How to Authenticate to GCP With Workload Identity Federation in GitHub Actions
Workload Identity Federation lets the runner OIDC token mint short-lived GCP credentials, so you never store a service-account JSON key.
Grant the job id-token: write, then use google-github-actions/auth with a workload_identity_provider and service_account. The action exchanges the GitHub OIDC token for federated GCP access without a long-lived key.
Steps
- Create a Workload Identity Pool and an OIDC provider for
token.actions.githubusercontent.com. - Bind your GitHub repo to a service account with
roles/iam.workloadIdentityUser. - Add
permissions: id-token: writeto the job. - Call
google-github-actions/authwith the provider and service account.
Workflow
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo
service_account: deployer@my-project.iam.gserviceaccount.com
- uses: google-github-actions/setup-gcloud@v2
- run: gcloud projects describe my-projectGotchas
- Without
id-token: write, the auth step fails with "the GitHub Action could not request an OIDC token". - Scope the provider attribute condition to your repo (e.g.
assertion.repository) so other repos cannot impersonate the account.
Related guides
How to Deploy a Cloud Run Service With GitHub ActionsDeploy a prebuilt container image to Google Cloud Run from GitHub Actions using google-github-actions/deploy-…
How to Push a Container Image to Artifact Registry in GitHub ActionsBuild and push a Docker image to Google Artifact Registry from GitHub Actions, configuring Docker auth with g…