If you already have configured GCP for that, skip to step 5.
1. Create a Workload Identity Pool
A Workload Identity Pool is an umbrella entity for managing access in GCP. The best practice is to have a dedicated pool for each non-GCP environment.
gcloud iam workload-identity-pools create github-wif-pool --location="global" --project
2. Create a Workload Identity Provider
A Workload Identity Provider links an external identity like Github with your Google Cloud account. This lets IAM use tokens from external providers to authorize access to Google Cloud resources.
gcloud iam workload-identity-pools providers create-oidc githubwif \
--location="global" --workload-identity-pool="github-wif-pool" \
--issuer-uri="https://token.actions.githubusercontent.com" \
--attribute-mapping="attribute.actor=assertion.actor,google.subject=assertion.sub,attribute.repository=assertion.repository" \
--project
3. Create a Service Account and bind policies
A service account with relevant permissions will be impersonated by WIF. This allows Github action to impersonate the service account and get a token.
gcloud iam service-accounts create test-wif \
--display-name="Service account used by WIF POC" \
--project
gcloud projects add-iam-policy-binding \
--member='serviceAccount:test-wif@.iam.gserviceaccount.com' \
--role="roles/compute.viewer"
gcloud iam service-accounts add-iam-policy-binding test-wif@.iam.gserviceaccount.com \
--project= \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects//locations/global/workloadIdentityPools/github-wif-pool/attribute.repository/PradeepSingh1988/gcp-wif"
4. Add secrets to Github
Create 2 secrets in your Action Secrets with the following names:
Set EXT
env var instead of the usual key pair. See oidc-gcp-example repo for more detail. Sample config below:
- id: 'auth'
uses: 'google-github-actions/auth@v1'
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
audience: google-wif
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v1'
- name: 'Use gcloud CLI'
run: |
gcloud info
gsutil ls gs://${{ env.GOOGLE_STORAGE_BUCKET }}
- name: digger
uses: diggerhq/digger@vLatest
env:
LOCK_PROVIDER: gcp
GITHUB_CONTEXT: ${{ toJson(github) }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOOGLE_STORAGE_BUCKET: digger-lock2
This article is based on this
post
by Pradeep Kumar Singh