Enabling Workload Identity Federation for Github Actions on GCP

lostinopensource - Jun 14 - Dev Community

GCP Workload Identity Federation:

Workload Identity Federation (WIF) lets an external workload such as a GitHub Actions job call GCP APIs by exchanging its own identity token (here, the OIDC token GitHub issues to the job) for short-lived Google credentials. No long-lived Service Account key has to be created, stored as a repository secret, or rotated.

This article demonstrates the steps needed to enable WIF for your GitHub repository so that your Actions workflow can use WIF to authenticate to GCP.

  • Create a WIF pool:

[Screenshot: Creating WIF Pool]

  • Add a provider to the WIF pool:

NOTE: For GitHub, choose OIDC as the provider type. The issuer is https://token.actions.githubusercontent.com.

[Screenshot: Add Provider]

  • Configure the provider attributes. Map the claims of GitHub's token to pool attributes (for example google.subject=assertion.sub and attribute.repository_owner=assertion.repository_owner, which the IAM binding below relies on), and add an attribute condition such as assertion.repository_owner == '<YOUR_ORG_NAME>' so that the provider accepts tokens only from your own user or organisation:

[Screenshot: Provider Attributes]

  • Once the pool and provider are configured, create a Service Account that GitHub Actions will impersonate when talking to GCP resources.

Note: Grant this account only the roles it needs for the GCP resources your workflow has to reach. The right of GitHub Actions to impersonate the account is granted in the next step with the Workload Identity User role (roles/iam.workloadIdentityUser) on the account itself; the Service Account User role is only required if the workflow deploys resources that themselves run as a service account (for example Cloud Run or Compute Engine).

  • Add an IAM policy binding on the Service Account so that identities from the WIF pool can impersonate it. The first positional argument is the service account's e-mail address. The member below matches every repository owned by the given user or organisation; to restrict impersonation to a single repository, use attribute.repository/<OWNER>/<REPO> instead of attribute.repository_owner/<OWNER>:

    gcloud auth login

    gcloud iam service-accounts add-iam-policy-binding "<YOUR_SERVICE_ACCOUNT_EMAIL>" \
      --project="<YOUR_PROJECT_ID>" \
      --role="roles/iam.workloadIdentityUser" \
      --member="principalSet://iam.googleapis.com/projects/<YOUR_PROJECT_ID_NUMBER>/locations/global/workloadIdentityPools/<YOUR_WIF_POOL_NAME>/attribute.repository_owner/<YOUR_GITHUB_USERNAME OR YOUR_ORG_NAME>"

Using WIF-based authentication in a GitHub Actions workflow:

The job must be allowed to request a GitHub OIDC token: set permissions: id-token: write at the workflow or job level, otherwise the auth action fails before it ever reaches GCP. Then add the auth step below to your workflow file (service_account is the e-mail address of the account created above):

    - id: 'auth-to-gcp'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v2'
      with:
        workload_identity_provider: 'projects/<YOUR_PROJECT_ID_NUMBER>/locations/global/workloadIdentityPools/<YOUR_WIF_POOL_NAME>/providers/<YOUR_WIF_GITHUB_OIDC_PROVIDER_NAME>'
        service_account: '<YOUR_SERVICE_ACCOUNT_EMAIL>'
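The whole procedure above (pool, OIDC provider with attribute mapping and condition, service account, impersonation binding, and the workflow) as one script, added here as an example and not taken from the original post or from Google's or the auth action's own documentation. Every value in it is a hypothetical placeholder: project my-project with project number 123456789012, pool github-pool, provider github-oidc, service account gha-deployer and repository example-org/example-repo; override them through the environment. It deliberately scopes the binding to attribute.repository (one repository) rather than attribute.repository_owner (every repository of the owner) as in the command above.

```shell
#!/bin/sh
# Added example, not from the original post: the WIF procedure as a script.
# All values are hypothetical placeholders (override via environment):
#   project "my-project" (number 123456789012), pool "github-pool",
#   provider "github-oidc", service account "gha-deployer",
#   repository "example-org/example-repo".
# DRY_RUN=1 prints the gcloud commands instead of running them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
POOL="${POOL:-github-pool}"
PROVIDER="${PROVIDER:-github-oidc}"
SA_NAME="${SA_NAME:-gha-deployer}"
GITHUB_OWNER="${GITHUB_OWNER:-example-org}"
GITHUB_REPO="${GITHUB_REPO:-example-repo}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Service account e-mail: <name>@<project-id>.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Full provider resource name, the value the auth action expects.
# Args: project number, pool id, provider id.
provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' \
    "$1" "$2" "$3"
}

# principalSet matching every federated token whose mapped attribute has the
# given value. Args: project number, pool id, attribute name, value.
principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.%s/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Pool, OIDC provider, service account and the impersonation binding.
setup_wif() {
  sa="$(sa_email "$SA_NAME" "$PROJECT_ID")"
  run gcloud iam workload-identity-pools create "$POOL" \
    --project="$PROJECT_ID" --location=global \
    --display-name="GitHub Actions pool"
  # Map the claims of GitHub's OIDC token to pool attributes, and reject
  # tokens from any other GitHub owner with an attribute condition.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
    --attribute-condition="assertion.repository_owner == '${GITHUB_OWNER}'"
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" --display-name="GitHub Actions deployer"
  # Only tokens minted for this one repository may impersonate the account
  # (attribute.repository is narrower than attribute.repository_owner).
  run gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(principal_set "$PROJECT_NUMBER" "$POOL" repository "${GITHUB_OWNER}/${GITHUB_REPO}")"
}

# Write a minimal workflow that authenticates through the pool and shows the
# resulting identity. "id-token: write" is what lets the job obtain the token.
write_workflow() {
  mkdir -p "$(dirname "$1")"
  cat >"$1" <<EOF
name: gcp-auth
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  auth:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth-to-gcp
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: '$(provider_resource "$PROJECT_NUMBER" "$POOL" "$PROVIDER")'
          service_account: '$(sa_email "$SA_NAME" "$PROJECT_ID")'
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud auth list
EOF
}

case "${1:-}" in
  setup)    setup_wif ;;
  workflow) write_workflow "${2:-.github/workflows/gcp-auth.yml}" ;;
esac
```

Run `DRY_RUN=1 sh wif-setup.sh setup` first to review the exact gcloud commands, then without DRY_RUN against a project you are logged into; `sh wif-setup.sh workflow` writes the workflow file. The final `gcloud auth list` step in the workflow should show the service account as the active account; if the auth step fails with a permission error on the token exchange, the first things to check are the missing `id-token: write` permission and whether the repository actually matches the principalSet in the binding.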