Authenticate GITHUB actions to GCP using Workload Identity Federation

Satish Kumar
4 min readFeb 3, 2023


Hey geeks!! You know what?

You no longer need to store a service account JSON key as a repository secret to run CI/CD pipelines from GitHub to GCP 🤫

Why GCP Workload Identity? 🤔

Attack! Attack! Attack! 🧟🧟‍♂️

Tired of cyber attacks?
Most incidents start with a leaked or stolen long-lived secret: a password, or in our case a service account key that never expires and works from anywhere. With Workload Identity Federation, GitHub Actions presents a short-lived OIDC token for the workflow run, and Google Cloud exchanges it for a short-lived access token for your service account. Nothing long-lived is stored on GitHub, so there is nothing to leak, rotate, or revoke.

Below are the steps to let GitHub Actions authenticate to GCP without a key:

Prerequisites:

A GCP project in which you can manage IAM and service accounts.

gcloud CLI, logged in to that project.

A GitHub account with a repository.

This demo tests only the authentication step, not a real deployment.

# Set up some temporary variables in your terminal.

Variables make the job easier, but keep them in your current shell session only; don't commit them to the repo or a dotfile.

# Set your project using gcloud CLI

gcloud config set project <project ID>

# Export the variables as below:

export PROJECT_ID=<YOUR_PROJECT_ID>                 # your GCP project ID
export SERVICE_ACCOUNT=<YOUR_SERVICE_ACCOUNT_NAME>  # name of the service account to create
export GITHUB_REPO=<OWNER/REPO>                     # e.g. account/repo, exactly as on GitHub
export WORKLOAD_IDENTITY_POOL=github-pool           # pool and provider IDs must be 4-32 lowercase letters, digits or hyphens
export WORKLOAD_IDENTITY_PROVIDER=github-provider   # keep these or pick your own

# Create a service account in your GCP project using gcloud CLI command:

gcloud iam service-accounts create $SERVICE_ACCOUNT \
--display-name="github to service account"

# Attach the roles the service account will need:

I am binding only “roles/iam.serviceAccountUser”; attach the roles your pipeline actually needs. For an authentication-only test no project-level role is required at all, and be aware that roles/iam.serviceAccountUser at project scope lets this identity act as every service account in the project, so scope it down (or drop it) before you deploy anything real.

gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser"

# Now let’s create a workload identity pool:

gcloud iam workload-identity-pools create $WORKLOAD_IDENTITY_POOL \
--location="global" \
--display-name="github"

# Create a workload identity provider:

The attribute mapping copies claims from GitHub's OIDC token into attributes you can reference in IAM bindings. The attribute condition restricts which tokens the provider accepts at all: without it, a workflow in any repository on github.com can exchange a token at this provider, and the per-repository binding on the service account is the only gate left. Google Cloud requires a condition for the GitHub issuer on new providers, so add one for your organisation or user.

gcloud iam workload-identity-pools providers create-oidc $WORKLOAD_IDENTITY_PROVIDER \
--location="global" \
--workload-identity-pool=$WORKLOAD_IDENTITY_POOL \
--display-name="github provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner == '${GITHUB_REPO%%/*}'" \
--issuer-uri="https://token.actions.githubusercontent.com"

# Get your pool ID:

WORKLOAD_IDENTITY_POOL_ID=$(gcloud iam workload-identity-pools \
describe $WORKLOAD_IDENTITY_POOL \
--location="global" \
--format="value(name)")

# Allow identities from the Workload Identity Pool that originate from your repository to impersonate the service account:

The member is a principalSet keyed on attribute.repository, so only workflows of that one repository get roles/iam.workloadIdentityUser. Avoid the pool-wide form (…/workloadIdentityPools/<POOL>/*), which would let every repository the provider accepts impersonate the account.

gcloud iam service-accounts add-iam-policy-binding \
$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${GITHUB_REPO}"

# Tired? One last CLI command: get the full resource name of the Workload Identity Provider

WORKLOAD_IDENTITY_PROVIDER_LOCATION=$(gcloud iam workload-identity-pools providers \
describe $WORKLOAD_IDENTITY_PROVIDER \
--location="global" \
--workload-identity-pool=$WORKLOAD_IDENTITY_POOL \
--format="value(name)")

# Now print the two values the workflow needs from our <T-E-R-M-I-N-A-L> lol

echo $WORKLOAD_IDENTITY_PROVIDER_LOCATION
(EX.,) projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
# note: the resource name contains the numeric project number, not the project ID
echo $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
(EX.,) <SOME SERVICE ACCOUNT NAME>@<your project ID>.iam.gserviceaccount.com
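To see how the pieces above fit together, here is an added example that is not part of the original post and not Google's or GitHub's code: a simplified model of the decision Google Cloud makes when a GitHub Actions workflow exchanges its OIDC token. It decodes a constructed (unsigned) token payload, applies the attribute mapping from the provider step, evaluates the equality attribute condition on repository_owner, derives the principal and principalSet identifiers the token can match, and checks them against the roles/iam.workloadIdentityUser binding from the service account step. The project number, pool/provider IDs, repository names and the three sample tokens are all made up for the demo; real evaluation also verifies the token signature against GitHub's JWKS and supports full CEL conditions, neither of which is modelled here.

```python
import base64
import json

ISSUER = "https://token.actions.githubusercontent.com"
# Constructed names (hypothetical project number, pool and provider IDs).
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"
PROVIDER = f"{POOL}/providers/github-provider"

# The --attribute-mapping from the provider step (plus repository_owner for the condition).
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.repository": "assertion.repository",
    "attribute.repository_owner": "assertion.repository_owner",
}
# Models --attribute-condition="assertion.repository_owner == 'example-org'".
ALLOWED_OWNER = "example-org"
# The roles/iam.workloadIdentityUser member granted on the service account.
SA_WORKLOAD_IDENTITY_USERS = {
    f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/example-org/example-repo",
}


def make_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped string for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesignature"


def unverified_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT signature verification (STS checks GitHub's JWKS for real)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def map_attributes(claims: dict, mapping: dict) -> dict:
    """Apply 'target=assertion.<claim>' mappings; a missing claim is a hard failure."""
    attrs = {}
    for target, expr in mapping.items():
        claim = expr[len("assertion."):]
        if claim not in claims:
            raise KeyError(f"token has no claim {claim!r} required by {target}")
        attrs[target] = str(claims[claim])
    # google.subject is limited to 127 characters; long repo or ref names can exceed it.
    if len(attrs["google.subject"]) > 127:
        raise ValueError("google.subject exceeds 127 characters")
    return attrs


def principal_identifiers(attrs: dict, pool: str) -> set:
    """Every principal/principalSet an IAM binding could name for this identity."""
    ids = {f"principal://iam.googleapis.com/{pool}/subject/{attrs['google.subject']}",
           f"principalSet://iam.googleapis.com/{pool}/*"}  # the pool-wide wildcard
    for key, value in attrs.items():
        if key.startswith("attribute."):
            ids.add(f"principalSet://iam.googleapis.com/{pool}/{key}/{value}")
    return ids


def decide(jwt: str, provider: str = PROVIDER, mapping: dict = ATTRIBUTE_MAPPING,
           allowed_owner: str = ALLOWED_OWNER, sa_members=SA_WORKLOAD_IDENTITY_USERS):
    """Return (allowed, reason-or-matching-member) for a token exchange against `provider`."""
    claims = unverified_claims(jwt)
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    # google-github-actions/auth requests exactly this audience by default.
    if claims.get("aud") != f"https://iam.googleapis.com/{provider}":
        return False, "audience mismatch"
    attrs = map_attributes(claims, mapping)
    if attrs["attribute.repository_owner"] != allowed_owner:
        return False, "attribute condition failed (repository_owner)"
    pool = provider.split("/providers/")[0]
    matches = principal_identifiers(attrs, pool) & set(sa_members)
    if not matches:
        return False, "no roles/iam.workloadIdentityUser binding matches"
    return True, sorted(matches)[0]


def github_claims(repo: str, ref: str = "refs/heads/main") -> dict:
    """Constructed GitHub Actions OIDC claims for a push to `ref` in `repo` (shortened)."""
    return {"iss": ISSUER, "aud": f"https://iam.googleapis.com/{PROVIDER}",
            "sub": f"repo:{repo}:ref:{ref}", "repository": repo,
            "repository_owner": repo.split("/")[0], "actor": "octocat", "ref": ref}


TOKEN_OK = make_token(github_claims("example-org/example-repo"))       # the bound repo
TOKEN_SIBLING_REPO = make_token(github_claims("example-org/other-repo"))  # same org, other repo
TOKEN_OTHER_OWNER = make_token(github_claims("attacker/example-repo"))    # same repo name, other owner

if __name__ == "__main__":
    for name, tok in [("own repo", TOKEN_OK), ("sibling repo", TOKEN_SIBLING_REPO),
                      ("other owner", TOKEN_OTHER_OWNER)]:
        print(f"{name:13} -> {decide(tok)}")
    # What the pool-wide wildcard binding would have let through:
    wildcard = {f"principalSet://iam.googleapis.com/{POOL}/*"}
    print(f"{'sibling, /*':13} -> {decide(TOKEN_SIBLING_REPO, sa_members=wildcard)}")
```

The sibling-repository token passes the owner condition but fails at the binding, which is exactly the layer the pool-wide wildcard member would remove; the token from another owner never reaches the binding because the provider's attribute condition rejects it first.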

Now what? Oh okay, GitHub Actions!

# Create a simple workflow in your repo actions

GitHub Repo > Go to Actions > click on set up a workflow

# Replace the sample workflow file with the one below and click on start commit

The job needs `id-token: write`, otherwise GitHub will not mint an OIDC token for it. The two values under `with:` are the ones printed in the previous step; the workflow cannot read your shell variables, so paste the literal values. The last two steps only prove the federation works by listing the active credential.

name: GCP-GH
on:
  # push:
  #   branches: [ main ]
  # pull_request:
  #   branches: [ main ]
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job request a GitHub OIDC token

    steps:
      # Pin third-party actions to a commit SHA in production instead of a tag.
      - uses: actions/checkout@v4

      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          # Replace with the value of $WORKLOAD_IDENTITY_PROVIDER_LOCATION from above
          workload_identity_provider: "projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
          # Replace with your service account e-mail
          service_account: "<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"

      - uses: google-github-actions/setup-gcloud@v2

      - name: Verify the federated identity
        run: gcloud auth list

# Congratulations mate :), GitHub Actions authenticated to GCP using Workload Identity Federation, with no JSON key anywhere. Once your pipelines have moved over, list the user-managed keys the service account still has and delete them, so the old key-based path is closed for good.

For Authenticating GITHUB actions to AWS using Identity Providers, please check the below:

Thanks for Reading !!!!

Follow for more updates :)
