Inspired by this PR
Overview:
This guide explains how to configure Workload Identity Federation so that GitHub Actions workflows can authenticate to Google Cloud with short-lived OIDC tokens instead of long-lived service account keys.
Prerequisites:
Ensure you have a GCP project with IAM admin permissions.
Enable IAM Credentials API:
gcloud services enable iamcredentials.googleapis.com --project="<PROJECT_ID>"
Steps:
Step 1: Create a Workload Identity Pool
Create a pool to represent external identities (GitHub) exchanging OIDC tokens for Google credentials:
PROJECT_ID="cody-core-dev"
gcloud iam workload-identity-pools create "github" \
--project="$PROJECT_ID" \
--location="global" \
--display-name="GitHub Actions Pool"
Step 2: Retrieve the Workload Identity Pool ID
Get the pool’s fully qualified name:
gcloud iam workload-identity-pools describe "github" \
--project="$PROJECT_ID" \
--location="global" \
--format="value(name)"
Record this as WORKLOAD_IDENTITY_POOL_ID.
Step 3: Create a Workload Identity Provider
Create a provider to map GitHub’s OIDC tokens to attributes usable by Google Cloud:
GITHUB_ORG="sourcegraph"
PROVIDER_ID="cody"
gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
--project="$PROJECT_ID" \
--location="global" \
--workload-identity-pool="github" \
--display-name="GitHub Repo Provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner == '$GITHUB_ORG'" \
--issuer-uri="https://token.actions.githubusercontent.com"
Step 4: Extract the Provider Resource Name
Retrieve the provider’s fully qualified name:
gcloud iam workload-identity-pools providers describe "$PROVIDER_ID" \
--project="$PROJECT_ID" \
--location="global" \
--workload-identity-pool="github" \
--format="value(name)"
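As an added illustration (not part of the original guide and not a Google API), the following Python models what the provider created in Step 3 does with an incoming GitHub token: it applies the attribute mapping, enforces the attribute condition, and checks the 127-byte limit Google imposes on google.subject. The claims are a constructed sample of a decoded GitHub OIDC token payload; parse_mapping, condition_holds and map_token are hypothetical helpers.

```python
import re

# Constructed sample of the claims in a GitHub Actions OIDC token (decoded
# JWT payload, not a real token). GitHub's sub has the form
# repo:<owner>/<repo>:ref:refs/heads/<branch> for branch-triggered jobs.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:sourcegraph/cody:ref:refs/heads/main",
    "actor": "octocat",
    "repository": "sourcegraph/cody",
    "repository_owner": "sourcegraph",
}

# The exact values passed to gcloud in Step 3 (GITHUB_ORG expanded).
ATTRIBUTE_MAPPING = ("google.subject=assertion.sub,attribute.actor=assertion.actor,"
                     "attribute.repository=assertion.repository,"
                     "attribute.repository_owner=assertion.repository_owner")
ATTRIBUTE_CONDITION = "assertion.repository_owner == 'sourcegraph'"

# Google rejects mapped google.subject values longer than 127 bytes; long
# org/repo/branch names can hit this with the sub-based mapping above.
MAX_SUBJECT_BYTES = 127

def parse_mapping(mapping: str) -> dict:
    """Split 'target=assertion.<claim>,...' into {target: claim}."""
    out = {}
    for pair in mapping.split(","):
        target, expr = pair.split("=", 1)
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression: {expr}")
        out[target.strip()] = expr[len("assertion."):]
    return out

_EQUALITY = re.compile(r"^assertion\.(\w+)\s*==\s*'([^']*)'$")

def condition_holds(condition, claims: dict) -> bool:
    """Evaluate the single-equality CEL form used in Step 3; no condition means accept all."""
    if condition is None:
        return True
    m = _EQUALITY.match(condition.strip())
    if not m:
        raise ValueError("only `assertion.<claim> == '<literal>'` is modelled here")
    claim, literal = m.groups()
    return claims.get(claim) == literal

def map_token(claims: dict, mapping=ATTRIBUTE_MAPPING, condition=ATTRIBUTE_CONDITION):
    """Return the mapped attributes, or None when the provider would reject the token."""
    if not condition_holds(condition, claims):
        return None
    mapped = {target: claims.get(claim) for target, claim in parse_mapping(mapping).items()}
    if len(mapped["google.subject"].encode()) > MAX_SUBJECT_BYTES:
        raise ValueError("google.subject exceeds 127 bytes; token exchange would fail")
    return mapped
```

Passing condition=None to map_token shows why the attribute condition matters: without it, a token minted for any repository on GitHub maps successfully into the pool.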