Set up Google Cloud Workload Identity Federation for GitHub Actions

I have been using Service Account Key JSON to authenticate GitHub Actions with Google Cloud. This is basically a password stored in GitHub secrets that is then used by GitHub Actions to authenticate. I just saw that the google-github-actions/auth action now supports and recommends the use of Workload Identity Federation. This post is a documentation of the steps I took to enable this.

The doc suggests the Direct setup, where you’d grant permissions to the Workload Identity Pool to access different Google Cloud services. Since I have been using the Service Account, I set up Workload Identity Federation through a Service Account instead. I performed these steps in the Google Cloud console, instead of using the gcloud CLI as in the doc.

  1. Create a Workload Identity Pool
    • From the UI, the “Name” field is actually the display-name attribute of the CLI. The ID is automatically derived, so I edited it to use the github value instead.
  2. Create a Workload Identity Provider
    • Select OpenID Connect (OIDC)
    • Same deal as above re: display name and ID
    • Issuer URL is https://token.actions.githubusercontent.com
    • I selected “Default Audience”
    • Attribute mapping – manually set them
      • google.subject = assertion.sub
      • attribute.actor = assertion.actor
      • attribute.repository = assertion.repository
      • attribute.repository_owner = assertion.repository_owner
    • Attribute conditions – set to my GitHub personal user
      • assertion.repository_owner == 'tnguyen14'
  3. Allow authentications from the Pool to the Service Account
    • This step is where I deviated slightly from the doc. I selected the option “Grant access using service account impersonation” from the UI, and selected the Service Account.
    • For the “Select principals (identities that can access the service account)” field, I selected repository_owner instead of the repository attribute that the doc suggests. My intention is to use this Provider for all repos in my personal account, so I hope this is the right way to do it. The Actions workflow succeeded with this setting, FWIW.
  4. Retrieve the Provider name
    • The full provider resource name is not shown in the Console UI, so I had to activate Cloud Shell and retrieve it with the gcloud CLI
  5. Changes to workflow config file
    • In the job, update permissions – this step is important. Without it, I got the error “Error: google-github-actions/auth failed with: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork.”
      permissions:
        contents: 'read'
        id-token: 'write'
    • Replace the auth step’s credentials_json with workload_identity_provider and service_account
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/github/providers/github-tnguyen14
          service_account: [email protected]
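To see what the attribute mapping in step 2 and the principal choice in step 3 actually enforce, here is an added Python simulation (not code from the original post, from google-github-actions/auth, or from Google Cloud) of how the provider treats a decoded GitHub OIDC token: it applies the four attribute mappings, evaluates the repository_owner condition, and builds the principalSet identifier that step 3 grants impersonation to. The token claims, repository names and the project number 000000000000 are constructed, and the condition evaluator handles only the simple equality form used on this page.

```python
import re

# Added example (not code from the original post, google-github-actions/auth or
# Google Cloud): a local simulation of how the Workload Identity Provider configured
# above treats an incoming GitHub OIDC token. All claims and the project number are
# constructed values.

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Attribute mapping as entered on the provider: target attribute <- source expression.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.repository": "assertion.repository",
    "attribute.repository_owner": "assertion.repository_owner",
}

# Attribute condition as entered on the provider.
ATTRIBUTE_CONDITION = "assertion.repository_owner == 'tnguyen14'"

# Constructed decoded JWT payloads. A real token also carries exp/iat/nbf and a
# signature, which Google verifies against the issuer's keys before any of this runs.
OWN_REPO_TOKEN = {
    "iss": GITHUB_ISSUER,
    "aud": "https://iam.googleapis.com/projects/000000000000/locations/global/"
           "workloadIdentityPools/github/providers/github-tnguyen14",
    "sub": "repo:tnguyen14/example-repo:ref:refs/heads/main",
    "actor": "tnguyen14",
    "repository": "tnguyen14/example-repo",
    "repository_owner": "tnguyen14",
}

# Same shared GitHub issuer, different owner: should be rejected by the condition.
FOREIGN_REPO_TOKEN = dict(
    OWN_REPO_TOKEN,
    sub="repo:someone-else/example-repo:ref:refs/heads/main",
    actor="someone-else",
    repository="someone-else/example-repo",
    repository_owner="someone-else",
)


def apply_mapping(claims, mapping=ATTRIBUTE_MAPPING):
    """Resolve each 'assertion.<claim>' source expression against the token claims.

    Only the plain 'assertion.<claim>' form used on the page is handled; real
    providers accept arbitrary CEL expressions here.
    """
    mapped = {}
    for target, source in mapping.items():
        prefix, _, claim = source.partition(".")
        if prefix != "assertion" or not claim:
            raise ValueError(f"unsupported mapping expression: {source!r}")
        if claim not in claims:
            raise KeyError(f"token lacks claim {claim!r} required for {target}")
        mapped[target] = claims[claim]
    return mapped


def condition_holds(claims, condition=ATTRIBUTE_CONDITION):
    """Evaluate a condition of the form "assertion.<claim> == '<literal>'" (not a CEL engine)."""
    match = re.fullmatch(r"assertion\.(\w+)\s*==\s*'([^']*)'", condition.strip())
    if match is None:
        raise ValueError(f"unsupported condition: {condition!r}")
    claim, expected = match.groups()
    return claims.get(claim) == expected


def federate(claims):
    """Return (accepted, mapped attributes or rejection reason) for a decoded token."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer does not match the provider's Issuer URL"
    if not condition_holds(claims):
        return False, "attribute condition not satisfied"
    return True, apply_mapping(claims)


def principal_set(project_number, pool_id, attribute, value):
    """Principal set identifier that step 3 grants impersonation to.

    Format follows the Google Cloud principalSet:// scheme; the project number
    passed in below is a placeholder.
    """
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
        f"workloadIdentityPools/{pool_id}/attribute.{attribute}/{value}"
    )


if __name__ == "__main__":
    for name, token in (("own repo", OWN_REPO_TOKEN), ("foreign repo", FOREIGN_REPO_TOKEN)):
        accepted, detail = federate(token)
        print(f"{name}: {'accepted' if accepted else 'rejected'} -> {detail}")
    print(principal_set("000000000000", "github", "repository_owner", "tnguyen14"))
```

Run it directly: the own-repo token is accepted and its sub claim becomes google.subject, while the token from another owner is rejected by the condition even though it comes from the same shared GitHub issuer, which is why the condition in step 2 is worth setting at all. Choosing attribute.repository_owner for the principal set in step 3 is what lets every repo under the account impersonate the service account; choosing attribute.repository would narrow it to one repo.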