644\u064a \u0648\u0644\u0627 \u062a\u0644\u0645\u0633\u0647\u0627 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649. \u0645\u062a\u0648\u0633\u0637 \u0639\u0645\u0631 \u0627\u0644\u0633\u0631 \u0641\u064a CI\/CD \u0641\u064a \u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u064a\u064f\u0642\u0627\u0633 \u0628\u0627\u0644\u0633\u0646\u0648\u0627\u062a.<\/p>\n \u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u062d\u062a\u0649 \u0644\u0648 \u062a\u0645 \u062a\u0633\u0631\u064a\u0628 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0628\u0644 \u0633\u062a\u0629 \u0623\u0634\u0647\u0631\u060c \u0641\u0625\u0646\u0647\u0627 \u0644\u0627 \u062a\u0632\u0627\u0644 \u0635\u0627\u0644\u062d\u0629 \u0627\u0644\u064a\u0648\u0645. \u064a\u0639\u0631\u0641 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0647\u0630\u0627 \u0648\u064a\u0641\u062d\u0635\u0648\u0646 \u0628\u0634\u0643\u0644 \u0631\u0648\u062a\u064a\u0646\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0627\u0644\u0639\u0627\u0645\u0629 \u0648\u0635\u0648\u0631 Docker \u0648\u0633\u062c\u0644\u0627\u062a CI \u0628\u062d\u062b\u0627\u064b \u0639\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0642\u062f \u062a\u0643\u0648\u0646 \u0642\u062f \u062a\u0639\u0631\u0636\u062a \u0641\u064a \u0623\u064a \u0648\u0642\u062a \u0645\u0646 \u0627\u0644\u062a\u0627\u0631\u064a\u062e.<\/p>\n \u062a\u0645\u064a\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f CI\/CD \u0625\u0644\u0649 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0630\u0627\u062a \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0645\u0641\u0631\u0637\u0629 \u0644\u0623\u0646\u0647\u0627 \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0623\u062f\u0627\u0621 \u0645\u0647\u0627\u0645 \u0645\u062a\u0646\u0648\u0639\u0629: \u0628\u0646\u0627\u0621 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a\u060c \u0648\u0627\u0644\u062f\u0641\u0639 \u0625\u0644\u0649 \u0627\u0644\u0633\u062c\u0644\u0627\u062a\u060c \u0648\u0646\u0634\u0631 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629\u060c \u0648\u062a\u0634\u063a\u064a\u0644 \u062a\u0631\u062d\u064a\u0644\u0627\u062a \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\u060c \u0648\u0625\u0628\u0637\u0627\u0644 \u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0645\u0624\u0642\u062a. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0625\u0646\u0634\u0627\u0621 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062d\u062f\u0648\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642 \u0644\u0643\u0644 \u0645\u0647\u0645\u0629\u060c \u062a\u0646\u0634\u0626 \u0627\u0644\u0641\u0631\u0642 \u0639\u0627\u062f\u0629\u064b \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0648\u064a\u0629 \u0648\u0627\u062d\u062f\u0629 \u0648\u062a\u0639\u064a\u062f \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u0627 \u0641\u064a \u0643\u0644 \u0645\u0643\u0627\u0646. \u064a\u0645\u0643\u0646 \u0644\u0645\u0641\u062a\u0627\u062d \u0648\u0627\u062d\u062f \u0645\u0633\u0631\u0651\u0628 \u0623\u0646 \u064a\u0645\u0646\u062d \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0642\u0648\u0627\u0639\u062f \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0648\u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0627\u0644\u0633\u062d\u0627\u0628\u064a\u0629 \u0648\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0646\u0634\u0631 \u0641\u064a \u0648\u0642\u062a \u0648\u0627\u062d\u062f.<\/p>\n \u0639\u0646\u062f\u0645\u0627 \u064a\u064f\u0633\u062a\u062e\u062f\u0645 \u0646\u0641\u0633 \u0645\u0641\u062a\u0627\u062d \u062d\u0633\u0627\u0628 \u0627\u0644\u062e\u062f\u0645\u0629 \u0639\u0628\u0631 50 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u064b \u0648200 \u0623\u0646\u0628\u0648\u0628 \u0648\u062b\u0644\u0627\u062b \u0628\u064a\u0626\u0627\u062a\u060c \u064a\u0635\u0628\u062d \u0645\u0646 \u0634\u0628\u0647 \u0627\u0644\u0645\u0633\u062a\u062d\u064a\u0644 \u0627\u0644\u0625\u062c\u0627\u0628\u0629 \u0639\u0644\u0649 \u0623\u0633\u0626\u0644\u0629 \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629:<\/p>\n \u0644\u0627 \u062a\u0648\u0641\u0631 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0623\u064a \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0633\u064a\u0627\u0642\u064a\u0629 \u062d\u0648\u0644 \u0645\u0646<\/em> \u0623\u0648 \u0645\u0627<\/em> \u0627\u0644\u0630\u064a \u064a\u0633\u062a\u062e\u062f\u0645\u0647\u0627. \u0643\u0644 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u064a\u0628\u062f\u0648 \u0645\u062a\u0637\u0627\u0628\u0642\u0627\u064b \u0641\u064a \u0633\u062c\u0644\u0627\u062a \u0627\u0644\u062a\u062f\u0642\u064a\u0642.<\/p>\n \u062a\u062e\u0632\u0646 \u0645\u0646\u0635\u0627\u062a CI \u0645\u062b\u0644 GitHub Actions \u0648 GitLab CI \u0648 Jenkins \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u062e\u0632\u0627\u0626\u0646\u0647\u0627 \u0627\u0644\u062e\u0627\u0635\u0629. \u0647\u0630\u0647 \u0623\u0647\u062f\u0627\u0641 \u062b\u0645\u064a\u0646\u0629. \u0627\u062e\u062a\u0631\u0627\u0642 \u0648\u0627\u062d\u062f \u0644\u0645\u062e\u0632\u0646 \u0623\u0633\u0631\u0627\u0631 \u0645\u0646\u0635\u0629 CI \u064a\u0643\u0634\u0641 \u0643\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0644\u0643\u0644 \u0645\u0634\u0631\u0648\u0639. \u0627\u062e\u062a\u0631\u0627\u0642 CircleCI \u0641\u064a \u064a\u0646\u0627\u064a\u0631 2023 \u0647\u0648 \u0645\u062b\u0627\u0644 \u0646\u0645\u0648\u0630\u062c\u064a: \u0627\u062e\u062a\u0631\u0642 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u0648\u0646 \u0627\u0644\u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0644\u0640 CircleCI \u0648\u0627\u0633\u062a\u062e\u0631\u062c\u0648\u0627 \u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0639\u0645\u0644\u0627\u0621\u060c \u0645\u0645\u0627 \u0623\u062c\u0628\u0631 \u0643\u0644 \u0639\u0645\u064a\u0644 CircleCI \u0639\u0644\u0649 \u062a\u062f\u0648\u064a\u0631 \u0643\u0644 \u0633\u0631 \u0645\u062e\u0632\u0646 \u0641\u064a \u0627\u0644\u0645\u0646\u0635\u0629.<\/p>\n \u064a\u062a\u0643\u0631\u0631 \u0627\u0644\u0646\u0645\u0637 \u0639\u0628\u0631 \u0627\u0644\u0635\u0646\u0627\u0639\u0629:<\/p>\n \u0641\u064a \u0643\u0644 \u062d\u0627\u0644\u0629\u060c \u0643\u0627\u0646 \u0627\u0644\u0633\u0628\u0628 \u0627\u0644\u062c\u0630\u0631\u064a \u0648\u0627\u062d\u062f\u0627\u064b: \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0627\u0644\u0645\u062e\u0632\u0646\u0629 \u0641\u064a \u0628\u064a\u0626\u0627\u062a CI \u0648\u0641\u0631\u062a \u0648\u0635\u0648\u0644\u0627\u064b \u0645\u0633\u062a\u0645\u0631\u0627\u064b \u0648\u0645\u0641\u0631\u0637 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0627\u0633\u062a\u063a\u0644\u0627\u0644\u0647 \u0644\u0641\u062a\u0631\u0629 \u0637\u0648\u064a\u0644\u0629 \u0628\u0639\u062f \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0627\u0644\u0623\u0648\u0644\u064a.<\/p>\n \u064a\u0633\u062a\u0628\u062f\u0644 Workload Identity Federation \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0628\u062a\u062f\u0641\u0642 \u0645\u0635\u0627\u062f\u0642\u0629 \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a \u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0631\u0645\u0648\u0632 \u0627\u0644\u0645\u0645\u064a\u0632\u0629 \u0645\u0628\u0646\u064a \u0639\u0644\u0649 OpenID Connect (OIDC). \u0625\u0644\u064a\u0643 \u0643\u064a\u0641 \u064a\u0639\u0645\u0644 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644.<\/p>\n \u064a\u062a\u0636\u0645\u0646 \u062a\u062f\u0641\u0642 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u062b\u0644\u0627\u062b\u0629 \u0623\u0637\u0631\u0627\u0641: \u0645\u0646\u0635\u0629 CI (\u0645\u0632\u0648\u062f \u0627\u0644\u0647\u0648\u064a\u0629)\u060c \u0648\u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 (\u0627\u0644\u0637\u0631\u0641 \u0627\u0644\u0645\u0639\u062a\u0645\u062f)\u060c \u0648\u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0623\u0646\u0628\u0648\u0628 (\u062d\u0645\u0644 \u0627\u0644\u0639\u0645\u0644).<\/p>\n \u0623\u0633\u0627\u0633 Workload Identity Federation \u0647\u0648 \u0639\u0644\u0627\u0642\u0629 \u062b\u0642\u0629 \u0628\u064a\u0646 \u0646\u0638\u0627\u0645 IAM \u0644\u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0648\u0645\u0632\u0648\u062f OIDC \u0644\u0645\u0646\u0635\u0629 CI. \u064a\u062a\u0645 \u062a\u0643\u0648\u064a\u0646 \u0647\u0630\u0627 \u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629:<\/p>\n \u062a\u0623\u062a\u064a \u0627\u0644\u0642\u0648\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062d\u0642\u064a\u0642\u064a\u0629 \u0644\u0640 OIDC federation \u0645\u0646 \u0627\u0644\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a. \u064a\u062d\u062a\u0648\u064a JWT \u0627\u0644\u0635\u0627\u062f\u0631 \u0645\u0646 \u0645\u0646\u0635\u0629 CI \u0639\u0644\u0649 \u0645\u0637\u0627\u0644\u0628\u0627\u062a \u0633\u064a\u0627\u0642\u064a\u0629 \u063a\u0646\u064a\u0629. \u062a\u0643\u0648\u0651\u0646 \u0645\u0632\u0648\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0644\u0642\u0628\u0648\u0644 \u0627\u0644\u0631\u0645\u0648\u0632 \u0627\u0644\u062a\u064a \u062a\u062a\u0637\u0627\u0628\u0642 \u0645\u0637\u0627\u0644\u0628\u0627\u062a\u0647\u0627 \u0645\u0639 \u0634\u0631\u0648\u0637 \u0645\u062d\u062f\u062f\u0629 \u0641\u0642\u0637:<\/p>\n \u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646\u0647 \u062d\u062a\u0649 \u0644\u0648 \u0627\u062e\u062a\u0631\u0642 \u0645\u0647\u0627\u062c\u0645 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u064b \u0622\u062e\u0631 \u0641\u064a \u0646\u0641\u0633 \u0645\u0624\u0633\u0633\u0629 GitHub\u060c \u0641\u0644\u0646 \u064a\u062a\u0645\u0643\u0646 \u0645\u0646 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062d\u062f\u062f\u0629 \u0628\u062f\u0648\u0631 \u0646\u0634\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u2014 \u0644\u0646 \u062a\u062a\u0637\u0627\u0628\u0642 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a.<\/p>\n \u064a\u062a\u0645\u062a\u0639 GitHub Actions \u0628\u062f\u0639\u0645 OIDC \u0623\u0635\u0644\u064a. \u064a\u0645\u0643\u0646 \u0644\u0643\u0644 \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0637\u0644\u0628 JWT \u0645\u0648\u0642\u0651\u0639 \u0645\u0646 \u0645\u0632\u0648\u062f OIDC \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 GitHub \u0639\u0644\u0649 \u0623\u0648\u0644\u0627\u064b\u060c \u0623\u0646\u0634\u0626 \u0645\u0632\u0648\u062f OIDC \u0648\u062f\u0648\u0631 IAM \u0641\u064a AWS. \u0625\u0644\u064a\u0643 \u062a\u0643\u0648\u064a\u0646 Terraform:<\/p>\n \u062b\u0645 \u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u062f\u0648\u0631 \u0641\u064a \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0627\u0644\u062e\u0627\u0635 \u0628\u0643:<\/p>\n \u064a\u0633\u062a\u062e\u062f\u0645 GCP \u062e\u0627\u0635\u064a\u0629 Workload Identity Federation \u0645\u0639 pools \u0648 providers. \u0625\u0644\u064a\u0643 \u0627\u0644\u0625\u0639\u062f\u0627\u062f \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0644\u0640 GCP:<\/p>\n \u064a\u062f\u0639\u0645 Azure \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0641\u064a\u062f\u0631\u0627\u0644\u064a\u0629 \u0639\u0644\u0649 App Registrations \u0648 Managed Identities. \u0623\u0646\u0634\u0626 \u0627\u0644\u0631\u0628\u0637 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Azure CLI:<\/p>\n \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0644\u0640 Azure:<\/p>\n \u0645\u0644\u0627\u062d\u0638\u0629:<\/strong> \u0645\u0639 Azure OIDC\u060c \u0644\u0627 \u062a\u0632\u0627\u0644 \u062a\u062e\u0632\u0646 client ID \u0648 tenant ID \u0648 subscription ID \u0643\u0623\u0633\u0631\u0627\u0631 \u2014 \u0644\u0643\u0646\u0647\u0627 \u0645\u0639\u0631\u0651\u0641\u0627\u062a \u063a\u064a\u0631 \u062d\u0633\u0627\u0633\u0629\u060c \u0648\u0644\u064a\u0633\u062a \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0644\u0644\u0645\u0635\u0627\u062f\u0642\u0629. \u0644\u0627 \u062d\u0627\u062c\u0629 \u0644\u0640 client secret.<\/p>\n \u064a\u062a\u0628\u0639 \u0645\u0637\u0627\u0644\u0628\u0629 subject \u0641\u064a \u0631\u0645\u0648\u0632 OIDC \u0644\u0640 GitHub Actions \u062a\u0646\u0633\u064a\u0642\u0627\u064b \u064a\u0645\u0643\u0646 \u0627\u0644\u062a\u0646\u0628\u0624 \u0628\u0647. \u0627\u0633\u062a\u062e\u062f\u0645 \u0647\u0630\u0647 \u0627\u0644\u0623\u0646\u0645\u0627\u0637 \u0641\u064a \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062b\u0642\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643:<\/p>\n \u0627\u0633\u062a\u062e\u062f\u0645 \u062f\u0627\u0626\u0645\u0627\u064b \u0634\u0631\u0637 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u0623\u0643\u062b\u0631 \u062a\u0642\u064a\u064a\u062f\u0627\u064b. \u062a\u062c\u0646\u0628 \u0623\u062d\u0631\u0641 \u0627\u0644\u0628\u062f\u0644 \u0645\u062b\u0644 \u0642\u062f\u0651\u0645 GitLab CI \u062f\u0639\u0645 OIDC \u0623\u0635\u0644\u064a\u0627\u064b \u0645\u0639 \u0643\u0644\u0645\u0629 \u0641\u064a GitLab CI\u060c \u062a\u0639\u0644\u0646 \u0639\u0646 \u0631\u0645\u0648\u0632 OIDC \u0641\u064a \u062a\u0643\u0648\u064a\u0646 \u0627\u0644\u0645\u0647\u0645\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0643\u0644\u0645\u0629 \u064a\u0633\u062a\u062e\u062f\u0645 \u0645\u0632\u0648\u062f IAM OIDC \u0644\u0640 GitLab \u0639\u0646\u0648\u0627\u0646 URL \u0645\u064f\u0635\u062f\u0631 \u0645\u062e\u062a\u0644\u0641\u0627\u064b:<\/p>\n \u0645\u0647\u0645\u0629 GitLab CI \u0627\u0644\u0645\u0642\u0627\u0628\u0644\u0629 \u0644\u0640 GCP:<\/p>\n \u062a\u0633\u062a\u062e\u062f\u0645 \u0631\u0645\u0648\u0632 OIDC \u0644\u0640 GitLab \u062a\u0646\u0633\u064a\u0642 \u0645\u0637\u0627\u0644\u0628\u0629 subject \u0645\u062e\u062a\u0644\u0641\u0627\u064b \u0639\u0646 GitHub Actions:<\/p>\n \u064a\u062a\u0636\u0645\u0646 GitLab \u0623\u064a\u0636\u0627\u064b \u0645\u0637\u0627\u0644\u0628\u0627\u062a \u0625\u0636\u0627\u0641\u064a\u0629 \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u0627 \u0644\u0644\u062a\u0635\u0641\u064a\u0629:<\/p>\n \u0645\u0637\u0627\u0644\u0628\u0629 \u064a\u0645\u0643\u0646 \u0644\u0640 HashiCorp Vault \u0623\u0646 \u064a\u0639\u0645\u0644 \u0643\u0648\u0633\u064a\u0637 \u0647\u0648\u064a\u0629 \u0628\u064a\u0646 \u0645\u0646\u0635\u0629 CI \u0648\u0645\u0632\u0648\u062f\u064a \u0627\u0644\u0633\u062d\u0627\u0628\u0629. \u0647\u0630\u0627 \u0645\u0641\u064a\u062f \u0639\u0646\u062f\u0645\u0627 \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0625\u062f\u0627\u0631\u0629 \u0645\u0631\u0643\u0632\u064a\u0629 \u0644\u0644\u0623\u0633\u0631\u0627\u0631\u060c \u0623\u0648 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629 \u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0623\u0648 \u062e\u062f\u0645\u0627\u062a \u0623\u062e\u0631\u0649 \u063a\u064a\u0631 \u0633\u062d\u0627\u0628\u064a\u0629\u060c \u0623\u0648 \u0633\u062c\u0644 \u062a\u062f\u0642\u064a\u0642 \u0645\u0648\u062d\u0651\u062f \u0639\u0628\u0631 \u062c\u0645\u064a\u0639 \u0645\u0646\u0635\u0627\u062a CI.<\/p>\n \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Vault \u0643\u0648\u0633\u064a\u0637:<\/p>\n \u0623\u0646\u0634\u0626 \u0623\u062f\u0648\u0627\u0631 IAM \u0645\u0646\u0641\u0635\u0644\u0629 \u0644\u0643\u0644 \u0628\u064a\u0626\u0629\u060c \u0643\u0644 \u0645\u0646\u0647\u0627 \u0628\u0633\u064a\u0627\u0633\u0627\u062a \u062b\u0642\u0629 \u0623\u0643\u062b\u0631 \u0635\u0631\u0627\u0645\u0629 \u062a\u062f\u0631\u064a\u062c\u064a\u0627\u064b:<\/p>\n \u0641\u064a GitHub Actions\u060c \u0627\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0644\u062a\u062d\u062f\u064a\u062f \u0646\u0637\u0627\u0642 \u0631\u0645\u0632 OIDC \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b:<\/p>\n \u0625\u0630\u0627 \u0643\u0627\u0646 \u0623\u0646\u0628\u0648\u0628 CI \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u064a\u0646\u0634\u0631 \u0625\u0644\u0649 Kubernetes\u060c \u064a\u0645\u0643\u0646\u0643 \u062a\u0633\u0644\u0633\u0644 \u0627\u0644\u0647\u0648\u064a\u0627\u062a: \u064a\u0635\u0627\u062f\u0642 \u0645\u064f\u0634\u063a\u0651\u0644 CI \u0639\u0644\u0649 \u0627\u0644\u0643\u062a\u0644\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 OIDC\u060c \u0648\u062a\u0633\u062a\u062e\u062f\u0645 pods \u0641\u064a \u0627\u0644\u0643\u062a\u0644\u0629 Kubernetes Workload Identity \u0644\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629:<\/p>\n \u0644\u0644\u0645\u0624\u0633\u0633\u0627\u062a \u0627\u0644\u062a\u064a \u0644\u062f\u064a\u0647\u0627 \u062d\u0633\u0627\u0628\u0627\u062a AWS \u0645\u062a\u0639\u062f\u062f\u0629\u060c \u064a\u0645\u0643\u0646\u0643 \u062a\u0633\u0644\u0633\u0644 \u0627\u0641\u062a\u0631\u0627\u0636\u0627\u062a \u0627\u0644\u0623\u062f\u0648\u0627\u0631. \u064a\u0641\u062a\u0631\u0636 \u0645\u064f\u0634\u063a\u0651\u0644 CI \u062f\u0648\u0631\u0627\u064b \u0641\u064a \u062d\u0633\u0627\u0628 “CI” \u0645\u0631\u0643\u0632\u064a \u0639\u0628\u0631 OIDC\u060c \u062b\u0645 \u064a\u0641\u062a\u0631\u0636 \u0623\u062f\u0648\u0627\u0631\u0627\u064b \u0641\u064a \u0627\u0644\u062d\u0633\u0627\u0628\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629:<\/p>\n \u062a\u0633\u062a\u0641\u064a\u062f \u0639\u0645\u0644\u064a\u0627\u062a \u0646\u0634\u0631 Terraform \u0628\u0634\u0643\u0644 \u0643\u0628\u064a\u0631 \u0645\u0646 OIDC \u0644\u0623\u0646\u0647\u0627 \u062a\u062a\u0637\u0644\u0628 \u0639\u0627\u062f\u0629\u064b \u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0628\u0646\u064a\u0629 \u062a\u062d\u062a\u064a\u0629 \u0648\u0627\u0633\u0639\u0629. \u0643\u0648\u0651\u0646 \u0645\u0632\u0648\u062f AWS \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062f\u0648\u0631 \u0627\u0644\u0645\u0641\u062a\u0631\u0636 \u0639\u0628\u0631 OIDC:<\/p>\n \u064a\u064f\u0639\u062f Workload Identity Federation \u062a\u062d\u0633\u064a\u0646\u0627\u064b \u0647\u0627\u0626\u0644\u0627\u064b \u0645\u0642\u0627\u0631\u0646\u0629 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631\u060c \u0644\u0643\u0646\u0647 \u0644\u064a\u0633 \u0645\u0636\u0645\u0648\u0646\u0627\u064b \u0628\u0627\u0644\u0643\u0627\u0645\u0644. \u0625\u0644\u064a\u0643 \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u0627\u0644\u062a\u064a \u064a\u062c\u0628 \u0627\u0644\u0627\u0646\u062a\u0628\u0627\u0647 \u0625\u0644\u064a\u0647\u0627 \u0648\u0627\u0644\u062a\u062e\u0641\u064a\u0641 \u0645\u0646\u0647\u0627.<\/p>\n \u0627\u0644\u062e\u0637\u0623 \u0627\u0644\u0623\u0643\u062b\u0631 \u0634\u064a\u0648\u0639\u0627\u064b \u0647\u0648 \u062a\u0643\u0648\u064a\u0646 \u0633\u064a\u0627\u0633\u0627\u062a \u062b\u0642\u0629 \u0645\u062a\u0633\u0627\u0647\u0644\u0629 \u062c\u062f\u0627\u064b. \u0623\u0645\u062b\u0644\u0629 \u0639\u0644\u0649 \u0627\u0644\u062a\u0643\u0648\u064a\u0646\u0627\u062a \u0627\u0644\u062e\u0637\u0631\u0629:<\/p>\n \u0627\u062a\u0628\u0639 \u062f\u0627\u0626\u0645\u0627\u064b \u0645\u0628\u062f\u0623 \u0623\u0642\u0644 \u0627\u0644\u0627\u0645\u062a\u064a\u0627\u0632\u0627\u062a: \u0642\u064a\u0651\u062f \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0627\u0644\u0641\u0631\u0639 \u0648\u0627\u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0629.<\/p>\n \u062a\u062d\u062f\u062f \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u062c\u0645\u0647\u0648\u0631 ( \u0625\u0630\u0627 \u062a\u0645 \u0627\u062e\u062a\u0631\u0627\u0642 \u0645\u0632\u0648\u062f OIDC \u0644\u0645\u0646\u0635\u0629 CI (\u0645\u062b\u0644\u0627\u064b\u060c \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u062a\u0632\u0648\u064a\u0631 JWTs)\u060c \u0641\u0625\u0646 \u062c\u0645\u064a\u0639 \u0639\u0644\u0627\u0642\u0627\u062a \u0627\u0644\u062b\u0642\u0629 \u0627\u0644\u0645\u0628\u0646\u064a\u0629 \u0639\u0644\u0649 \u0647\u0630\u0627 \u0627\u0644\u0645\u0632\u0648\u062f \u062a\u064f\u062e\u062a\u0631\u0642. \u062a\u0634\u0645\u0644 \u0627\u0644\u062a\u062e\u0641\u064a\u0641\u0627\u062a:<\/p>\n \u064a\u062c\u0628 \u0645\u0631\u0627\u0642\u0628\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0641\u064a\u062f\u0631\u0627\u0644\u064a \u0645\u062b\u0644 \u0623\u064a \u0645\u0635\u0627\u062f\u0642\u0629 \u0623\u062e\u0631\u0649. \u0623\u0639\u062f\u0651 \u062a\u0646\u0628\u064a\u0647\u0627\u062a \u0644\u0640:<\/p>\n \u064a\u0639\u062a\u0645\u062f OIDC federation \u0639\u0644\u0649 \u062e\u062f\u0645\u0627\u062a \u062e\u0627\u0631\u062c\u064a\u0629 (\u0646\u0642\u0637\u0629 \u0646\u0647\u0627\u064a\u0629 OIDC \u0644\u0645\u0646\u0635\u0629 CI\u060c \u0648 STS \u0627\u0644\u0633\u062d\u0627\u0628\u064a). \u062e\u0637\u0637 \u0644\u062d\u0627\u0644\u0627\u062a \u0627\u0644\u0627\u0646\u0642\u0637\u0627\u0639:<\/p>\n \u0627\u0644\u062a\u0631\u062d\u064a\u0644 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0625\u0644\u0649 Workload Identity Federation \u0647\u0648 \u062a\u063a\u064a\u064a\u0631 \u0639\u0627\u0644\u064a \u0627\u0644\u0642\u064a\u0645\u0629 \u0648\u0645\u0646\u062e\u0641\u0636 \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u0639\u0646\u062f \u062a\u0646\u0641\u064a\u0630\u0647 \u0628\u0634\u0643\u0644 \u0645\u0646\u0647\u062c\u064a. \u0625\u0644\u064a\u0643 \u0646\u0647\u062c\u0627\u064b \u0645\u0631\u062d\u0644\u064a\u0627\u064b.<\/p>\n \u0627\u0628\u062f\u0623 \u0628\u0641\u0647\u0631\u0633\u0629 \u0643\u0644 \u0633\u0631 \u0641\u064a \u0645\u0646\u0635\u0629 CI\/CD \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643:<\/p>\n \u0644\u0643\u0644 \u0633\u0631\u060c \u0648\u062b\u0651\u0642:<\/p>\n \u0645\u0631\u0634\u062d\u0648\u0646 \u062c\u064a\u062f\u0648\u0646 \u0644\u0627\u0633\u062a\u0628\u062f\u0627\u0644 OIDC:<\/p>\n \u0644\u064a\u0633\u0648\u0627 \u0645\u0631\u0634\u062d\u064a\u0646 \u0644\u0640 OIDC (\u062a\u062a\u0637\u0644\u0628 \u0646\u0647\u062c\u0627\u064b \u0645\u062e\u062a\u0644\u0641\u0627\u064b):<\/p>\n \u0628\u0639\u062f \u0623\u0646 \u064a\u0639\u0645\u0644 OIDC \u0628\u0634\u0643\u0644 \u0645\u0648\u062b\u0648\u0642:<\/p>\n \u062a\u0623\u0643\u062f \u0645\u0646 \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u062a\u0631\u062d\u064a\u0644:<\/p>\n \u064a\u064f\u0639\u062f Workload Identity Federation \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u0623\u0643\u062b\u0631 \u062a\u0623\u062b\u064a\u0631\u0627\u064b \u0627\u0644\u0630\u064a \u064a\u0645\u0643\u0646 \u0644\u0645\u0639\u0638\u0645 \u0627\u0644\u0641\u0631\u0642 \u0625\u062c\u0631\u0627\u0624\u0647 \u0639\u0644\u0649 \u0648\u0636\u0639\u0647\u0645 \u0627\u0644\u0623\u0645\u0646\u064a \u0641\u064a CI\/CD. \u0641\u0647\u0648 \u064a\u0632\u064a\u0644 \u0623\u0643\u062b\u0631 \u0646\u0627\u0642\u0644\u0627\u062a \u0627\u0644\u0647\u062c\u0648\u0645 \u0634\u064a\u0648\u0639\u0627\u064b \u2014 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u2014 \u0648\u064a\u0633\u062a\u0628\u062f\u0644\u0647\u0627 \u0628\u0646\u0638\u0627\u0645 \u0623\u0643\u062b\u0631 \u0623\u0645\u0627\u0646\u0627\u064b \u0628\u0634\u0643\u0644 \u0627\u0641\u062a\u0631\u0627\u0636\u064a: \u0642\u0635\u064a\u0631 \u0627\u0644\u0639\u0645\u0631\u060c \u0648\u0645\u062d\u062f\u062f \u0627\u0644\u0646\u0637\u0627\u0642 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b\u060c \u0648\u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u062f\u0642\u064a\u0642\u060c \u0648\u0645\u0642\u0627\u0648\u0645 \u0644\u0644\u062d\u0631\u0643\u0629 \u0627\u0644\u062c\u0627\u0646\u0628\u064a\u0629.<\/p>\n \u0645\u0633\u0627\u0631 \u0627\u0644\u062a\u0631\u062d\u064a\u0644 \u0648\u0627\u0636\u062d \u0648\u0645\u0628\u0627\u0634\u0631. \u0627\u0628\u062f\u0623 \u0628\u0623\u0646\u0628\u0648\u0628 \u0648\u0627\u062d\u062f \u0648\u0645\u0632\u0648\u062f \u0633\u062d\u0627\u0628\u0629 \u0648\u0627\u062d\u062f. \u0623\u0639\u062f\u0651 \u0639\u0644\u0627\u0642\u0629 \u062b\u0642\u0629 OIDC\u060c \u0648\u062d\u062f\u0651\u062b \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0627\u0644\u0641\u064a\u062f\u0631\u0627\u0644\u064a\u0629\u060c \u0648\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646\u0647 \u064a\u0639\u0645\u0644\u060c \u0648\u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 \u0627\u0644\u0623\u0646\u0628\u0648\u0628 \u0627\u0644\u062a\u0627\u0644\u064a. \u0641\u064a \u063a\u0636\u0648\u0646 \u0623\u0633\u0627\u0628\u064a\u0639 \u0642\u0644\u064a\u0644\u0629\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u062a\u062e\u0644\u0635 \u0645\u0646 \u0643\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0645\u0646 \u0645\u0646\u0635\u0629 CI\/CD \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0646\u0627\u0636\u062c\u0629 \u0648\u0645\u062f\u0639\u0648\u0645\u0629 \u062c\u064a\u062f\u0627\u064b. \u064a\u062a\u0645\u062a\u0639 GitHub Actions \u0648 GitLab CI \u0648\u062c\u0645\u064a\u0639 \u0645\u0632\u0648\u062f\u064a \u0627\u0644\u0633\u062d\u0627\u0628\u0629 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u064a\u0646 \u0627\u0644\u062b\u0644\u0627\u062b\u0629 \u0628\u062f\u0639\u0645 OIDC federation \u062c\u0627\u0647\u0632 \u0644\u0644\u0625\u0646\u062a\u0627\u062c. \u062a\u062a\u0639\u0627\u0645\u0644 \u0625\u062c\u0631\u0627\u0621\u0627\u062a GitHub Actions \u0627\u0644\u0631\u0633\u0645\u064a\u0629 ( \u0644\u0627 \u064a\u0648\u062c\u062f \u0633\u0628\u0628 \u0644\u0644\u0627\u062d\u062a\u0641\u0627\u0638 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0641\u064a \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u0627\u0644\u0645\u062e\u0627\u0637\u0631 \u0639\u0627\u0644\u064a\u0629\u060c \u0648\u062a\u0643\u0644\u0641\u0629 \u0627\u0644\u062a\u0631\u062d\u064a\u0644 \u0645\u0646\u062e\u0641\u0636\u0629\u060c \u0648\u0627\u0644\u062a\u062d\u0633\u064a\u0646 \u0627\u0644\u0623\u0645\u0646\u064a \u0641\u0648\u0631\u064a. \u0627\u0628\u062f\u0623 \u0627\u0644\u064a\u0648\u0645.<\/p>\n","protected":false},"excerpt":{"rendered":" \u0625\u0630\u0627 \u0642\u0645\u062a \u0628\u062a\u062f\u0642\u064a\u0642 \u0645\u062e\u0627\u0632\u0646 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0645\u0639\u0638\u0645 \u0645\u0646\u0635\u0627\u062a CI\/CD \u0627\u0644\u064a\u0648\u0645\u060c \u0633\u062a\u062c\u062f \u0645\u0642\u0628\u0631\u0629 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631. \u064a\u0634\u0631\u062d \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0643\u064a\u0641 \u064a\u0632\u064a\u0644 Workload Identity Federation \u0648 OIDC federation \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 \u0627\u0633\u062a\u0628\u062f\u0627\u0644\u0647\u0627 \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0648\u0645\u062d\u062f\u062f\u0629 \u0627\u0644\u0646\u0637\u0627\u0642 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,28],"tags":[],"post_folder":[],"class_list":["post-785","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-pipeline-hardening"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=785"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/785\/revisions"}],"predecessor-version":[{"id":786,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/785\/revisions\/786"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=785"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0645\u0634\u0643\u0644\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631<\/h2>\n
\u0639\u062f\u0645 \u0648\u062c\u0648\u062f \u0627\u0646\u062a\u0647\u0627\u0621 \u0635\u0644\u0627\u062d\u064a\u0629 \u0623\u0648 \u062a\u062f\u0648\u064a\u0631 \u062a\u0644\u0642\u0627\u0626\u064a<\/h3>\n
\u0646\u0637\u0627\u0642 \u0627\u0646\u0641\u062c\u0627\u0631 \u0648\u0627\u0633\u0639<\/h3>\n
\u0635\u0639\u0648\u0628\u0629 \u0627\u0644\u062a\u062f\u0642\u064a\u0642<\/h3>\n
\n
\u0645\u062e\u0632\u0651\u0646\u0629 \u0641\u064a \u0645\u062e\u0627\u0632\u0646 \u0623\u0633\u0631\u0627\u0631 \u0645\u0646\u0635\u0627\u062a CI<\/h3>\n
\u0627\u062e\u062a\u0631\u0627\u0642\u0627\u062a \u0648\u0627\u0642\u0639\u064a\u0629<\/h3>\n
\n
\u0643\u064a\u0641 \u064a\u0639\u0645\u0644 Workload Identity Federation<\/h2>\n
\u062a\u062f\u0641\u0642 OIDC<\/h3>\n
\n
\u0639\u0644\u0627\u0642\u0629 \u0627\u0644\u062b\u0642\u0629<\/h3>\n
\n
token.actions.githubusercontent.com<\/code> (\u0644\u0640 GitHub Actions) \u0623\u0648 gitlab.com<\/code> (\u0644\u0640 GitLab).<\/li>\n\u0627\u0644\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a<\/h3>\n
\n
my-org\/my-repo<\/code> \u0641\u0642\u0637<\/li>\nmain<\/code> \u0641\u0642\u0637<\/li>\nproduction<\/code> \u0641\u0642\u0637<\/li>\n\u062a\u0635\u0648\u0651\u0631 \u0627\u0644\u062a\u062f\u0641\u0642<\/h3>\n
\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 1. Request JWT \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 CI Runner \u2502 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25b6 \u2502 CI OIDC Provider \u2502\n\u2502 (Pipeline) \u2502 \u25c0\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2502 (GitHub\/GitLab) \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 2. Signed JWT \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n \u2502 \u2502\n \u2502 3. Present JWT + \u2502\n \u2502 Request credentials \u2502\n \u25bc \u2502\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 4. Validate JWT \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Cloud IAM \u2502 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25b6 \u2502 OIDC Discovery \u2502\n\u2502 (STS) \u2502 (fetch public keys) \u2502 + JWKS Endpoint \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n \u2502\n \u2502 5. Issue short-lived\n \u2502 credentials (1hr)\n \u25bc\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Cloud APIs \u2502\n\u2502 (S3, GCS, \u2502\n\u2502 etc.) \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/code><\/pre>\nGitHub Actions OIDC Federation<\/h2>\n
token.actions.githubusercontent.com<\/code>. \u0625\u0644\u064a\u0643 \u0643\u064a\u0641\u064a\u0629 \u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0631\u0628\u0637 \u0645\u0639 \u0643\u0644 \u0645\u0632\u0648\u062f \u0633\u062d\u0627\u0628\u0629 \u0631\u0626\u064a\u0633\u064a.<\/p>\nAWS: IAM OIDC Provider + IAM Role<\/h3>\n
# Terraform: AWS OIDC Provider for GitHub Actions\nresource \"aws_iam_openid_connect_provider\" \"github_actions\" {\n url = \"https:\/\/token.actions.githubusercontent.com\"\n client_id_list = [\"sts.amazonaws.com\"]\n thumbprint_list = [\"6938fd4d98bab03faadb97b34396831e3780aea1\"]\n}\n\n# IAM Role that GitHub Actions can assume\nresource \"aws_iam_role\" \"github_actions_deploy\" {\n name = \"github-actions-deploy\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Principal = {\n Federated = aws_iam_openid_connect_provider.github_actions.arn\n }\n Action = \"sts:AssumeRoleWithWebIdentity\"\n Condition = {\n StringEquals = {\n \"token.actions.githubusercontent.com:aud\" = \"sts.amazonaws.com\"\n }\n StringLike = {\n \"token.actions.githubusercontent.com:sub\" = \"repo:my-org\/my-repo:ref:refs\/heads\/main\"\n }\n }\n }\n ]\n })\n}\n\n# Attach permissions to the role\nresource \"aws_iam_role_policy_attachment\" \"deploy_policy\" {\n role = aws_iam_role.github_actions_deploy.name\n policy_arn = \"arn:aws:iam::policy\/my-deploy-policy\"\n}\n<\/code><\/pre>\n# .github\/workflows\/deploy.yml\nname: Deploy to AWS\non:\n push:\n branches: [main]\n\npermissions:\n id-token: write # Required for OIDC\n contents: read\n\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n\n - name: Configure AWS Credentials\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/github-actions-deploy\n aws-region: us-east-1\n role-session-name: github-actions-deploy-${{ github.run_id }}\n\n - name: Deploy\n run: |\n aws s3 sync .\/dist s3:\/\/my-bucket\/\n aws cloudfront create-invalidation --distribution-id E12345 --paths \"\/*\"\n<\/code><\/pre>\nGCP: Workload Identity Pool + Provider<\/h3>\n
gcloud<\/code> CLI:<\/p>\n# Create the Workload Identity Pool\ngcloud iam workload-identity-pools create \"github-actions-pool\" \\\n --project=\"my-project\" \\\n --location=\"global\" \\\n --display-name=\"GitHub Actions Pool\"\n\n# Create the OIDC Provider\ngcloud iam workload-identity-pools providers create-oidc \"github-provider\" \\\n --project=\"my-project\" \\\n --location=\"global\" \\\n --workload-identity-pool=\"github-actions-pool\" \\\n --display-name=\"GitHub OIDC\" \\\n --attribute-mapping=\"google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.ref=assertion.ref\" \\\n --issuer-uri=\"https:\/\/token.actions.githubusercontent.com\" \\\n --attribute-condition=\"assertion.repository_owner=='my-org'\"\n\n# Grant the pool access to a service account\ngcloud iam service-accounts add-iam-policy-binding \\\n deploy-sa@my-project.iam.gserviceaccount.com \\\n --project=\"my-project\" \\\n --role=\"roles\/iam.workloadIdentityUser\" \\\n --member=\"principalSet:\/\/iam.googleapis.com\/projects\/PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/github-actions-pool\/attribute.repository\/my-org\/my-repo\"\n<\/code><\/pre>\n# .github\/workflows\/deploy-gcp.yml\nname: Deploy to GCP\non:\n push:\n branches: [main]\n\npermissions:\n id-token: write\n contents: read\n\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n\n - name: Authenticate to GCP\n uses: google-github-actions\/auth@v2\n with:\n workload_identity_provider: \"projects\/PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/github-actions-pool\/providers\/github-provider\"\n service_account: \"deploy-sa@my-project.iam.gserviceaccount.com\"\n\n - name: Set up Cloud SDK\n uses: google-github-actions\/setup-gcloud@v2\n\n - name: Deploy to Cloud Run\n run: |\n gcloud run deploy my-service \\\n --image gcr.io\/my-project\/my-app:${{ github.sha }} \\\n --region us-central1\n<\/code><\/pre>\nAzure: Federated Credentials \u0639\u0644\u0649 App Registration<\/h3>\n
# Create an App Registration\naz ad app create --display-name \"github-actions-deploy\"\n\n# Create a federated credential\naz ad app federated-credential create \\\n --id <APP_OBJECT_ID> \\\n --parameters '{\n \"name\": \"github-actions-main\",\n \"issuer\": \"https:\/\/token.actions.githubusercontent.com\",\n \"subject\": \"repo:my-org\/my-repo:ref:refs\/heads\/main\",\n \"audiences\": [\"api:\/\/AzureADTokenExchange\"],\n \"description\": \"GitHub Actions deploy from main branch\"\n }'\n\n# Create a service principal and assign roles\naz ad sp create --id <APP_CLIENT_ID>\naz role assignment create \\\n --assignee <APP_CLIENT_ID> \\\n --role \"Contributor\" \\\n --scope \/subscriptions\/<SUBSCRIPTION_ID>\/resourceGroups\/my-rg\n<\/code><\/pre>\n# .github\/workflows\/deploy-azure.yml\nname: Deploy to Azure\non:\n push:\n branches: [main]\n\npermissions:\n id-token: write\n contents: read\n\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n\n - name: Azure Login\n uses: azure\/login@v2\n with:\n client-id: ${{ secrets.AZURE_CLIENT_ID }}\n tenant-id: ${{ secrets.AZURE_TENANT_ID }}\n subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}\n\n - name: Deploy to Azure Web App\n uses: azure\/webapps-deploy@v3\n with:\n app-name: my-web-app\n package: .\/dist\n<\/code><\/pre>\n\u0634\u0631\u0648\u0637 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a: \u062a\u0642\u064a\u064a\u062f \u0627\u0644\u0648\u0635\u0648\u0644<\/h3>\n
\n
repo:my-org\/my-repo:ref:refs\/heads\/main<\/code> \u2014 \u0641\u0631\u0639 main \u0641\u0642\u0637<\/li>\nrepo:my-org\/my-repo:environment:production<\/code> \u2014 \u0628\u064a\u0626\u0629 production \u0641\u0642\u0637<\/li>\nrepo:my-org\/my-repo:pull_request<\/code> \u2014 \u0633\u064a\u0631 \u0639\u0645\u0644 pull request \u0641\u0642\u0637<\/li>\nrepo:my-org\/my-repo:ref:refs\/tags\/v*<\/code> \u2014 \u0648\u0633\u0648\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0641\u0642\u0637 (\u0627\u0633\u062a\u062e\u062f\u0645 StringLike<\/code> \u0641\u064a AWS)<\/li>\n<\/ul>\nrepo:my-org\/*<\/code> \u0645\u0627 \u0644\u0645 \u062a\u0643\u0646 \u0628\u062d\u0627\u062c\u0629 \u0641\u0639\u0644\u064a\u0629 \u0644\u0644\u0648\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0645\u0624\u0633\u0633\u0629 \u0628\u0623\u0643\u0645\u0644\u0647\u0627.<\/p>\nGitLab CI OIDC Federation<\/h2>\n
id_tokens<\/code> \u0627\u0644\u0645\u0641\u062a\u0627\u062d\u064a\u0629. \u0627\u0644\u062a\u062f\u0641\u0642 \u0645\u0634\u0627\u0628\u0647 \u0644\u0640 GitHub Actions \u0648\u0644\u0643\u0646 \u0645\u0639 \u0628\u0639\u0636 \u0627\u0644\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u0641\u064a \u0628\u0646\u064a\u0629 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a \u0648\u0627\u0644\u062a\u0643\u0648\u064a\u0646.<\/p>\n\u0637\u0644\u0628 \u0631\u0645\u0648\u0632 OIDC \u0641\u064a GitLab CI<\/h3>\n
id_tokens<\/code> \u0627\u0644\u0645\u0641\u062a\u0627\u062d\u064a\u0629:<\/p>\n# .gitlab-ci.yml\ndeploy_to_aws:\n stage: deploy\n image: amazon\/aws-cli:latest\n id_tokens:\n AWS_OIDC_TOKEN:\n aud: https:\/\/sts.amazonaws.com\n script:\n - |\n CREDENTIALS=$(aws sts assume-role-with-web-identity \\\n --role-arn arn:aws:iam::123456789012:role\/gitlab-deploy \\\n --role-session-name \"gitlab-ci-${CI_PIPELINE_ID}\" \\\n --web-identity-token \"${AWS_OIDC_TOKEN}\" \\\n --duration-seconds 3600 \\\n --query 'Credentials')\n export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.AccessKeyId')\n export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.SecretAccessKey')\n export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.SessionToken')\n aws s3 sync .\/dist s3:\/\/my-bucket\/\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n<\/code><\/pre>\n\u062a\u0643\u0648\u064a\u0646 AWS \u0644\u0640 GitLab<\/h3>\n
# Terraform: AWS OIDC Provider for GitLab\nresource \"aws_iam_openid_connect_provider\" \"gitlab\" {\n url = \"https:\/\/gitlab.com\"\n client_id_list = [\"https:\/\/sts.amazonaws.com\"]\n thumbprint_list = [\"b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a\"]\n}\n\nresource \"aws_iam_role\" \"gitlab_deploy\" {\n name = \"gitlab-deploy\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Principal = {\n Federated = aws_iam_openid_connect_provider.gitlab.arn\n }\n Action = \"sts:AssumeRoleWithWebIdentity\"\n Condition = {\n StringEquals = {\n \"gitlab.com:aud\" = \"https:\/\/sts.amazonaws.com\"\n }\n StringLike = {\n \"gitlab.com:sub\" = \"project_path:my-group\/my-project:ref_type:branch:ref:main\"\n }\n }\n }\n ]\n })\n}\n<\/code><\/pre>\nGCP Workload Identity Federation \u0644\u0640 GitLab<\/h3>\n
# Create the OIDC Provider for GitLab\ngcloud iam workload-identity-pools providers create-oidc \"gitlab-provider\" \\\n --project=\"my-project\" \\\n --location=\"global\" \\\n --workload-identity-pool=\"cicd-pool\" \\\n --display-name=\"GitLab OIDC\" \\\n --attribute-mapping=\"google.subject=assertion.sub,attribute.project_path=assertion.project_path,attribute.ref=assertion.ref\" \\\n --issuer-uri=\"https:\/\/gitlab.com\" \\\n --attribute-condition=\"assertion.namespace_path=='my-group'\"\n<\/code><\/pre>\n# .gitlab-ci.yml\ndeploy_to_gcp:\n stage: deploy\n image: google\/cloud-sdk:slim\n id_tokens:\n GCP_OIDC_TOKEN:\n aud: https:\/\/iam.googleapis.com\/projects\/PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/cicd-pool\/providers\/gitlab-provider\n script:\n - |\n echo \"${GCP_OIDC_TOKEN}\" > \/tmp\/oidc_token.txt\n gcloud iam workload-identity-pools create-cred-config \\\n \"projects\/PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/cicd-pool\/providers\/gitlab-provider\" \\\n --service-account=\"deploy-sa@my-project.iam.gserviceaccount.com\" \\\n --output-file=\/tmp\/cred_config.json \\\n --credential-source-file=\/tmp\/oidc_token.txt\n gcloud auth login --cred-file=\/tmp\/cred_config.json\n gcloud run deploy my-service --image gcr.io\/my-project\/my-app:${CI_COMMIT_SHA} --region us-central1\n rules:\n - if: $CI_COMMIT_BRANCH == \"main\"\n<\/code><\/pre>\n\u0627\u062e\u062a\u0644\u0627\u0641\u0627\u062a \u062a\u0635\u0641\u064a\u0629 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a \u0645\u0642\u0627\u0631\u0646\u0629 \u0628\u0640 GitHub Actions<\/h3>\n
\n
project_path:my-group\/my-project:ref_type:branch:ref:main<\/code><\/li>\nrepo:my-org\/my-repo:ref:refs\/heads\/main<\/code><\/li>\n<\/ul>\n\n
namespace_id<\/code> \u0648 namespace_path<\/code> \u2014 \u0645\u0633\u0627\u062d\u0629 \u0627\u0633\u0645 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u0623\u0648 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645<\/li>\nproject_id<\/code> \u0648 project_path<\/code> \u2014 \u0627\u0644\u0645\u0634\u0631\u0648\u0639 \u0627\u0644\u0645\u062d\u062f\u062f<\/li>\npipeline_source<\/code> \u2014 \u0643\u064a\u0641 \u062a\u0645 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0623\u0646\u0628\u0648\u0628 (push\u060c merge_request\u060c schedule\u060c \u0625\u0644\u062e.)<\/li>\nenvironment<\/code> \u2014 \u0628\u064a\u0626\u0629 \u0627\u0644\u0646\u0634\u0631\u060c \u0625\u0630\u0627 \u062a\u0645 \u062a\u0639\u064a\u064a\u0646\u0647\u0627<\/li>\nref_protected<\/code> \u2014 \u0645\u0627 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0645\u0631\u062c\u0639 \u0641\u0631\u0639\u0627\u064b \u0645\u062d\u0645\u064a\u0627\u064b<\/li>\n<\/ul>\nref_protected<\/code> \u0645\u0641\u064a\u062f\u0629 \u0628\u0634\u0643\u0644 \u062e\u0627\u0635: \u064a\u0645\u0643\u0646\u0643 \u062a\u0643\u0648\u064a\u0646 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062b\u0642\u0629 \u0644\u0642\u0628\u0648\u0644 \u0627\u0644\u0631\u0645\u0648\u0632 \u0645\u0646 \u0627\u0644\u0641\u0631\u0648\u0639 \u0627\u0644\u0645\u062d\u0645\u064a\u0629 \u0641\u0642\u0637\u060c \u0645\u0645\u0627 \u064a\u0636\u064a\u0641 \u0637\u0628\u0642\u0629 \u0623\u0645\u0627\u0646 \u0625\u0636\u0627\u0641\u064a\u0629.<\/p>\n\u0623\u0646\u0645\u0627\u0637 \u0645\u062a\u0642\u062f\u0645\u0629<\/h2>\n
\u062a\u0633\u0644\u0633\u0644 OIDC: \u0645\u0646 CI \u0625\u0644\u0649 Vault \u0625\u0644\u0649 \u0627\u0644\u0633\u062d\u0627\u0628\u0629<\/h3>\n
# Configure Vault JWT auth backend for GitHub Actions\nvault auth enable jwt\n\nvault write auth\/jwt\/config \\\n oidc_discovery_url=\"https:\/\/token.actions.githubusercontent.com\" \\\n bound_issuer=\"https:\/\/token.actions.githubusercontent.com\"\n\n# Create a role that maps GitHub Actions claims to Vault policies\nvault write auth\/jwt\/role\/deploy \\\n role_type=\"jwt\" \\\n bound_audiences=\"https:\/\/vault.mycompany.com\" \\\n bound_claims_type=\"glob\" \\\n bound_claims='{\"repository\":\"my-org\/my-repo\",\"ref\":\"refs\/heads\/main\"}' \\\n user_claim=\"repository\" \\\n policies=\"deploy-policy\" \\\n ttl=\"15m\"\n<\/code><\/pre>\n# .github\/workflows\/deploy-via-vault.yml\nname: Deploy via Vault\non:\n push:\n branches: [main]\n\npermissions:\n id-token: write\n contents: read\n\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\/checkout@v4\n\n - name: Import Secrets from Vault\n uses: hashicorp\/vault-action@v3\n with:\n url: https:\/\/vault.mycompany.com\n method: jwt\n role: deploy\n jwtGithubAudience: https:\/\/vault.mycompany.com\n secrets: |\n aws\/creds\/deploy access_key | AWS_ACCESS_KEY_ID ;\n aws\/creds\/deploy secret_key | AWS_SECRET_ACCESS_KEY ;\n aws\/creds\/deploy security_token | AWS_SESSION_TOKEN\n\n - name: Deploy\n run: aws s3 sync .\/dist s3:\/\/my-bucket\/\n<\/code><\/pre>\n\u0647\u0648\u064a\u0627\u062a \u0644\u0643\u0644 \u0628\u064a\u0626\u0629<\/h3>\n
# Terraform: Per-environment roles\nlocals {\n environments = {\n dev = {\n branch = \"*\"\n condition = \"StringLike\"\n }\n staging = {\n branch = \"refs\/heads\/main\"\n condition = \"StringEquals\"\n }\n production = {\n branch = \"refs\/heads\/main\"\n condition = \"StringEquals\"\n }\n }\n}\n\nresource \"aws_iam_role\" \"deploy\" {\n for_each = local.environments\n name = \"github-actions-deploy-${each.key}\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Principal = {\n Federated = aws_iam_openid_connect_provider.github_actions.arn\n }\n Action = \"sts:AssumeRoleWithWebIdentity\"\n Condition = {\n StringEquals = {\n \"token.actions.githubusercontent.com:aud\" = \"sts.amazonaws.com\"\n }\n (each.value.condition) = {\n \"token.actions.githubusercontent.com:sub\" = \"repo:my-org\/my-repo:environment:${each.key}\"\n }\n }\n }\n ]\n })\n}\n<\/code><\/pre>\njobs:\n deploy-prod:\n runs-on: ubuntu-latest\n environment: production # This changes the OIDC subject claim\n steps:\n - uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/github-actions-deploy-production\n aws-region: us-east-1\n<\/code><\/pre>\nKubernetes Workload Identity \u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u0646\u0634\u0631<\/h3>\n
# GKE Workload Identity: Annotate the Kubernetes service account\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: app-deploy-sa\n namespace: production\n annotations:\n iam.gke.io\/gcp-service-account: app-sa@my-project.iam.gserviceaccount.com\n<\/code><\/pre>\n\u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0648\u0635\u0648\u0644 \u0639\u0628\u0631 \u0627\u0644\u062d\u0633\u0627\u0628\u0627\u062a<\/h3>\n
# Step 1: Assume the hub role via OIDC\n- uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::HUB_ACCOUNT:role\/github-actions-hub\n aws-region: us-east-1\n\n# Step 2: Assume a role in the target account\n- uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::TARGET_ACCOUNT:role\/deploy-role\n aws-region: us-east-1\n role-chaining: true\n<\/code><\/pre>\n\u062f\u0645\u062c OIDC \u0645\u0639 Terraform<\/h3>\n
# terraform\/providers.tf\nprovider \"aws\" {\n region = \"us-east-1\"\n\n # No credentials configured here \u2014 they come from\n # the environment variables set by the OIDC step\n default_tags {\n tags = {\n ManagedBy = \"terraform\"\n Repository = \"my-org\/my-infra\"\n Environment = var.environment\n }\n }\n}\n\n# terraform\/backend.tf\nterraform {\n backend \"s3\" {\n bucket = \"my-terraform-state\"\n key = \"infra\/terraform.tfstate\"\n region = \"us-east-1\"\n # State backend also uses the OIDC credentials\n # No access_key or secret_key needed\n }\n}\n<\/code><\/pre>\n\u0627\u0639\u062a\u0628\u0627\u0631\u0627\u062a \u0623\u0645\u0646\u064a\u0629<\/h2>\n
\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062b\u0642\u0629 \u0627\u0644\u0648\u0627\u0633\u0639\u0629 \u0628\u0634\u0643\u0644 \u0645\u0641\u0631\u0637<\/h3>\n
\n
repo:my-org\/*<\/code> \u064a\u0639\u0646\u064a \u0623\u0646 \u0623\u064a \u0645\u0633\u062a\u0648\u062f\u0639 \u0641\u064a \u0627\u0644\u0645\u0624\u0633\u0633\u0629 \u064a\u0645\u0643\u0646\u0647 \u0627\u0641\u062a\u0631\u0627\u0636 \u0627\u0644\u062f\u0648\u0631. \u0645\u0633\u062a\u0648\u062f\u0639 \u0645\u062e\u062a\u0631\u0642 \u0623\u0648 \u062e\u0628\u064a\u062b \u064a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0648\u0635\u0648\u0644 \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/li>\nrepo:my-org\/my-repo:*<\/code> \u064a\u0639\u0646\u064a \u0623\u0646 \u0641\u0631\u0639\u0627\u064b \u0628\u0643\u0648\u062f \u063a\u064a\u0631 \u0645\u062e\u062a\u0628\u0631 \u064a\u0645\u0643\u0646\u0647 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0625\u0646\u062a\u0627\u062c.<\/li>\naud<\/code>\u060c \u064a\u0645\u0643\u0646 \u0625\u0639\u0627\u062f\u0629 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0631\u0645\u0648\u0632 \u0627\u0644\u0645\u062e\u0635\u0635\u0629 \u0644\u062e\u062f\u0645\u0629 \u0648\u0627\u062d\u062f\u0629 \u0636\u062f \u062e\u062f\u0645\u0629 \u0623\u062e\u0631\u0649.<\/li>\n<\/ul>\n\u062e\u0637\u0623 \u062a\u0643\u0648\u064a\u0646 \u062c\u0645\u0647\u0648\u0631 \u0627\u0644\u0631\u0645\u0632<\/h3>\n
aud<\/code>) \u0627\u0644\u0645\u0633\u062a\u0644\u0645 \u0627\u0644\u0645\u0642\u0635\u0648\u062f \u0644\u0644\u0631\u0645\u0632. \u0625\u0630\u0627 \u0644\u0645 \u062a\u062a\u062d\u0642\u0642 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0645\u0646 \u0627\u0644\u062c\u0645\u0647\u0648\u0631\u060c \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0644\u0630\u064a \u064a\u062d\u0635\u0644 \u0639\u0644\u0649 \u0631\u0645\u0632 \u0645\u062e\u0635\u0635 \u0644\u062e\u062f\u0645\u0629 \u0645\u062e\u062a\u0644\u0641\u0629 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647 \u0644\u0627\u0641\u062a\u0631\u0627\u0636 \u062f\u0648\u0631 IAM \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u062a\u062d\u0642\u0642 \u062f\u0627\u0626\u0645\u0627\u064b \u0645\u0646 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u062c\u0645\u0647\u0648\u0631 \u0641\u064a \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062b\u0642\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n\u0627\u062e\u062a\u0631\u0627\u0642 \u0645\u0632\u0648\u062f OIDC<\/h3>\n
\n
\u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629 \u0648\u0627\u0644\u062a\u062f\u0642\u064a\u0642<\/h3>\n
\n
# AWS CloudTrail filter for OIDC role assumptions\n{\n \"eventName\": \"AssumeRoleWithWebIdentity\",\n \"requestParameters\": {\n \"roleArn\": \"arn:aws:iam::123456789012:role\/github-actions-deploy-production\"\n }\n}\n<\/code><\/pre>\n\u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a \u0627\u0644\u0637\u0648\u0627\u0631\u0626<\/h3>\n
\n
\u062f\u0644\u064a\u0644 \u0627\u0644\u062a\u0631\u062d\u064a\u0644: \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u0625\u0644\u0649 \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631<\/h2>\n
\u0627\u0644\u0645\u0631\u062d\u0644\u0629 1: \u0627\u0644\u062c\u0631\u062f<\/h3>\n
# GitHub: List all secrets for a repository\ngh secret list --repo my-org\/my-repo\n\n# GitHub: List organization secrets\ngh secret list --org my-org\n\n# GitLab: List project variables\ncurl --header \"PRIVATE-TOKEN: $GITLAB_TOKEN\" \\\n \"https:\/\/gitlab.com\/api\/v4\/projects\/$PROJECT_ID\/variables\"\n<\/code><\/pre>\n\n
\u0627\u0644\u0645\u0631\u062d\u0644\u0629 2: \u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0645\u0631\u0634\u062d\u064a\u0646<\/h3>\n
\n
\n
\u0627\u0644\u0645\u0631\u062d\u0644\u0629 3: \u0627\u0644\u0637\u0631\u062d \u0627\u0644\u0645\u0631\u062d\u0644\u064a<\/h3>\n
\n
\u0627\u0644\u0645\u0631\u062d\u0644\u0629 4: \u0625\u064a\u0642\u0627\u0641 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0642\u062f\u064a\u0645\u0629<\/h3>\n
\n
# AWS: Deactivate an old access key\naws iam update-access-key \\\n --user-name ci-deploy \\\n --access-key-id AKIAIOSFODNN7EXAMPLE \\\n --status Inactive\n\n# After validation period, delete it\naws iam delete-access-key \\\n --user-name ci-deploy \\\n --access-key-id AKIAIOSFODNN7EXAMPLE\n<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\n
\n
\u0627\u0644\u062e\u0644\u0627\u0635\u0629<\/h2>\n
aws-actions\/configure-aws-credentials<\/code> \u0648 google-github-actions\/auth<\/code> \u0648 azure\/login<\/code>) \u0645\u0639 \u062a\u0628\u0627\u062f\u0644 \u0627\u0644\u0631\u0645\u0648\u0632 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b. \u0645\u0648\u0627\u0631\u062f Terraform \u0645\u0648\u062c\u0648\u062f\u0629 \u0644\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062a\u062d\u062a\u064a\u0629 \u0643\u0643\u0648\u062f.<\/p>\n