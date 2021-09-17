



This GitHub action uses Workload Identity Federation to exchange a GitHub Actions OIDC token for a Google Cloud access token. This removes the need to export long-lived Google Cloud service account keys and establishes a trust delegation between a particular GitHub Actions workflow invocation and a set of Google Cloud permissions.

Previously:

1. Create a Google Cloud service account and grant it IAM permissions.
2. Export a JSON service account key, which stays valid for a long time.
3. Upload the JSON service account key to a GitHub secret.

With Workload Identity Federation:

1. Create a Google Cloud service account and grant it IAM permissions.
2. Create and configure a Workload Identity Provider for GitHub.

Prerequisites

This action requires you to create and configure a Google Cloud workload identity provider. See the setup procedure below.

Usage

    jobs:
      run:
        # ...

        # Add "id-token" with the intended permissions.
        permissions:
          contents: 'read'
          id-token: 'write'

        steps:
        - id: 'google-cloud-auth'
          name: 'Authenticate to Google Cloud'
          # Pin to a release tag or commit SHA of sethvargo/oidc-auth-google-cloud.
          uses: 'sethvargo/oidc-auth-google-cloud@<REF>'
          with:
            workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
            service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

        # Example of using the output (the step id above is referenced here):
        - id: 'access-secret'
          run: |-
            curl https://secretmanager.googleapis.com/v1/projects/my-project/secrets/my-secret/versions/1:access \
              --header "Authorization: Bearer ${{ steps.google-cloud-auth.outputs.access_token }}"

Inputs

workload_identity_provider: (Required) The full identifier of the workload identity provider, including the project number, pool name, and provider name. It must be the complete resource name with all parts. For example:

    projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider

service_account: (Required) The email address or unique ID of the Google Cloud service account for which to generate credentials. For example:

    my-service-account@my-project.iam.gserviceaccount.com

audience: (Optional) The value of the audience (aud) claim for the generated GitHub Actions OIDC token. Currently the only valid value is "sigstore", but this input exists in case custom values are allowed in the future. The default value is "sigstore".

delegates: (Optional) Email addresses or unique IDs of additional service accounts to use in the impersonation chain. By default there are no delegates.

lifetime: (Optional) The desired lifetime of the access token, in seconds. Specify it as a number of seconds with a trailing "s" (for example, 30s). The default value is 1 hour (3600s).

Setup

To exchange GitHub Actions OIDC tokens for Google Cloud access tokens, you need to create and configure a workload identity provider. These steps use the gcloud command line tool.

Create or use an existing Google Cloud project. You need privileges to create workload identity pools and workload identity providers and to manage service accounts and IAM permissions. Save the project ID as an environment variable; the remaining steps assume it is set.

    export PROJECT_ID="my-project" # update with your value

(Optional) Create a Google Cloud service account. If you already have a service account, make a note of its email address and skip this step.

    gcloud iam service-accounts create "my-service-account" \
      --project "${PROJECT_ID}"

(Optional) Grant the Google Cloud service account permissions to access Google Cloud resources. This depends on your use case. For demonstration purposes, you could grant access to Google Secret Manager secrets or Google Cloud Storage objects.

Create a workload identity pool.

    gcloud iam workload-identity-pools create "my-pool" \
      --project="${PROJECT_ID}" \
      --location="global" \
      --display-name="Demo pool"

Create a workload identity provider in that pool.

    gcloud iam workload-identity-pools providers create-oidc "my-provider" \
      --project="${PROJECT_ID}" \
      --location="global" \
      --workload-identity-pool="my-pool" \
      --display-name="Demo provider" \
      --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repo=assertion.repository" \
      --issuer-uri="https://vstoken.actions.githubusercontent.com" \
      --allowed-audiences="sigstore"

Currently, GitHub allows only the "sigstore" audience. The attribute mapping maps GitHub Actions JWT claims to attributes you can assert about the request, such as the repository of the principal that invoked the GitHub action or the GitHub username. The mapping above also exposes the repository claim as attribute.repo so that the repository-scoped IAM binding later in this setup has an attribute to match against. These attributes can be used to further restrict authentication with the --attribute-condition flag.

Get the full ID of the workload identity provider.

    gcloud iam workload-identity-pools providers describe "my-provider" \
      --project="${PROJECT_ID}" \
      --location="global" \
      --workload-identity-pool="my-pool"

Note the name attribute. It has the following format:

    projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider

Save this value as an environment variable.

    export WORKLOAD_IDENTITY_PROVIDER_ID="..." # value from above

Allow authentications from the workload identity provider to impersonate the service account created above.

Warning: this will allow access to every identity in the pool (all GitHub repositories that can obtain a token from this provider). Instead, it is strongly recommended to bind to specific attributes such as the actor or repository name. See the documentation on mapping external identities for more information.

    gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/iam.workloadIdentityUser" \
      --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_PROVIDER_ID}/*"

To bind to a specific repository instead (this requires the provider's attribute mapping to define attribute.repo from the repository claim, and the value must be the full owner/name form that the claim carries):

    gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/iam.workloadIdentityUser" \
      --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_PROVIDER_ID}/attribute.repo/my-org/my-repo"

Use this GitHub action with your workload identity provider ID and service account email. The action creates a GitHub OIDC token and, if authentication succeeds, exchanges it for a Google Cloud access token. All of this happens without exporting a Google Cloud service account JSON key.

GitHub token format

The following is a sample GitHub token for reference when writing attribute mappings. (The claim values are the page's sample values; the workflow file name in job_workflow_ref is shown as a placeholder.)

    {
      "jti": "...",
      "sub": "repo:username/reponame:ref:refs/heads/master",
      "aud": "sigstore",
      "ref": "refs/heads/master",
      "sha": "d11880f4f451ee35192135525dc974c56a3c1b28",
      "repository": "username/reponame",
      "repository_owner": "reponame",
      "run_id": "1238222155",
      "run_number": "18",
      "run_attempt": "1",
      "actor": "username",
      "workflow": "OIDC",
      "head_ref": "",
      "base_ref": "",
      "event_name": "push",
      "ref_type": "branch",
      "job_workflow_ref": "username/reponame/.github/workflows/WORKFLOW_FILE@refs/heads/master",
      "iss": "https://vstoken.actions.githubusercontent.com",
      "nbf": 1631718827,
      "exp": 1631719727,
      "iat": 1631719427
    }
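The following is an added example, not code from the action or from Google Cloud: a simplified offline model of what the token exchange checks against the provider configured in the setup above, that is, issuer, allowed audience, token validity window, the --attribute-mapping, and whether the resulting identity falls inside an IAM binding member. It uses a constructed claim set shaped like the sample token above and shows why the "/*" binding admits every repository while the attribute.repo binding only matches the full owner/name value of the repository claim. The real service evaluates mappings and conditions with CEL; this model handles only the simple "assertion.<claim>" form used on this page.

```python
import time

PROVIDER = "projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
ISSUER = "https://vstoken.actions.githubusercontent.com"
ALLOWED_AUDIENCES = {"sigstore"}

# Mirrors the --attribute-mapping flag from the setup steps.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.aud": "assertion.aud",
    "attribute.repo": "assertion.repository",
}

# Constructed sample claims, shaped like the GitHub token sample above.
SAMPLE_CLAIMS = {
    "sub": "repo:username/reponame:ref:refs/heads/master",
    "aud": "sigstore",
    "actor": "username",
    "repository": "username/reponame",
    "iss": ISSUER,
    "nbf": 1631718827,
    "exp": 1631719727,
}


def token_accepted(claims, now=None):
    """Issuer, audience and time-window checks the provider applies before mapping."""
    now = time.time() if now is None else now
    return (claims.get("iss") == ISSUER
            and claims.get("aud") in ALLOWED_AUDIENCES
            and claims["nbf"] <= now < claims["exp"])


def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Apply 'target=assertion.<claim>' mappings; a missing claim fails the exchange."""
    mapped = {}
    for target, expr in mapping.items():
        prefix, claim = expr.split(".", 1)
        if prefix != "assertion":
            raise ValueError(f"unsupported mapping expression: {expr}")
        if claim not in claims:
            raise KeyError(f"token lacks claim {claim!r} needed for {target}")
        mapped[target] = claims[claim]
    return mapped


def member_matches(member, mapped, provider=PROVIDER):
    """Does a principalSet:// IAM binding member cover this mapped identity?"""
    base = f"principalSet://iam.googleapis.com/{provider}/"
    if not member.startswith(base):
        return False
    rest = member[len(base):]
    if rest == "*":                       # the broad binding: every identity in the pool
        return True
    if rest.startswith("attribute."):     # attribute.<name>/<expected value>
        name, _, expected = rest.partition("/")
        return mapped.get(name) == expected
    return False
```
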

