GCP Workload Identity Setup for GitHub Actions

Satish Radadiya
3 min read · Mar 29, 2024

GitHub Actions has become a widely adopted platform for continuous integration and continuous delivery (CI/CD). In the past, long-lived service account keys were commonly used to automate software delivery to Google Cloud from it. A key stored as a repository secret is a credential that can be leaked, copied into logs, or kept around long after it was needed, and that risk has led many organizations to stop using keys altogether.

In response, Google Cloud introduced Workload Identity Federation, which lets a GitHub Actions job exchange the short-lived OIDC token GitHub issues to it for Google Cloud credentials, so no key is created, stored, or rotated. Although the setup is generally straightforward, it is not uncommon to run into problems during configuration.

In this article, I present a simplified method for implementing GCP Workload Identity Federation for GitHub Actions using Terraform. I am biased towards Terraform, but if you're unfamiliar with Terraform and have no intention of delving into it, you can still follow these steps to enable GCP Workload Identity Federation in a few minutes.

Step 1: Setting Up Workload Identity Pool and Provider:
To kick off the process, the Terraform module provisions two components: the Workload Identity Pool and the Workload Identity Provider. The pool is the container for external identities, and the provider is the trust relationship with GitHub's OIDC issuer (https://token.actions.githubusercontent.com). The provider's attribute mapping copies claims from the GitHub token (such as the repository) into attributes Google Cloud IAM can reference, and its attribute condition restricts which tokens are accepted at all. Without a condition that pins the repository, any GitHub repository could present a token to your provider, so treat that condition as part of the security boundary rather than an optional nicety.

Step 2: Configuring Service Account and IAM Policies:
Following the initialization phase, the module configures a service account with the necessary IAM policies. Two things are needed: a project role that gives the service account the permissions for the deployment task, and a roles/iam.workloadIdentityUser binding on the service account itself that allows identities from the pool, filtered to your repository, to impersonate it. The second binding is what ties the federated GitHub identity to the service account.

Note: For simplicity, I assign the Editor role to the service account. However, this approach contradicts the principle of least privilege in security. Be sure to adjust the role accordingly based on your specific requirements.

Step 3: Generating the Workflow YAML File:
Upon completing the foundational setup, the Terraform module generates a workload.yaml file from a customizable template (workflow.tpl). The resulting YAML file can be copied to your GitHub repository and adjusted for your particular actions. The workflow must request `permissions: id-token: write`, since that is what lets the job obtain the OIDC token that the auth step exchanges for Google Cloud credentials. While the template shows the deployment of a Cloud Run service, it can be tailored to your needs.
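The three steps above, wired together in one Terraform file. This is an added example and not the code of the module linked in this article; it assumes the hashicorp/google and hashicorp/local providers, and the variable names, resource IDs, role choice, service name, region and image are assumptions to replace with your own. It differs from the article's note in one deliberate way: it grants a scoped Cloud Run role rather than Editor, and it pins the provider's attribute condition and the impersonation binding to a single repository.

```hcl
# Added example (not the module's own code). Assumed inputs:
variable "project_id"  { type = string }
variable "github_org"  { type = string } # e.g. "my-org"  (assumption)
variable "github_repo" { type = string } # e.g. "my-app"  (assumption)

locals {
  repo = "${var.github_org}/${var.github_repo}"
}

# Step 1: pool and provider. The attribute_condition is the control that stops
# any other GitHub repository from presenting a token to this provider.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-pool"
  display_name              = "GitHub Actions pool"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  display_name                       = "GitHub OIDC"

  # Copy claims from the GitHub OIDC token into IAM-visible attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.actor"      = "assertion.actor"
    "attribute.repository" = "assertion.repository"
  }

  # Only accept tokens minted for this one repository.
  attribute_condition = "assertion.repository == \"${local.repo}\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Step 2: the service account the workflow impersonates, with a scoped role
# instead of roles/editor, plus the binding that lets tokens from this
# repository (and only this repository) act as it.
resource "google_service_account" "deployer" {
  project      = var.project_id
  account_id   = "github-deployer"
  display_name = "GitHub Actions deployer"
}

resource "google_project_iam_member" "deployer_run" {
  project = var.project_id
  role    = "roles/run.developer" # enough to deploy a Cloud Run revision
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

resource "google_service_account_iam_member" "deployer_wif" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${local.repo}"
}

# Step 3: render the workflow file to copy into the repository.
resource "local_file" "workflow" {
  filename = "${path.module}/workload.yaml"
  content  = <<-EOT
    name: deploy
    on:
      push:
        branches: [main]
    permissions:
      contents: read
      id-token: write   # required so the job can request its OIDC token
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - id: auth
            uses: google-github-actions/auth@v2
            with:
              workload_identity_provider: ${google_iam_workload_identity_pool_provider.github.name}
              service_account: ${google_service_account.deployer.email}
          - uses: google-github-actions/deploy-cloudrun@v2
            with:
              service: my-service          # assumption: your Cloud Run service
              region: us-central1          # assumption: your region
              image: gcr.io/${var.project_id}/my-service:latest
  EOT
}

output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github.name
}
```

Two points worth checking after `terraform apply`: the `workload_identity_provider` output must be the full `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/...` resource name, which is what google-github-actions/auth expects, and a Cloud Run deploy that sets a runtime service account also needs roles/iam.serviceAccountUser on that runtime account for the deployer, which this example intentionally does not grant at project scope.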

Activating GCP Workload Identity Federation — A Few Easy Steps:

To initiate the process and enable GCP Workload Identity Federation for your GitHub Actions, adhere to the steps below:

1. Clone the Terraform module from the GitHub repository: https://github.com/nc-bnordha/gcp-workload-identity-github-actions
2. Modify the terraform.tfvars file to incorporate your Google Project ID and GitHub repository information.
3. Run the subsequent Terraform commands in Google Cloud Shell:

terraform init
terraform plan
terraform apply

Once generated, the workload.yaml file can be customized and committed to your GitHub repository, at which point your workflow authenticates to Google Cloud through Workload Identity Federation instead of a stored key.

With Terraform, establishing GCP Workload Identity Federation for GitHub Actions is a repeatable and auditable change rather than a sequence of console clicks. The result is a CI/CD pipeline that holds no long-lived Google Cloud credential at all, which removes the leak risk that motivated the move away from service account keys in the first place.

Ref:
1. Keyless authentication from GitHub Actions: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
2. Terraform Workload Identity module: https://github.com/nc-bnordha/gcp-workload-identity-github-actions
