If you already have configured GCP for that, skip to step 5.

1. Create a Workload Identity Pool

A Workload Identity Pool is an umbrella entity for managing access in GCP. The best practice is to have a dedicated pool for each non-GCP environment.

gcloud iam workload-identity-pools create github-wif-pool --location="global" --project

2. Create a Workload Identity Provider

A Workload Identity Provider links an external identity like Github with your Google Cloud account. This lets IAM use tokens from external providers to authorize access to Google Cloud resources.

gcloud iam workload-identity-pools providers create-oidc githubwif \
--location="global" --workload-identity-pool="github-wif-pool"  \
--issuer-uri="https://token.actions.githubusercontent.com" \
--attribute-mapping="attribute.actor=assertion.actor,google.subject=assertion.sub,attribute.repository=assertion.repository" \
--project

3. Create a Service Account and bind policies

A service account with relevant permissions will be impersonated by WIF. This allows Github action to impersonate the service account and get a token.

gcloud iam service-accounts create test-wif \
--display-name="Service account used by WIF POC" \
--project

gcloud projects add-iam-policy-binding  \
--member='serviceAccount:test-wif@.iam.gserviceaccount.com' \
--role="roles/compute.viewer"
gcloud iam service-accounts add-iam-policy-binding test-wif@.iam.gserviceaccount.com \
--project= \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects//locations/global/workloadIdentityPools/github-wif-pool/attribute.repository/PradeepSingh1988/gcp-wif"

4. Add secrets to Github

Create 2 secrets in your Action Secrets with the following names:

  • GCP_WORKLOAD_IDENTITY_PROVIDER

  • GCP_SERVICE_ACCOUNT

5. Configure Digger workflow to use federated access

Set EXT env var intead of the usual key pair. See oidc-gcp-example repo for more detail. Sample config below:


  - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        token_format: access_token
        workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
        audience: google-wif

    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'

    - name: 'Use gcloud CLI'
      run: |
        gcloud info
        gsutil ls gs://${{ env.GOOGLE_STORAGE_BUCKET }}
    - name: digger
      uses: diggerhq/digger@v0.4.13
      env:
        LOCK_PROVIDER: gcp
        GITHUB_CONTEXT: ${{ toJson(github) }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GOOGLE_STORAGE_BUCKET: digger-lock2

This article is based on this post by Pradeep Kumar Singh

Setting up GCP + GH ActionsStore plans in a Bucket