How to Authenticate to Google Cloud via Workload Identity Federation in GitHub Actions
Workload Identity Federation trades the runner OIDC token for a short-lived Google access token, so no JSON key file is stored.
Configure a Workload Identity Pool and provider that trust GitHub, then use google-github-actions/auth with workload_identity_provider and service_account. No credentials_json is needed.
Steps
- Create a Workload Identity Pool and an OIDC provider for GitHub.
- Bind a service account to the pool with a
attribute.repositorycondition. - Add
permissions: id-token: writeto the job. - Use
google-github-actions/authwith the provider and service account.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gha/providers/gh
service_account: deployer@my-proj.iam.gserviceaccount.com
- uses: google-github-actions/setup-gcloud@v2
- run: gcloud storage lsGotchas
- The provider attribute condition (e.g.
assertion.repository) must match the pool binding or the exchange is rejected. - Downstream actions read the exported
GOOGLE_APPLICATION_CREDENTIALSfile the auth step writes.
Related guides
How to Assume an AWS Role With OIDC Instead of Static Keys in GitHub ActionsReplace long-lived AWS access keys in GitHub Actions with short-lived OIDC credentials by assuming an IAM rol…
How to Read GCP Secret Manager Secrets in GitHub ActionsFetch secrets from Google Cloud Secret Manager in GitHub Actions with google-github-actions/get-secretmanager…