GCP Workload Identity Federation (WIF):
WIF lets your workloads talk to GCP resources without needing Service Account keys.
This article walks through the steps needed to enable WIF for your GitHub repository so that your Actions workflow can use WIF for GCP authentication.
- Creation of WIF pool:
- Add Provider to WIF Pool:
NOTE: For GitHub, choose OIDC as the provider type.
- Configure Provider Attributes:
- Once the WIF pool and provider above are configured, create a Service Account that GitHub Actions will use to communicate with GCP resources.
Note: Assign the necessary roles to this account based on the GCP resources you want GitHub Actions to access. Make sure one of those roles is Service Account User so that GitHub Actions can impersonate this account to run workflows.
- Add an IAM policy binding for the GCP Service Account so that the WIF pool can impersonate it:

```bash
gcloud auth login
gcloud iam service-accounts add-iam-policy-binding "<YOUR_SERVICE_ACCOUNT_NAME>" \
  --project="<YOUR_PROJECT_ID>" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/<YOUR_PROJECT_ID_NUMBER>/locations/global/workloadIdentityPools/<YOUR_WIF_POOL_NAME>/attribute.repository_owner/<YOUR_GITHUB_USERNAME OR YOUR_ORG_NAME>"
```
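To see what the `attribute.repository_owner` member in this binding actually admits, the following added Python example (not from the original article) models the GCP-side evaluation: it decodes a constructed GitHub OIDC token payload, applies a hypothetical provider attribute mapping, and checks which `principalSet://` members the token satisfies. The project number, pool id, organisation and repository names are placeholders.

```python
import base64
import json

# Constructed claims of a GitHub Actions OIDC token (payload only; the
# signature and issuer key check are not modelled here).
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/api-service:ref:refs/heads/main",
    "repository": "example-org/api-service",
    "repository_owner": "example-org",
}

# Hypothetical pool: project number and pool id are placeholders.
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"

# Provider attribute mapping (pool attribute -> token claim), as passed to
# `gcloud iam workload-identity-pools providers create-oidc --attribute-mapping`.
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.repository_owner": "repository_owner",
    "attribute.repository": "repository",
}

def encode_payload(claims: dict) -> str:
    """Base64url-encode a claims dict as a JWT payload segment (no padding)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(segment: str) -> dict:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def map_attributes(claims: dict) -> dict:
    """Apply the provider's attribute mapping to the decoded token claims."""
    return {attr: claims[claim] for attr, claim in ATTRIBUTE_MAPPING.items()
            if claim in claims}

def principal_sets(claims: dict) -> set:
    """All principalSet:// members a token with these claims satisfies."""
    return {f"principalSet://iam.googleapis.com/{POOL}/{attr}/{value}"
            for attr, value in map_attributes(claims).items()
            if attr.startswith("attribute.")}

def binding_admits(member: str, claims: dict) -> bool:
    """Does a roles/iam.workloadIdentityUser binding for `member` let a token
    with these claims impersonate the service account?"""
    return member in principal_sets(claims)
```

Because the binding is keyed on `attribute.repository_owner`, a token from any repository under that owner is admitted; a binding on `attribute.repository/<owner>/<repo>` narrows impersonation to a single repository.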
Using WIF-based authentication in a GitHub Actions workflow:
Add the auth step below to your workflow file:

```yaml
- id: 'auth-to-gcp'
  name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/auth@v2'
  with:
    workload_identity_provider: 'projects/<YOUR_PROJECT_ID_NUMBER>/locations/global/workloadIdentityPools/<YOUR_WIF_POOL_NAME>/providers/<YOUR_WIF_GITHUB_OIDC_PROVIDER_NAME>'
    service_account: 'YOUR_SERVICE_ACCOUNT'
```