---
title: Configuring OpenID Connect in Google Cloud Platform
shortTitle: OpenID Connect in Google Cloud Platform
intro: Use OpenID Connect within your workflows to authenticate with Google Cloud Platform.
versions:
type: tutorial
topics:
redirect_from:
---
{% data reusables.actions.enterprise-github-hosted-runners %}
## Overview

OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to access resources in Google Cloud Platform (GCP), without needing to store the GCP credentials as long-lived {% data variables.product.prodname_dotcom %} secrets.

This guide gives an overview of how to configure GCP to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`google-github-actions/auth`](https://github.com/google-github-actions/auth) action that uses tokens to authenticate to GCP and access resources.

{% data reusables.actions.oidc-link-to-intro %}

{% data reusables.actions.oidc-security-notice %}

{% data reusables.actions.oidc-on-ghecom %}
## Adding a Google Cloud Workload Identity Provider

To configure the OIDC identity provider in GCP, you will need to perform the following configuration. For instructions on making these changes, refer to the GCP documentation.

- Create a new identity pool.
- Configure the mapping and add conditions.
- Connect the new pool to a service account.

Additional guidance for configuring the identity provider:

- For security hardening, make sure you've reviewed "AUTOTITLE." For an example, see "AUTOTITLE."
- For the service account to be available for configuration, it needs to be assigned to the `roles/iam.workloadIdentityUser` role. For more information, see the GCP documentation.
- The Issuer URL to use: {% ifversion ghes %}`https://HOSTNAME/_services/token`{% else %}`https://token.actions.githubusercontent.com`{% endif %}
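The mapping and condition step above is where the trust boundary is actually drawn: the provider decides which of the issuer's tokens may be exchanged for a GCP credential. The following Python model, added here as an illustration and not code from GitHub or Google, applies an attribute mapping and an attribute condition to constructed sample claim sets and builds the `principalSet://` member used to grant `roles/iam.workloadIdentityUser`. The project number, pool and provider names, repository names and the audience value are all assumptions; real providers evaluate CEL expressions, whereas this model supports only equality and prefix checks.

```python
# Added example (not GitHub's or Google's code): an offline model of the two provider
# settings this section tells you to configure, the attribute mapping and the attribute
# condition, plus the IAM member string used to grant roles/iam.workloadIdentityUser.
# Real providers evaluate CEL; this model supports only equality and prefix checks.
from dataclasses import dataclass, field

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Assumed audience: the auth action's default is the provider's full resource name
# prefixed with https://iam.googleapis.com/ (project number and pool names are made up).
PROVIDER_AUDIENCE = ("https://iam.googleapis.com/projects/123456789012/locations/global/"
                     "workloadIdentityPools/name-of-pool/providers/name-of-provider")

# Attribute mapping: pool attribute <- claim in the GitHub JWT (assertion.<claim> in GCP).
DEFAULT_MAPPING = {
    "google.subject": "sub",
    "attribute.repository": "repository",
    "attribute.ref": "ref",
}


@dataclass
class Provider:
    issuer: str
    audience: str
    mapping: dict
    # condition: mapped attribute -> exact value, or ("prefix", value)
    condition: dict = field(default_factory=dict)


def map_claims(provider, claims):
    """Apply the attribute mapping; a missing source claim is an error, as in GCP."""
    mapped = {}
    for target, source in provider.mapping.items():
        if source not in claims:
            raise ValueError(f"claim '{source}' required by the mapping is absent")
        mapped[target] = claims[source]
    return mapped


def accept(provider, claims):
    """Return (ok, reason): would this provider exchange the token for a GCP credential?"""
    if claims.get("iss") != provider.issuer:
        return False, "issuer mismatch"
    if claims.get("aud") != provider.audience:
        return False, "audience mismatch"
    try:
        mapped = map_claims(provider, claims)
    except ValueError as exc:
        return False, str(exc)
    if not provider.condition:
        # GitHub's issuer signs tokens for every repository on github.com, so a provider
        # without a condition lets any repository assume the pool's identities.
        return True, "no condition: any repository accepted"
    for attr, expected in provider.condition.items():
        value = mapped.get(attr)
        if isinstance(expected, tuple) and expected[0] == "prefix":
            if not (isinstance(value, str) and value.startswith(expected[1])):
                return False, f"{attr}={value!r} does not start with {expected[1]!r}"
        elif value != expected:
            return False, f"{attr}={value!r} != {expected!r}"
    return True, "condition satisfied"


def principal_set(project_number, pool, attribute, value):
    """IAM member that binds roles/iam.workloadIdentityUser to one mapped attribute value."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool}/attribute.{attribute}/{value}")


# Constructed sample claim sets, shaped like the claims GitHub's OIDC token carries.
MAIN_BRANCH_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": PROVIDER_AUDIENCE,
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "repository": "octo-org/octo-repo", "ref": "refs/heads/main",
}
PR_CLAIMS = dict(MAIN_BRANCH_CLAIMS, sub="repo:octo-org/octo-repo:pull_request",
                 ref="refs/pull/42/merge")
OTHER_REPO_CLAIMS = dict(MAIN_BRANCH_CLAIMS, sub="repo:someone-else/repo:ref:refs/heads/main",
                         repository="someone-else/repo")

OPEN_PROVIDER = Provider(GITHUB_ISSUER, PROVIDER_AUDIENCE, DEFAULT_MAPPING)
STRICT_PROVIDER = Provider(GITHUB_ISSUER, PROVIDER_AUDIENCE, DEFAULT_MAPPING, {
    "attribute.repository": "octo-org/octo-repo",
    "attribute.ref": ("prefix", "refs/heads/"),
})

if __name__ == "__main__":
    for name, claims in [("main branch", MAIN_BRANCH_CLAIMS), ("pull request", PR_CLAIMS),
                         ("other repo", OTHER_REPO_CLAIMS)]:
        print(f"{name:12} open={accept(OPEN_PROVIDER, claims)} strict={accept(STRICT_PROVIDER, claims)}")
    print(principal_set("123456789012", "name-of-pool", "repository", "octo-org/octo-repo"))
```

Two things the model makes visible. `OPEN_PROVIDER` accepts the token from `someone-else/repo`, which is why a condition on `attribute.repository` (or a repository-scoped `principalSet` binding, as `principal_set` builds) belongs in every GitHub-facing pool. And `STRICT_PROVIDER` rejects `PR_CLAIMS`, because its `ref` condition only admits branch refs: the workflow later in this guide runs on `pull_request`, so the condition you write has to match the events you actually intend to federate.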
## Updating your {% data variables.product.prodname_actions %} workflow

To update your workflows for OIDC, you will need to make two changes to your YAML:

- Add permissions settings for the token.
- Use the `google-github-actions/auth` action to exchange the OIDC token (JWT) for a cloud access token.
{% data reusables.actions.oidc-deployment-protection-rules %}
### Adding permissions settings

{% data reusables.actions.oidc-permissions-token %}
### Requesting the access token

The `google-github-actions/auth` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from GCP. For more information, see the GCP documentation.

This example has a job called `Get_OIDC_ID_token` that uses actions to request a list of services from GCP.

- `WORKLOAD-IDENTITY-PROVIDER`: Replace this with the path to your identity provider in GCP. For example, `projects/example-project-id/locations/global/workloadIdentityPools/name-of-pool/providers/name-of-provider`.
- `SERVICE-ACCOUNT`: Replace this with the name of your service account in GCP.

This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token for a Google Cloud access token, using Workload Identity Federation.
{% raw %}
```yaml
name: List services in GCP

on:
  pull_request:
    branches:
      - main

permissions:
  id-token: write

jobs:
  Get_OIDC_ID_token:
    runs-on: ubuntu-latest
    steps:
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/auth@f1e2d3c4b5a6f7e8d9c0b1a2c3d4e5f6a7b8c9d0'
      with:
        create_credentials_file: 'true'
        workload_identity_provider: 'WORKLOAD-IDENTITY-PROVIDER'
        service_account: 'SERVICE-ACCOUNT'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        gcloud services list
```
{% endraw %}
## Further reading

{% data reusables.actions.oidc-further-reading %}