Set up Google Cloud Workload Identity Federation for GitHub Actions
05-26-2025
I have been using Service Account Key JSON to authenticate GitHub Actions with Google Cloud. This is basically a password stored in GitHub secrets that is then used by GitHub Actions to authenticate. I just saw that the `google-github-actions/auth` action now supports and recommends the use of Workload Identity Federation. This post is a documentation of the steps I took to enable this.
The doc suggests the Direct setup, where you’d grant permissions to the Workload Identity Pool to access different Google Cloud services. Since I have been using the Service Account, I set up Workload Identity Federation through a Service Account instead. I performed these steps in the Google Cloud console, instead of using the gcloud CLI as in the doc.
- Create a Workload Identity Pool
  - From the UI, the “Name” field is actually the `display-name` attribute of the CLI. The ID is automatically derived, so I edited it to use the `github` value instead.
- Create a Workload Identity Provider
  - Select OpenID Connect (OIDC)
  - Same deal as above re: display name and ID
  - Issuer URL is `https://token.actions.githubusercontent.com`
  - I selected “Default Audience”
  - Attribute mapping – manually set them:
    - `google.subject` – `assertion.sub`
    - `attribute.actor` – `assertion.actor`
    - `attribute.repository` – `assertion.repository`
    - `attribute.repository_owner` – `assertion.repository_owner`
  - Attribute conditions – set to my GitHub personal user: `assertion.repository_owner == 'tnguyen14'`
- Allow authentications from the Pool to the Service Account
  - This step is where I deviated slightly from the doc. I selected the option “Grant access using service account impersonation” from the UI, and selected the Service Account.
  - For the “Select principals (identities that can access the service account)” field, I selected `repository_owner` instead of `repository`, as suggested by the doc. My intention is to use this Provider for all repos in my personal account, so I hope this is the right way to do it. The Actions workflow succeeded with this setting, FWIW.
- Retrieve the Provider name
  - This info is not available from the Console UI for it, so I had to activate Cloud Shell to retrieve it from the CLI.
- Changes to workflow config file
  - In the job, update permissions – this step is important. Without it, I got the error:

    Error: google-github-actions/auth failed with: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork.

    ```yaml
    permissions:
      contents: 'read'
      id-token: 'write'
    ```
  - Replace the auth step’s `credentials_json` with `workload_identity_provider` and `service_account`:

    ```yaml
    - id: auth
      uses: google-github-actions/auth@v2
      with:
        workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/github/providers/github-tnguyen14
        service_account: [email protected]
    ```
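The gcloud equivalents of the console steps above, as an added example that is not part of the original post; it also shows how the `principalSet` member for `repository_owner` differs from one for `repository`, and how to obtain the provider name the workflow needs. The pool ID, provider ID, attribute mapping and condition are the values used in this post; `PROJECT_ID`, `PROJECT_NUMBER` and `SA_EMAIL` are assumed placeholders, and commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env sh
# Added example: gcloud equivalents of the console steps in this post.
# Assumed placeholders (not from the post): PROJECT_ID, PROJECT_NUMBER, SA_EMAIL.
PROJECT_ID="${PROJECT_ID:-my-project-id}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
SA_EMAIL="${SA_EMAIL:-github-actions@my-project-id.iam.gserviceaccount.com}"
POOL_ID="github"                 # pool ID chosen in the post
PROVIDER_ID="github-tnguyen14"   # provider ID chosen in the post
GH_OWNER="tnguyen14"             # GitHub owner the attribute condition pins

# Print commands instead of executing them unless DRY_RUN=0.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Pool resource name; note it uses the project NUMBER, not the project ID.
pool_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s' "$PROJECT_NUMBER" "$POOL_ID"
}

# principalSet matching every token whose mapped attribute equals a value.
# attribute.repository_owner/<owner> covers all repos of one owner (the post's choice);
# attribute.repository/<owner>/<repo> would restrict impersonation to a single repo.
principal_set() { # $1 = attribute name, $2 = attribute value
  printf 'principalSet://iam.googleapis.com/%s/attribute.%s/%s' "$(pool_name)" "$1" "$2"
}

# Provider resource name expected by the workload_identity_provider input.
provider_name() { printf '%s/providers/%s' "$(pool_name)" "$PROVIDER_ID"; }

setup() {
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global --display-name="GitHub"
  # Default audience (no --allowed-audiences) is the provider's full resource name.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
    --attribute-condition="assertion.repository_owner == '$GH_OWNER'"
  # Only tokens passing the condition above may impersonate the service account.
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(principal_set repository_owner "$GH_OWNER")"
}

setup
echo "workload_identity_provider: $(provider_name)"
```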