-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add guide for using workload identity federation #349
base: main
Are you sure you want to change the base?
Conversation
- uses: actions/checkout@v2 | ||
|
||
# Add these two steps to generate the credential to use with the `action-hosting-deploy` action. | ||
- name: Prepare Google Cloud authentication |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This step seems to be missing id: auth
otherwise I think ${{ steps.auth.outputs.credentials_file_path }}
won't work below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- name: Prepare Google Cloud authentication | |
- name: Prepare Google Cloud authentication | |
id: auth |
create_credentials_file: true | ||
- name: Get federated identity credentials file | ||
run: | | ||
echo "SERVICE_ACCOUNT_KEY=$(cat "${{ steps.auth.outputs.credentials_file_path }}" | tr -d '\n')" >> $GITHUB_ENV |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI this will silently fail if ${{ steps.auth.outputs.credentials_file_path }}
resolves to something invalid oder to ''
.
uses: 'google-github-actions/auth@v2' | ||
with: | ||
service_account: 'service-account@your-project.iam.gserviceaccount.com' | ||
workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-your-org' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-your-org' | |
workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-your-org' | |
token_format: 'access_token' | |
access_token_scopes: 'email,openid,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/firebase,https://www.googleapis.com/auth/cloud-platform' |
This is what we are using 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if all of the scopes are strictly necessary
Adds the current workaround for using workload identity federation so people more easily are able to find it and use security best practices.
Partially addresses #174