Monday, May 20, 2024

Setting Up GitHub Actions with Google Cloud Workload Identity Federation

In this post, we'll walk you through integrating GitHub Actions with Google Cloud using Workload Identity Federation (WIF). This setup allows you to authenticate GitHub Actions to Google Cloud without using long-lived service account keys, improving security and manageability.

We'll use the following Terraform configurations and GitHub Actions workflow to achieve this:

Terraform Configuration

1. Configure Providers

Create a file to configure the required Google providers.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.0.0"

provider "google" {
  project = var.project_id
  region  = var.region
  zone    =

provider "google-beta" {
  project = var.project_id
  region  = var.region
  zone    =

2. Define Variables

Create a file to define the variables required for your project.

variable "project_id" {
  default = ""

variable "project_number" {
  default = ""

variable "region" {
  default = ""

variable "sec_region" {
  default = ""

variable "sec_zone" {
  default = ""

variable "zone" {
  default = ""

3. Set Variable Values

Create a terraform.tfvars file to specify the values for the defined variables. Update your <PROJECT_ID> and <PROJECT_NO>

project_id = <PROJECT_ID>
project_number = <PROJECT_NO>
region     = "us-central1"
zone       = "us-central1-a"

sec_region = "us-west1"
sec_zone   = "us-west1-a"

4. Create a Service Account

Create a file to define the service account and its roles.

resource "google_service_account" "github_svc" {
  project      = var.project_id
  account_id   = "gcp-github-access"
  display_name = "Service Account - github-svc"

resource "google_project_iam_member" "github-access" {
  for_each = toset([
  role    = each.key
  project = var.project_id
  member  = "serviceAccount:${}"

5. Enable Required APIs and Configure Workload Identity Federation

Create a file to enable the necessary Google Cloud APIs and configure WIF. Update your <MY-USER-OR-COMPANY>/<MY-REPO-NAME>

resource "google_project_service" "wif_api" {
  for_each = toset([

  service            = each.value
  disable_on_destroy = false

module "gh_oidc" {

  depends_on = [resource.google_service_account.github_svc]

  source            = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
  version           = "v3.1.2" # Latest version
  project_id        = var.project_id
  pool_id           = "gh-identity-pool"
  pool_display_name = "Identity Pool"
  provider_id       = "gh-provider"
  sa_mapping = {
    (resource.google_service_account.github_svc.account_id) = {
      sa_name   =
      attribute = "*"

resource "google_service_account_iam_binding" "github_svc_binding" {
  depends_on = [module.gh_oidc]
  service_account_id =
  role               = "roles/iam.workloadIdentityUser"
  members = [  "principalSet://${var.project_number}/locations/global/workloadIdentityPools/gh-identity-pool/attribute.repository/<MY-USER-OR-COMPANY>/<MY-REPO-NAME>"

Apply the Terraform Configuration

Once you have all the Terraform configuration files ready, follow these steps to apply the configuration:

  • Initialize Terraform

terraform init

  • Validate the Configuration

terraform validate

  • Plan the Deployment

terraform plan

  • Apply the Configuration

terraform apply -auto-approve

GitHub Actions Workflow

Create a workflow file in your GitHub repository under .github/workflows/wif.yml to define the GitHub Actions workflow. Update your <PROJECT_ID> and <PROJECT_NO> 

name: GitHub Actions WIF

        type: choice
        default: dv
        description: "Select the Environment"
        required: true
          - dv

  POOL_ID: <POOL_ID>   #gh-identity-pool
  PROVIDER_ID: <PROVIDER_ID> #gh-provider
    runs-on: ubuntu-latest
      contents: 'read'
      id-token: 'write'

      - name: Checkout repository
        uses: actions/checkout@v3
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
          create_credentials_file: 'true'
          workload_identity_provider: 'projects/${{env.PROJECT_NO}}/locations/global/workloadIdentityPools/${{env.POOL_ID}}/providers/${{PROVIDER_ID}}'
          service_account: 'gcp-github-access@${{env.PROJECT_ID}}'

      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
          version: '>= 363.0.0'

      - name: Run gcloud commands
        run: |
          gcloud config set project ${{env.PROJECT_ID}}
          gcloud version 


By following this setup, you enable secure authentication between GitHub Actions and Google Cloud using Workload Identity Federation. This eliminates the need for long-lived service account keys, enhancing the security of your CI/CD pipelines.

Source Code

Here on GitHub.


No comments:

Post a Comment

Testing a Spring Boot 3.2.5 App from Top to Bottom: MySQL, Docker, Unit Tests, Integration Tests

In this comprehensive guide, we'll walk you through setting up a Spring Boot 3.2.5 application with a MySQL database using Docker Compos...