Skip to content

Commit

Permalink
Add support for Direct Workload Identity auth
Browse files Browse the repository at this point in the history
This adds a new authentication mode, Direct Workload Identity Federation. This new mode permits authenticating to Google Cloud directly using the GitHub Actions OIDC token instead of proxying through a Google Cloud Service Account.
  • Loading branch information
sethvargo committed Nov 22, 2023
1 parent f105ef0 commit d605844
Show file tree
Hide file tree
Showing 14 changed files with 1,206 additions and 568 deletions.
99 changes: 70 additions & 29 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,9 +48,12 @@ jobs:
- name: 'npm test'
run: 'npm run test'

credentials_json:
#
# Direct Workload Identity Federation
#
direct_workload_identity_federation:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
name: 'credentials_json'
name: 'direct_workload_identity_federation'
runs-on: '${{ matrix.os }}'
strategy:
fail-fast: false
Expand All @@ -60,6 +63,9 @@ jobs:
- 'windows-latest'
- 'macos-latest'

permissions:
id-token: 'write'

steps:
- uses: 'actions/checkout@v4'

Expand All @@ -74,7 +80,53 @@ jobs:
name: 'auth-default'
uses: './'
with:
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
project_id: '${{ vars.PROJECT_ID }}'
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
uses: 'google-github-actions/setup-gcloud@main'

- id: 'gcloud'
name: 'gcloud'
shell: 'bash'
run: |-
gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
#
# Workload Identity Federation through a Service Account
#
workload_identity_federation_through_service_account:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
name: 'workload_identity_federation_through_service_account'
runs-on: '${{ matrix.os }}'
strategy:
fail-fast: false
matrix:
os:
- 'ubuntu-latest'
- 'windows-latest'
- 'macos-latest'

permissions:
id-token: 'write'

steps:
- uses: 'actions/checkout@v4'

- uses: 'actions/setup-node@v4'
with:
node-version: '20.x'

- name: 'npm build'
run: 'npm ci && npm run build'

- id: 'auth-default'
name: 'auth-default'
uses: './'
with:
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
Expand All @@ -90,7 +142,8 @@ jobs:
name: 'auth-access-token'
uses: './'
with:
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
token_format: 'access_token'

- id: 'access-token'
Expand All @@ -107,23 +160,18 @@ jobs:
name: 'auth-id-token'
uses: './'
with:
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true

- id: 'auth-sa-retries'
name: 'auth-sa-retries'
uses: './'
with:
retries: '2'
backoff: '200'
backoff_limit: '1000'
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'

workload_identity_federation:
#
# Service Account Key JSON
#
credentials_json:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
name: 'workload_identity_federation'
name: 'credentials_json'
runs-on: '${{ matrix.os }}'
strategy:
fail-fast: false
Expand All @@ -133,9 +181,6 @@ jobs:
- 'windows-latest'
- 'macos-latest'

permissions:
id-token: 'write'

steps:
- uses: 'actions/checkout@v4'

Expand All @@ -150,8 +195,7 @@ jobs:
name: 'auth-default'
uses: './'
with:
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
Expand All @@ -167,8 +211,7 @@ jobs:
name: 'auth-access-token'
uses: './'
with:
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
token_format: 'access_token'

- id: 'access-token'
Expand All @@ -185,21 +228,19 @@ jobs:
name: 'auth-id-token'
uses: './'
with:
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true

- id: 'auth-wif-retries'
name: 'auth-wif-retries'
- id: 'auth-sa-retries'
name: 'auth-sa-retries'
uses: './'
with:
retries: '2'
backoff: '200'
backoff_limit: '1000'
workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'

# This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
# variable is shared with the container and that the path of the file is on
Expand Down
Loading

0 comments on commit d605844

Please sign in to comment.