You can configure Digger to authenticate to GCP with OIDC (Workload Identity Federation) instead of static key-value credentials.
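#!/usr/bin/env bash
# One-time GCP setup so GitHub Actions can authenticate with OIDC (Workload
# Identity Federation) instead of a long-lived service-account key.
#
# Creates: a workload identity pool, a GitHub OIDC provider in it, a service
# account, and the two IAM bindings the workflow needs.
# Requires: gcloud, authenticated as a principal that can administer IAM in
# the project. Every command is idempotent only in the sense that re-running
# it fails on "already exists"; adjust if you need to re-run.
set -euo pipefail

command -v gcloud >/dev/null || { printf 'gcloud not found in PATH\n' >&2; exit 1; }

# --- Fill in before running (placeholders) ------------------------------------
PROJECT_ID="YOUR_GCP_PROJECT_ID"          # placeholder: project that owns the pool and service account
PROJECT_NUMBER="YOUR_GCP_PROJECT_NUMBER"  # placeholder: numeric project number; principalSet:// uses it, not the ID
GITHUB_REPO="PradeepSingh1988/gcp-wif"    # owner/repo whose workflows may impersonate the service account
readonly PROJECT_ID PROJECT_NUMBER GITHUB_REPO

# Names below must match what the GitHub workflow references.
readonly POOL="github-wif-pool"
readonly PROVIDER="githubwif"
readonly SA_NAME="test-wif"
readonly SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# 1. Pool that federated GitHub identities are mapped into.
gcloud iam workload-identity-pools create "${POOL}" \
  --location="global" \
  --project="${PROJECT_ID}"

# 2. OIDC provider trusting GitHub's token issuer. The attribute mapping is what
#    exposes assertion.repository as attribute.repository, which the principalSet
#    binding in step 5 relies on. Without an attribute condition any GitHub
#    repository's token can be exchanged through this pool (though it still
#    cannot impersonate the service account); consider adding
#    --attribute-condition="assertion.repository_owner == 'OWNER'" (OWNER is a
#    placeholder) to limit the pool to your own organisation.
gcloud iam workload-identity-pools providers create-oidc "${PROVIDER}" \
  --location="global" \
  --workload-identity-pool="${POOL}" \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="attribute.actor=assertion.actor,google.subject=assertion.sub,attribute.repository=assertion.repository" \
  --project="${PROJECT_ID}"

# 3. Service account the workflow will impersonate.
gcloud iam service-accounts create "${SA_NAME}" \
  --display-name="Service account used by WIF POC" \
  --project="${PROJECT_ID}"

# 4. Project-level role for the service account. roles/compute.viewer is the
#    example used on this page; NOTE(review): the workflow lists a GCS bucket
#    and sets LOCK_PROVIDER=gcp, so the account presumably also needs storage
#    permissions on that bucket — confirm the minimal role set Digger requires.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/compute.viewer"

# 5. Allow tokens from exactly one repository to impersonate the service
#    account. The attribute.repository scope is the control that stops any
#    other GitHub repository's OIDC token from using this account; do not
#    widen it to the whole pool.
gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/attribute.repository/${GITHUB_REPO}"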
# Workflow steps (excerpt): obtain GCP credentials via OIDC, then run Digger.
# The enclosing job must grant `permissions: id-token: write` so the auth step
# can request a GitHub OIDC token; that key is outside this excerpt — confirm.
- id: 'auth'
  uses: 'google-github-actions/auth@v1'
  with:
    token_format: access_token
    # Full resource name of the provider created in the gcloud setup:
    # projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-wif-pool/providers/githubwif
    workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
    # Email of the service account bound with roles/iam.workloadIdentityUser.
    # GCP_SERVICE_ACCOUNT is not defined in this excerpt — presumably a job-level env.
    service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
    # NOTE(review): a custom audience is only accepted if the provider lists it
    # in --allowed-audiences; the gcloud setup above does not set one, so the
    # provider would expect its default audience (its own resource name) — confirm.
    audience: google-wif
- name: 'Set up Cloud SDK'
  uses: 'google-github-actions/setup-gcloud@v1'
- name: 'Use gcloud CLI'
  # Smoke test that the federated credentials work and can see the lock bucket.
  run: |
    gcloud info
    gsutil ls gs://${{ env.GOOGLE_STORAGE_BUCKET }}
- name: digger
  # NOTE(review): vLatest is a mutable tag; pinning to a full commit SHA gives a
  # reproducible, tamper-evident action version.
  uses: diggerhq/digger@vLatest
  env:
    LOCK_PROVIDER: gcp
    GITHUB_CONTEXT: ${{ toJson(github) }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    # Step-level env: the earlier gsutil step also reads env.GOOGLE_STORAGE_BUCKET,
    # which this step-level definition does not provide — presumably it is set at
    # job level as well; verify.
    GOOGLE_STORAGE_BUCKET: digger-lock2