What happened?
According to the Pomerium Policy language, the “contains” operator should work with the claims string matcher.

```yaml
ingress.pomerium.io/policy: |
  allow:
    and:
      - claim/custom:groups: "[Devleads, Developer]"
```

```json
{"level":"info","service":"authorize","method":"GET","path":"/favicon.ico","host":"test-app.pomerium.dev.com","query":"","allow":true,"allow-why-true":["claim-ok"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"time":"2025-07-28T09:25:31Z","message":"authorize check"}
```
What did you expect to happen?
```yaml
ingress.pomerium.io/policy: |
  allow:
    and:
      - claim/custom:groups:
          contains: "Developer"
```

```json
{"level":"info","service":"authorize","method":"GET","path":"/","host":"test-app.pomerium.dev.com","query":"","allow":false,"allow-why-false":["claim-unauthorized","non-pomerium-route"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"time":"2025-07-28T09:25:54Z","message":"authorize check"}
```
What’s your environment like?
- Pomerium version (retrieve with `pomerium --version`): v0.22.1
- Server Operating System/Architecture/Cloud: EKS
What’s your config.yaml?
```yaml
autocert: false
dns_lookup_family: V4_ONLY
address: :443
grpc_address: :443
certificate_authority_file: "/pomerium/ca/ca.crt"
certificates:
authenticate_service_url: https://authenticate.pomerium.dev.com
authorize_service_url: https://pomerium-authorize.pomerium.svc.cluster.local
databroker_service_url: https://pomerium-databroker.pomerium.svc.cluster.local
idp_provider: oidc
idp_scopes: openid profile email
idp_provider_url: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_AYuZSIE6
jwt_claims_headers:
  - groups
idp_client_id: idp_client_id
idp_client_secret: idp_client_secret
databroker_storage_tls_skip_verify: false
```
Additional context
The issue is that Cognito passes the groups as a single string instead of a list: `"[Devleads, Developer]"`.
Are there any other operators that can check for the substring in claim/custom:groups?
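The claim shape described above, as an added example that is not Pomerium's own code: a small Go function that accepts either a real JSON list or the Cognito-style `"[A, B]"` string, splits the string into exact group names, and matches by whole name rather than by substring, so a check for `Dev` does not accidentally satisfy a `Devleads` membership. The function names and the sample claim documents are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NormalizeGroups turns either claim shape into a flat list of group names:
// a JSON list ["A","B"] or the Cognito-style string "[A, B]" from this issue.
func NormalizeGroups(claim interface{}) []string {
	switch v := claim.(type) {
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, item := range v {
			if s, ok := item.(string); ok {
				out = append(out, s)
			}
		}
		return out
	case string:
		// Strip the surrounding brackets, split on commas, trim whitespace.
		s := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(v), "["), "]")
		var out []string
		for _, part := range strings.Split(s, ",") {
			if p := strings.TrimSpace(part); p != "" {
				out = append(out, p)
			}
		}
		return out
	}
	return nil // unknown shape: grant nothing
}

// ClaimHasGroup reports whether the groups claim contains exactly `want`.
// Whole-name comparison, never substring, so "Dev" does not match "Devleads".
func ClaimHasGroup(claim interface{}, want string) bool {
	for _, g := range NormalizeGroups(claim) {
		if g == want {
			return true
		}
	}
	return false
}

func main() {
	var listClaims, stringClaims map[string]interface{} // constructed samples
	_ = json.Unmarshal([]byte(`{"groups":["Devleads","Developer"]}`), &listClaims)
	_ = json.Unmarshal([]byte(`{"groups":"[Devleads, Developer]"}`), &stringClaims)
	fmt.Println(ClaimHasGroup(listClaims["groups"], "Developer"))   // true
	fmt.Println(ClaimHasGroup(stringClaims["groups"], "Developer")) // true
	fmt.Println(ClaimHasGroup(stringClaims["groups"], "Dev"))       // false
}
```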