Hi @noorbasha534,
In the docs they give the following example of subject requirements for Azure DevOps. So the subject (`sub`) claim must uniquely identify the workload. As long as all of your pipelines reside in the same organization and the same project, and all of them use the same service connection, then you can have one single policy.

```json
{
  "iss": "https://vstoken.dev.azure.com/<org_id>",
  "aud": "api://AzureADTokenExchange",
  "sub": "sc://my-org/my-project/my-connection"
}
```
The same applies to GitHub.

```json
{
  "iss": "https://token.actions.githubusercontent.com",
  "aud": "https://github.com/my-github-org",
  "sub": "repo:my-github-org/my-repo:environment:prod"
}
```
So you can think of the subject in the following way:

"This token was issued for workflows running in the prod environment of my-repo inside my-github-org"

So as long as your pipelines are defined in the same organization -> repo -> env, then you can use a single policy.
This is a quite interesting question and I can try to validate it in my own environment, but I think I will find time only in the second part of this week.
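To make the "same org -> project -> connection" / "same org -> repo -> env" rule concrete, here is a small Python checker added as an example; it is not part of the thread and not code from Azure DevOps, GitHub or Entra ID. It assumes a federated credential is satisfied only when `iss`, `aud` and `sub` are all exactly equal to the token's claims (no wildcards or prefix matching, which is how Entra ID federated identity credentials are evaluated), and the policy objects and sample token claims below are constructed for illustration.

```python
"""Exact-match check of OIDC token claims against federated-credential policies.

Added example, not from the original discussion. Assumption: a policy matches
only when iss, aud and sub are all identical to the token's claims. The
FederatedCredential class, policies and sample claims are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

GITHUB_ISS = "https://token.actions.githubusercontent.com"
AZDO_ISS = "https://vstoken.dev.azure.com/<org_id>"   # placeholder org id


@dataclass(frozen=True)
class FederatedCredential:
    """One federated identity credential (constructed shape for this example)."""
    name: str
    issuer: str
    audience: str
    subject: str

    def matches(self, claims: Dict[str, str]) -> bool:
        # All three claims must be present and equal; a differing environment,
        # project or service connection therefore needs its own credential.
        return (
            claims.get("iss") == self.issuer
            and claims.get("aud") == self.audience
            and claims.get("sub") == self.subject
        )


def parse_subject(sub: str) -> Dict[str, str]:
    """Split a sub claim into components so a mismatch is easy to explain.

    Handles the two shapes quoted in the thread:
      Azure DevOps: sc://<org>/<project>/<service-connection>
      GitHub:       repo:<org>/<repo>:<kind>:<value>, e.g. environment:prod
    """
    if sub.startswith("sc://"):
        org, project, connection = sub[len("sc://"):].split("/", 2)
        return {"provider": "azdo", "org": org, "project": project, "connection": connection}
    if sub.startswith("repo:"):
        _, repo_full, kind, value = sub.split(":", 3)
        org, repo = repo_full.split("/", 1)
        return {"provider": "github", "org": org, "repo": repo, kind: value}
    raise ValueError(f"unrecognised subject format: {sub!r}")


def subject_diff(sub_a: str, sub_b: str) -> Dict[str, tuple]:
    """Components that differ between two subjects; empty dict means identical."""
    a, b = parse_subject(sub_a), parse_subject(sub_b)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


def find_matching_credential(
    claims: Dict[str, str], credentials: List[FederatedCredential]
) -> Optional[FederatedCredential]:
    """Return the first credential whose iss/aud/sub all equal the token's claims."""
    for cred in credentials:
        if cred.matches(claims):
            return cred
    return None


# Constructed policies: one per GitHub environment, one per Azure DevOps service connection.
POLICIES = [
    FederatedCredential("gh-prod", GITHUB_ISS, "https://github.com/my-github-org",
                        "repo:my-github-org/my-repo:environment:prod"),
    FederatedCredential("azdo-conn", AZDO_ISS, "api://AzureADTokenExchange",
                        "sc://my-org/my-project/my-connection"),
]

# Constructed token claims (only the three claims that matter for matching).
PROD_TOKEN = {"iss": GITHUB_ISS, "aud": "https://github.com/my-github-org",
              "sub": "repo:my-github-org/my-repo:environment:prod"}
STAGING_TOKEN = dict(PROD_TOKEN, sub="repo:my-github-org/my-repo:environment:staging")
AZDO_TOKEN = {"iss": AZDO_ISS, "aud": "api://AzureADTokenExchange",
              "sub": "sc://my-org/my-project/my-connection"}

if __name__ == "__main__":
    for label, tok in [("prod", PROD_TOKEN), ("staging", STAGING_TOKEN), ("azdo", AZDO_TOKEN)]:
        hit = find_matching_credential(tok, POLICIES)
        print(f"{label}: {'matches ' + hit.name if hit else 'no matching credential'}")
    print("prod vs staging differ in:", subject_diff(PROD_TOKEN["sub"], STAGING_TOKEN["sub"]))
```

Running it shows the prod and Azure DevOps tokens each matching their credential while the staging token matches nothing, and `subject_diff` names the `environment` component as the only difference, which is exactly the part of the subject that would need a second policy.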