Skip to content
Latchkey

How to Authenticate to Google Cloud via Workload Identity Federation in GitHub Actions

Workload Identity Federation trades the runner OIDC token for a short-lived Google access token, so no JSON key file is stored.

Configure a Workload Identity Pool and provider that trust GitHub, then use google-github-actions/auth with workload_identity_provider and service_account. No credentials_json is needed.

Steps

  • Create a Workload Identity Pool and an OIDC provider for GitHub.
  • Bind a service account to the pool with a attribute.repository condition.
  • Add permissions: id-token: write to the job.
  • Use google-github-actions/auth with the provider and service account.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gha/providers/gh
          service_account: deployer@my-proj.iam.gserviceaccount.com
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud storage ls

Gotchas

  • The provider attribute condition (e.g. assertion.repository) must match the pool binding or the exchange is rejected.
  • Downstream actions read the exported GOOGLE_APPLICATION_CREDENTIALS file the auth step writes.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →