Workload Identity Federation — Authenticate GitHub actions to Google Cloud

Prakash Singh
KPMG UK Engineering
3 min read, Mar 7, 2022

Traditionally, GitHub authenticates to Google Cloud using service account keys. This approach brings a couple of concerns with it:

1- The JSON key generated from the service account has to be stored in a GitHub secret.

2- Keeping that key secure is an ongoing overhead.

3- There is no out-of-the-box service account key rotation, so if the keys are rotated periodically with custom logic, the GitHub secret has to be updated every time.

Workload Identity Federation Authentication Practice (the better way)

1- Create a Google Cloud service account and grant IAM permissions.

2- Create and configure a Workload Identity Provider for GitHub.

3- Exchange the GitHub Actions OIDC token for a short-lived Google Cloud access token.

Benefits of this approach -

1- No need to store a service account key in a GitHub secret.

2- No need to implement any custom logic for periodic key rotation.

3- A more secure and compact way to authenticate.

How Workload Identity Federation Works -

  • GitHub Actions supports OpenID Connect (OIDC).
  • Provision a workload identity pool and a provider.
  • Bind the service account to the pool with a workload identity impersonation policy (the roles/iam.workloadIdentityUser binding shown in the Terraform below), so that the federated GitHub identity may impersonate it.
  • In the GitHub Action, introduce a new step, "Authenticate to Google Cloud".
  • Specify the full resource path of the identity provider in that step.
GitHub Google Cloud integration through OIDC (diagram source: link)

Setup Workload Identity Federation using Terraform -

There are two steps in this process -

1- Set up the identity pool and provider, and the impersonation binding on the service account -

resource "google_iam_workload_identity_pool" "pool" {
  project                   = var.ci_runner_project_id
  provider                  = google-beta
  workload_identity_pool_id = "workload-pool-name"
}

resource "google_iam_workload_identity_pool_provider" "github_provider" {
  project                            = var.ci_runner_project_id
  provider                           = google-beta
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-google-provider"

  # Map claims of the GitHub OIDC token onto Google attributes
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.actor"      = "assertion.actor"
    "attribute.aud"        = "assertion.aud"
    "attribute.repository" = "assertion.repository"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Allow only tokens from the given repository to impersonate the CI service account
resource "google_service_account_iam_member" "github_oidc_repos" {
  provider           = google-beta
  service_account_id = "projects/${var.ci_runner_project_id}/serviceAccounts/${var.ci_runner_sa_email}"
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.pool.workload_identity_pool_id}/attribute.repository/${var.repository_name}"
}
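To make the mechanics behind the bullet list above and the Terraform concrete, here is an added Python walk-through that is not part of the original article or of Google's tooling. It models, offline, what the workload identity pool does with a GitHub OIDC token: decode the claims, evaluate the provider's attribute_mapping, check membership of the principalSet named in the google_service_account_iam_member binding, and then build the two requests that the google-github-actions/auth step sends (the STS token exchange, then generateAccessToken for the service account). The token claims, the project number 123456789, the pool and provider names, and the example-org/example-repo repository are constructed values; the JWT is unsigned and only for local use, since in the real flow Google's STS verifies GitHub's signature. The passes_attribute_condition helper models an attribute_condition such as assertion.repository_owner == "example-org", which the article's provider does not set; adding one limits the pool to your own organisation and is worth doing alongside the repository-scoped binding.

```python
import base64
import json

# Constructed values; the pool/provider names follow the article's Terraform and the
# project number matches the placeholder in the article's workflow snippet.
PROJECT_NUMBER = "123456789"
POOL_ID = "workload-pool-name"
PROVIDER_ID = "github-google-provider"
SA_EMAIL = "service_account_name@project_id.iam.gserviceaccount.com"
PROVIDER_RESOURCE = (
    f"projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/"
    f"{POOL_ID}/providers/{PROVIDER_ID}"
)
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Same attribute_mapping as the google_iam_workload_identity_pool_provider resource.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.aud": "assertion.aud",
    "attribute.repository": "assertion.repository",
}

# Constructed GitHub OIDC claims (a real token is signed by GitHub; only the claims are modelled).
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": f"https://iam.googleapis.com/{PROVIDER_RESOURCE}",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "actor": "octocat",
    "repository": "example-org/example-repo",
    "repository_owner": "example-org",
}


def make_unsigned_jwt(claims):
    """header.payload. with an empty signature; for this offline demo only."""
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


def decode_claims(jwt):
    """Decode the payload segment without signature verification (Google's STS verifies it)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Evaluate the provider's attribute_mapping, where each value is 'assertion.<claim>'."""
    mapped = {}
    for target, expr in mapping.items():
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression: {expr}")
        mapped[target] = claims[expr[len("assertion."):]]
    return mapped


def passes_attribute_condition(claims, allowed_owner):
    """Model of an attribute_condition like  assertion.repository_owner == "<allowed_owner>"."""
    return claims.get("repository_owner") == allowed_owner


def principal_set(attribute, value):
    """principalSet member string as used in the google_service_account_iam_member binding."""
    return (
        f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
        f"workloadIdentityPools/{POOL_ID}/attribute.{attribute}/{value}"
    )


def is_member(mapped, member):
    """True if the mapped identity falls inside the principalSet named in the IAM binding."""
    marker = "/attribute."
    idx = member.rfind(marker)
    if idx < 0:
        return False
    parts = member[idx + len(marker):].split("/", 1)
    return len(parts) == 2 and mapped.get(f"attribute.{parts[0]}") == parts[1]


def sts_exchange_request(subject_token):
    """Body of POST https://sts.googleapis.com/v1/token: GitHub JWT -> federated access token."""
    return {
        "audience": f"//iam.googleapis.com/{PROVIDER_RESOURCE}",
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": subject_token,
    }


def impersonation_request(sa_email=SA_EMAIL, lifetime_seconds=3600):
    """URL and body of generateAccessToken, sent with the federated token as Bearer auth."""
    url = f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa_email}:generateAccessToken"
    body = {"scope": ["https://www.googleapis.com/auth/cloud-platform"], "lifetime": f"{lifetime_seconds}s"}
    return url, body


def authorize(jwt, allowed_owner, binding_member):
    """Local walk-through of the checks the pool applies before the exchange succeeds."""
    claims = decode_claims(jwt)
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer mismatch"
    if claims.get("aud") != f"https://iam.googleapis.com/{PROVIDER_RESOURCE}":
        return False, "audience mismatch"
    if not passes_attribute_condition(claims, allowed_owner):
        return False, "attribute_condition rejected"
    if not is_member(map_attributes(claims), binding_member):
        return False, "not in principalSet"
    return True, "exchange permitted"


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    binding = principal_set("repository", "example-org/example-repo")
    print(authorize(token, "example-org", binding))
    print(json.dumps(sts_exchange_request(token), indent=2)[:200], "...")
```

The point to take from authorize is that the binding on attribute.repository is what stops a workflow in another repository (which obtains its own valid GitHub token from the same issuer) from impersonating the service account; the attribute_condition adds a second, pool-wide fence at the organisation level.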

2- Add the OIDC authentication step to the GitHub Actions workflow file -

jobs:
  oidctestjob:
    name: Run Google Cloud Workload
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/workload-pool-name/providers/github-google-provider'
          service_account: 'service_account_name@project_id.iam.gserviceaccount.com'
      ……
      ……

Note: the permissions block with id-token: write is required for the job to be able to request an OIDC token; read or none will not work.

Now you are all set to authenticate your #github repositories to #googlecloud using the new and improved #workloadidentityfederation method, provisioned with #terraform.

Please follow the article below to learn more about this -
