Skip to content
Latchkey

google-github-actions/auth: Authenticate to Google Cloud

auth authenticates your workflow to Google Cloud, ideally keyless via Workload Identity Federation.

The keyless path exchanges the GitHub OIDC token for short-lived GCP credentials through a Workload Identity Provider. A service-account key is the fallback.

Key inputs (with:)

  • workload_identity_provider: the WIF provider resource name.
  • service_account: the service account to impersonate.
  • credentials_json: a service-account key JSON (fallback).
  • token_format: access_token or id_token for later steps.

Example workflow (WIF)

.github/workflows/ci.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/ci/providers/gh
          service_account: ci@my-project.iam.gserviceaccount.com
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud storage cp ./dist gs://my-bucket --recursive

On any runner

This action runs on any runner. Latchkey managed runners run it unchanged.

Key takeaways

  • Prefer Workload Identity Federation over JSON keys.
  • WIF needs permissions: id-token: write.
  • Follow with setup-gcloud to get the gcloud CLI configured.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →