Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revisit how we authenticate with GCP in GHA #1672

Open
dcdenu4 opened this issue Oct 31, 2024 · 2 comments
Open

Revisit how we authenticate with GCP in GHA #1672

dcdenu4 opened this issue Oct 31, 2024 · 2 comments

Comments

@dcdenu4
Copy link
Member

dcdenu4 commented Oct 31, 2024

We are currently using a service account key from GCP to authenticate. Historically, given how our GHAs are set up for InVEST, each team member has copied those secrets over to their personal fork in order to develop and have the workflows pass there. There's a few issues with that general setup:

  • Service account keys are essentially long-lived passwords that are tedious to manage. Google often points people to better authentication methods that are more secure and less likely to cause security concerns.
  • Having secrets / keys copied into personal forks doesn't seem great. It's a hassle if a secret changes and needs to be updated and causes further risk exposure. If a team member ever left, they also would have those secrets still in their personal repo and if we felt like we needed to, we'd have to update our secrets.

One possible direction to take is using OpenID Connect (OIDC). This along with Google's Workload Identity Federation seem to provide a path towards more security and less maintenance. It appears that a lot of the permission checkpoints are handled on the GCP side.

@phargogh
Copy link
Member

phargogh commented Nov 6, 2024

It appears that we can also use OIDC to authenticate with PyPI from GHA: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi

@phargogh
Copy link
Member

The best instructions I have found relating to identity federation have been in the little collapsible sections of https://github.com/google-github-actions/auth?tab=readme-ov-file#preferred-direct-workload-identity-federation, which will walk you through the specific gcloud commands to set things up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants