google-github-actions/auth: Authenticate to Google Cloud
auth authenticates your workflow to Google Cloud, ideally keyless via Workload Identity Federation.
The keyless path exchanges the GitHub OIDC token for short-lived GCP credentials through a Workload Identity Provider. A service-account key is the fallback.
Key inputs (with:)
- workload_identity_provider: the WIF provider resource name.
- service_account: the service account to impersonate.
- credentials_json: a service-account key JSON (fallback).
- token_format: access_token or id_token for later steps.
Example workflow (WIF)
.github/workflows/ci.yml
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/123/locations/global/workloadIdentityPools/ci/providers/gh
service_account: ci@my-project.iam.gserviceaccount.com
- uses: google-github-actions/setup-gcloud@v2
- run: gcloud storage cp ./dist gs://my-bucket --recursiveOn any runner
This action runs on any runner. Latchkey managed runners run it unchanged.
Key takeaways
- Prefer Workload Identity Federation over JSON keys.
- WIF needs permissions: id-token: write.
- Follow with setup-gcloud to get the gcloud CLI configured.
Related guides
aws-actions/configure-aws-credentials: Auth to AWS in CIReference for aws-actions/configure-aws-credentials: assume an IAM role via OIDC (no static keys) and set AWS…
azure/login: Authenticate to Azure in CIReference for azure/login: sign in to Azure via OIDC federated credentials or a service principal so later st…
hashicorp/setup-terraform: Install Terraform in CIReference for hashicorp/setup-terraform: install a pinned Terraform version and optionally wrap commands to e…