Skip to content
Latchkey

How to Authenticate to GCP With Workload Identity Federation in GitHub Actions

Workload Identity Federation lets the runner OIDC token mint short-lived GCP credentials, so you never store a service-account JSON key.

Grant the job id-token: write, then use google-github-actions/auth with a workload_identity_provider and service_account. The action exchanges the GitHub OIDC token for federated GCP access without a long-lived key.

Steps

  • Create a Workload Identity Pool and an OIDC provider for token.actions.githubusercontent.com.
  • Bind your GitHub repo to a service account with roles/iam.workloadIdentityUser.
  • Add permissions: id-token: write to the job.
  • Call google-github-actions/auth with the provider and service account.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo
          service_account: deployer@my-project.iam.gserviceaccount.com
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud projects describe my-project

Gotchas

  • Without id-token: write, the auth step fails with "the GitHub Action could not request an OIDC token".
  • Scope the provider attribute condition to your repo (e.g. assertion.repository) so other repos cannot impersonate the account.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →