NGINXaaS: Address missing info and points of user friction #1588
+6
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This makes it easier for the user to know what it looks like when we are asking them to save it for use later on in the deployment.
This is important as we do not have references to it anywhere and is information needed by the user to set up deployment observability.
After I am done setting up my WIF provider, I should be directed to enable monitoring and logging for my deployment.
github-actions
bot
added
the
documentation
✅ Deploy Preview will be available once build job completes!
|
puneetsarna
commented
Dec 16, 2025
| ## What's next | ||
|
|
||
| [Add SSL/TLS Certificates]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-console.md" >}}) | ||
| [Monitor your deployment]({{< ref "/nginxaas-google/monitoring/enable-monitoring.md" >}}) |
amudukutore
reviewed
Dec 17, 2025
| - For **production use cases**, we recommend setting the **Connection preference** on the Network Attachment resource to **Accept connections from selected projects**. This lets you manually approve trusted connections, as this setting cannot be changed later. To start, you can leave the list of accepted projects empty and add the NGINXaaS deployment project after it is created. | ||
| - For **development use cases**, you can set the **Connection preference** to **Automatically accept connections from all projects**, which allows connections without manual approval. If you choose this option, you don't need to explicitly allow the NGINXaaS deployment project. | ||
| 1. Make a note of the network attachment ID. You will need it in the next steps to create your NGINXaaS deployment. | ||
| 1. Make a note of the network attachment ID (**Example format:** `projects/my-google-project/regions/us-east1/networkAttachments/my-network-attachment`). You will need it in the next steps to create your NGINXaaS deployment. |
There was a problem hiding this comment.
Including an example of the network attachment format is a great improvement. To make it even clearer, you could guide users to find this in the Google Cloud Console:
- Go to Network Attachments at the following link:
https://console.cloud.google.com/net-services/psc/list/networkAttachments?project=my-google-project
(replace my-google-project in the URL with your project name). - Open the desired network attachment and copy the value from the
Network Attachmentfield.
amudukutore
reviewed
Dec 17, 2025
|
|
||
|
|
||
| F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, when WIF is configured, NGINXaaS can export logs and metrics from your deployment to Cloud Monitoring in your chosen Google project. To learn more about WIF on Google Cloud, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation). | ||
| F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, when WIF is configured, NGINXaaS can export logs and metrics from your deployment to Cloud Monitoring in your chosen Google project. To learn more about WIF on Google Cloud, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation). |
There was a problem hiding this comment.
I know this was just a white-space change, but since you're already here, may I suggest the following simplification:
Suggested change
| F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, when WIF is configured, NGINXaaS can export logs and metrics from your deployment to Cloud Monitoring in your chosen Google project. To learn more about WIF on Google Cloud, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation). | |
| F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, with WIF configured, your NGINXaaS deployment can export logs and metrics to Cloud Monitoring in your Google project. To learn more, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation). |
amudukutore
reviewed
Dec 17, 2025
| - `Allowed audiences` must contain the full canonical resource name of the workload identity pool provider, for example, `https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>`. If `Allowed audiences` is empty, the full canonical resource name of the workload identity pool provider will be included by default. | ||
| - Add the following **attribute mapping**: `google.subject=assertion.sub`. | ||
| - Add the following **attribute condition**: `assertion.sub=='$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID'` where `$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID` is your NGINXaaS deployment's service account's unique ID. | ||
| - Add the following **attribute condition**: `assertion.sub=='$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID'` where `$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID` is your NGINXaaS deployment's service account's unique ID, listed under the **Cloud Info** section in the **Details** tab for your deployment. |
There was a problem hiding this comment.
This looks good but another minor suggestion to simplify:
Suggested change
| - Add the following **attribute condition**: `assertion.sub=='$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID'` where `$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID` is your NGINXaaS deployment's service account's unique ID, listed under the **Cloud Info** section in the **Details** tab for your deployment. | |
| - Add the following **attribute condition**: `assertion.sub=='$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID'`, where `$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID` is the unique ID of your NGINXaaS deployment's service account. This ID can be found in the `F5 NGINXaaS Service Account Unique ID` field under the **Cloud Info** section in the **Details** tab of your deployment. |
amudukutore
approved these changes
Dec 17, 2025
amudukutore
left a comment
amudukutore
left a comment
There was a problem hiding this comment.
@puneetsarna - Thanks for (quickly) addressing these docs issues and making these changes. I had a few minor suggestions and will leave it up to you whether you want to use them or not. Approving these regardless.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
Checklist
Before sharing this pull request, I completed the following checklist:
Footnotes
Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩