
Setting up OIDC Connect for GitHub and GCP

This document outlines the steps to configure OIDC (OpenID Connect) for secure authentication between GitHub Actions and Google Cloud Platform (GCP). This allows your GitHub Actions workflows to access GCP resources without storing long-lived service account keys.

GCP Configuration

To configure the OIDC identity provider in GCP, you will need to perform the following steps. For detailed instructions, refer to the GCP documentation.

  1. Create a new identity pool:
    * This pool will manage the identities from your GitHub repository.
    * In our case the pool ID is github-opentofu-pool. To view it in the GCP console (terraform-state project), go to IAM -> Workload Identity Federation -> "GitHub Actions identity Pool".

(Screenshot: GCP_WORKLOAD_IDENTITY_POOL)

  2. Configure the attribute mapping and add an attribute condition:
    * Define how GitHub's OIDC claims map to GCP's identity attributes.
    * Set a condition that restricts access by repository owner, repository name, and branch, so that only tokens issued for the main branch of this repository can be exchanged.
    * In our case the provider name is my-repo.
    * The condition is: `assertion.repository_owner == 'majority-dev' && assertion.repository == 'majority-dev/dt-gcp-infrastructure' && assertion.ref == 'refs/heads/main'`

(Screenshot: OIDC_PROVIDER)

  3. Connect the new pool to a service account:
    * Grant the service account only the permissions it needs to access the GCP resources the workflow manages.
    * In our case the service account is opentofu-github-svcacc@terraform-state-466caff6.iam.gserviceaccount.com
    * The GCP project is terraform-state.
    * The workload identity provider is projects/632304642337/locations/global/workloadIdentityPools/github-opentofu-pool/providers/my-repo

(Screenshot: WorkLoad_IdentityPool_SA)
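The attribute condition in step 2 is evaluated by GCP against the claims of the token GitHub issues to a workflow run. The Python below is an added illustration, not part of this setup or of any GCP tooling: it mirrors that condition over constructed, unsigned sample tokens (claim names `repository_owner`, `repository`, `ref` and `sub` are GitHub's standard OIDC claims; signature and issuer verification are left to GCP) and reports which clause rejects a feature branch, a pull_request merge ref, or another repository in the same org.

```python
import base64
import json

# Attribute condition configured on the provider (values from the setup above).
REQUIRED = {
    "repository_owner": "majority-dev",
    "repository": "majority-dev/dt-gcp-infrastructure",
    "ref": "refs/heads/main",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT for offline testing (constructed, not a real
    GitHub token; the signature segment is a dummy)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.dummysig"

def decode_claims(token: str) -> dict:
    """Decode the payload segment only. GCP verifies the signature against
    GitHub's JWKS; this helper just exposes the claims for inspection."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def failed_clauses(token: str) -> list:
    """Names of the condition clauses the token does NOT satisfy; an empty
    list means the provider's attribute condition would accept it."""
    claims = decode_claims(token)
    return [k for k, v in REQUIRED.items() if claims.get(k) != v]

def github_claims(repo: str, ref: str, event: str) -> dict:
    """Constructed sample of the claims GitHub places in its OIDC token."""
    sub = f"repo:{repo}:ref:{ref}" if event == "push" else f"repo:{repo}:pull_request"
    return {"iss": "https://token.actions.githubusercontent.com", "sub": sub,
            "repository": repo, "repository_owner": repo.split("/")[0],
            "ref": ref, "event_name": event}

if __name__ == "__main__":
    cases = {
        "push to main": github_claims(REQUIRED["repository"], "refs/heads/main", "push"),
        "push to feature branch": github_claims(REQUIRED["repository"], "refs/heads/feature-x", "push"),
        "pull request merge ref": github_claims(REQUIRED["repository"], "refs/pull/42/merge", "pull_request"),
        "other repo in the org": github_claims("majority-dev/other-repo", "refs/heads/main", "push"),
    }
    for label, claims in cases.items():
        failed = failed_clauses(make_token(claims))
        print(f"{label}: {'allowed' if not failed else 'denied on ' + ', '.join(failed)}")
```

Note that a pull_request run carries `ref: refs/pull/<n>/merge`, so it is the `ref` clause, not the repository clauses, that keeps PR-triggered runs from exchanging a token.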

GitHub Actions Workflow Configuration

To update your GitHub Actions workflows for OIDC, you will need to make two changes to your YAML:

  1. Add a permissions block for the token:
    * Grant the workflow permission to request an OIDC token (`id-token: write`).
  2. Use the google-github-actions/auth action to exchange the OIDC token (JWT) for a short-lived cloud access token:
    * This action handles the token exchange with the workload identity provider and the service account impersonation.

Example Workflow YAML

```yaml
permissions:
  contents: read
  id-token: write   # required so the job can request an OIDC token

jobs:
  tofu_plan:
    defaults:
      run:
        working-directory: ${{ inputs.working_directory }}

    runs-on: stage-build-runners

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: GCP Auth
        id: gcp-auth
        uses: google-github-actions/auth@v2
        with:
          service_account: 'opentofu-github-svcacc@terraform-state-466caff6.iam.gserviceaccount.com'
          workload_identity_provider: 'projects/632304642337/locations/global/workloadIdentityPools/github-opentofu-pool/providers/my-repo'
          create_credentials_file: true # (optional)

      # Add your workflow steps that use GCP resources here.
      # Example: Terraform plan
      #- name: Terraform Plan
      #  run: terraform plan
      #  env:
      #    GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcp-auth.outputs.credentials_file_path }}
```