What is keyless authentication, and why would you care?

Let’s say you want to run a full CI/CD flow directly from a GitHub action. As a final step in deployment, you may need to authenticate to Google Cloud to implement any changes to infrastructure and services. Since you don’t have a UI, authentication is usually done through a service account.

For example, when running either of the following two scenarios in GitHub Actions, you’ll need to provide credentials for Google Cloud Platform (GCP):

• Apply basic transitions with Terraform
• Make changes to your cloud service with gcloud cli

GCP provides a simple mechanism: download a service account key in JSON format, and offer it to any running client via GOOGLE_APPLICATION_CREDENTIALS environment variable.

This mechanism works, but it relies on long-lasting credibility. This works, but it is also insecure, because if exposed in any way, a third party would have access to everything the service account had access to, allowing the attacker to steal data and/or generally But enough time will be given to do some damage.

If you think you’ll see any attacks like this, think again! A motivated and skilled attacker can be far before triggering any alarms that will prompt you to investigate.

enter workload identity federation, This allows an external identity (aka, your GitHub principal) to be granted access to Google Cloud resources. Not only this Magical Without requiring any service key secrets, but also setting a token expiration of one hour – a very short window of attack.

OK, so now we know’Why?, Let’s move on’How,

Before you begin, you’ll need to decide on a few names and variables:

• $PROJECT: the identifier of your Google Cloud project (ie some-project-123,
• $NAME: The name was assigned to the identity pool (ie, my-identity-pool,
• $PROVIDER_NAME: The name was given to the identity provider (ie, my-provider,
• $SERVICE_ACCOUNT: The name of the service account user who has access to your project/resources
• $GITHUB_ORG: The GitHub organization that hosts your code
• $GITHUB_REPO: GitHub repository containing your code
• $PROJECT_NUMBER:recovered from Google Cloud, see below:

gcloud projects list \
--filter="project_id:$PROJECT" \
--format="get(project_number)"

Now, let’s configure GCP keyless authentication in five easy steps:

1. create an identity pool

gcloud iam workload-identity-pools create "$NAME" \
--project="$PROJECT" \
--location="global" \
--display-name="$NAME (or a description of your choosing)"

2. Create an Identity Provider

gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_NAME" \
--project="$PROJECT" \
--location="global" \
--workload-identity-pool="$NAME" \
--display-name="$NAME (or a description of your choosing)" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
--issuer-uri="https://token.actions.githubusercontent.com"

As configured, this Identity Provider will allow your workflow to obtain OIDC tokens limited to the current (calling) repository – when it comes to security, always apply principle_of_least_privilege,

3. Bind the policy to your service account:

gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT@$PROJECT.iam.gserviceaccount.com" \
--project="$PROJECT" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$NAME/attribute.repository/$GITHUB_ORG/$GITHUB_REPO"

over GitHub Workflow Party:

4. You must give id-token permission for your job GITHUB_TOKENSo that the running workflow can read/write the OIDC token and interact with the Google Identity Provider.

This is easily accomplished by adding the following permissions block for your job (or entire workflow).

permissions:
contents: read
id-token: write

You will instead remove all defaults when specifying explicit permissions in GH workflows. That’s why youContent: Read” line.

5. Finally, use Google Authenticator GitHub Actions To retrieve the credentials you need for your job — all further steps in your job will be able to use them.

- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0.4.0'
with:
workload_identity_provider: 'projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$NAME/providers/$PROVIDER_NAME'
service_account: '$SERVICE_USER@$PROJECT.iam.gserviceaccount.com'

this much only!

Good luck with all your automation!