Description
For security hardening, and to give customers more options for authenticating to their GCP projects, allow a stronger method of authenticating with Google Cloud: Workload Identity Federation, instead of only the less secure Service Account JSON key method.
Workload Identity Federation is recommended over Service Account keys because it removes the need to export a long-lived credential and instead establishes a trust delegation relationship between a particular GitHub Actions workflow invocation and a set of permissions on Google Cloud.
Suggestion
Ideally, switch to google-github-actions/auth for generating credentials. It supports either Service Account JSON or Workload Identity Federation.

```yaml
- id: auth
  uses: 'google-github-actions/auth@v2'
  with:
    create_credentials_file: true
    service_account: ${{ inputs.sa_email }}
    # The provider resource name uses the numeric project number, not the project ID;
    # the pool ID ("my-pool" here) and provider ID are the values created in GCP.
    # The calling workflow must also grant `permissions: id-token: write` so the
    # action can request the GitHub OIDC token that is exchanged for GCP credentials.
    workload_identity_provider: "projects/${{ inputs.project_id }}/locations/global/workloadIdentityPools/my-pool/providers/${{ inputs.wfi_pool_name }}"
```
One of the outputs when you specify create_credentials_file is:
credentials_file_path: Path on the local filesystem where the generated credentials file resides. This is only available if "create_credentials_file" was set to true.
That means the credentials_file_path output can be used in either case, whether the credentials came from a Service Account JSON key or from Workload Identity Federation.
It also outputs an auth_token that could be used, but I'm not sure this is compatible with the current CLI...
You'll need some if: logic for the auth based on whether the user wants to auth via service account JSON or workload identity federation, but it should be pretty straightforward 👍
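An added example of that if: logic, written as a composite action (this is illustrative code, not from this issue or from the google-github-actions/auth project). The input names credentials_json, project_number, wif_pool_name and wif_provider_name, the step ids, and the my-cli command are assumptions.

```yaml
# Composite action (hypothetical): pick Workload Identity Federation by default,
# and fall back to a Service Account JSON key only when the caller supplies one.
name: 'Authenticate to Google Cloud'
inputs:
  credentials_json:
    description: 'Service Account JSON key (legacy path; leave empty to use WIF)'
    required: false
  sa_email:
    description: 'Service account to act as'
    required: true
  project_number:
    description: 'Numeric project number that owns the Workload Identity Pool'
    required: false
  wif_pool_name:
    description: 'Workload Identity Pool ID'
    required: false
  wif_provider_name:
    description: 'Workload Identity Provider ID within the pool'
    required: false
runs:
  using: 'composite'
  steps:
    # Path 1: Workload Identity Federation. The short-lived GitHub OIDC token is
    # exchanged for GCP credentials, so no long-lived key is ever stored in GitHub.
    # The calling workflow must grant `permissions: id-token: write`.
    - id: auth-wif
      if: ${{ inputs.credentials_json == '' }}
      uses: 'google-github-actions/auth@v2'
      with:
        create_credentials_file: true
        service_account: ${{ inputs.sa_email }}
        workload_identity_provider: "projects/${{ inputs.project_number }}/locations/global/workloadIdentityPools/${{ inputs.wif_pool_name }}/providers/${{ inputs.wif_provider_name }}"
    # Path 2: legacy Service Account JSON key, kept only for backwards compatibility.
    - id: auth-sa
      if: ${{ inputs.credentials_json != '' }}
      uses: 'google-github-actions/auth@v2'
      with:
        create_credentials_file: true
        credentials_json: ${{ inputs.credentials_json }}
    # Whichever step ran wrote the file to its credentials_file_path output;
    # the skipped step's output is empty, so `||` selects the one that exists.
    - name: Run the CLI with the generated credentials file
      shell: bash
      env:
        GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth-wif.outputs.credentials_file_path || steps.auth-sa.outputs.credentials_file_path }}
      run: |
        test -n "$GOOGLE_APPLICATION_CREDENTIALS" || { echo "no credentials file produced"; exit 1; }
        my-cli --credentials-file "$GOOGLE_APPLICATION_CREDENTIALS"   # hypothetical CLI
```

Because the WIF path is the default and the key path only activates when a key is explicitly passed, existing callers keep working while new callers get the keyless flow.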