A GitHub Action for authenticating to Google Cloud.
Authenticate to Google Cloud from GitHub Actions
This GitHub Action authenticates to Google Cloud. It supports authentication via a Google Cloud Service Account Key JSON and authentication via [Workload Identity Federation][wif].
Workload Identity Federation is recommended over Service Account Keys as it obviates the need to export a long-lived credential and establishes a trust delegation relationship between a particular GitHub Actions workflow invocation and permissions on Google Cloud. There are three ways to set up this GitHub Action to authenticate to Google Cloud:
- (Preferred) Direct Workload Identity Federation
- Workload Identity Federation through a Service Account
- Service Account Key JSON
[!IMPORTANT]
The gsutil command will not use the credentials exported by this GitHub
Action. Customers should use gcloud storage instead.
**This is not an officially supported Google product, and it is not covered by a Google Cloud support contract. To report bugs or request features in a Google Cloud product, please contact Google Cloud support.**
Prerequisites
- Run the
actions/checkout@v7step before this action. Omitting the
auth will cause future steps to be
unable to authenticate.
- To create binaries, containers, pull requests, or other releases, add the
.gitignore, .dockerignore and similar files to prevent
accidentally committing credentials to your release artifact:
# Ignore generated credentials from google-github-actions/auth
gha-creds-*.json
- This action runs using Node 24. Use a runner
Usage
jobs:
job_id:
# Any runner supporting Node 20 or newer
runs-on: ubuntu-latest
# Add "id-token" with the intended permissions. permissions: contents: 'read' id-token: 'write'
steps: - uses: 'actions/checkout@v7'
- uses: 'google-github-actions/auth@v3' with: project_id: 'my-project' workloadidentityprovider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
[!NOTE]>
Changing the permissions block may remove some default permissions. See the
[permissions documentation][github-perms] for more information.
For more usage options, see the examples.
Inputs
Inputs: Workload Identity Federation
[!WARNING]>
This option is not supported by Firebase Admin
SDK. Use Service
Account Key JSON authentication instead.
[!WARNING]>
As of the time of this writing, the GitHub OIDC token expires in 5 minutes,
which means any derived credentials also expire in 5 minutes.
The following inputs are for authenticating to Google Cloud via Workload Identity Federation.
-
workloadidentityprovider: (Required) The full identifier of the Workload
projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
-
service_account: (Optional) Email address or unique identifier of the
my-service-account@my-project.iam.gserviceaccount.com
Without this input, the GitHub Action will use Direct Workload Identity Federation. If this input is provided, the GitHub Action will use Workload Identity Federation through a Service Account.
-
audience: (Optional) The value for the audience (aud) parameter in the
workloadidentityprovider, which is also the default value Google Cloud
expects for the audience parameter on the token.
Inputs: Service Account Key JSON
[!CAUTION]>
Service Account Key JSON credentials are long-lived credentials and must be
treated like a password.
The following inputs are for authenticating to Google Cloud via a Service Account Key JSON.
-
credentials_json: (Required) The Google Cloud Service Account Key JSON to
We advise minifying your JSON into a single line string before storing it in a GitHub Secret. When a GitHub Secret is used in a GitHub Actions workflow, each line of the secret is masked in log output. This can lead to aggressive sanitization of benign characters like curly braces ({}) and brackets ([]).
To generate access tokens or ID tokens using this service account, you must grant the underlying service account roles/iam.serviceAccountTokenCreator permissions on itself.
Inputs: Generating OAuth 2.0 access tokens
The following inputs are for generating OAuth 2.0 access tokens for authenticating to Google Cloud as an output for use in future steps in the workflow. These options only apply to access tokens generated by this action. By default, this action does not generate any tokens.
-
service_account: (Required) Email address or unique identifier of the
my-service-account@my-project.iam.gserviceaccount.com
-
tokenformat: (Required) This value must be"accesstoken"to generate
-
accesstokenlifetime: (Optional) Desired lifetime duration of the access
constraints/iam.allowServiceAccountCredentialLifetimeExtension
organization policy is enabled, in which case the maximum value is 12 hours.
-
accesstokenscopes: (Optional) List of OAuth 2.0 access scopes to be
https://www.googleapis.com/auth/cloud-platform
This can be specified as a comma-separated or newline-separated list.
-
accesstokensubject: (Optional) Email address of a user to impersonate
constraints/iam.allowServiceAccountCredentialLifetimeExtension
organization policy is enabled.
In order to support Domain-Wide Delegation via Workload Identity Federation, you must grant the external identity ("principalSet") roles/iam.serviceAccountTokenCreator in addition to roles/iam.workloadIdentityUser. The default Workload Identity setup will only grant the latter role. If you want to use this GitHub Action with Domain-Wide Delegation, you must manually add the "Service Account Token Creator" role onto the external identity.
You will also need to customize the accesstokenscopes value to correspond to the OAuth scopes required for the API(s) you will access.
Inputs: Generating ID tokens
The following inputs are for generating ID tokens for authenticating to Google Cloud as an output for use in future steps in the workflow. These options only apply to ID tokens generated by this action. By default, this action does not generate any tokens.
[!CAUTION]>
ID Tokens have a maximum lifetime of 10 minutes. This value cannot be changed.
-
service_account: (Required) Email address or unique identifier of the
my-service-account@my-project.iam.gserviceaccount.com
-
tokenformat: This value must be"idtoken"to generate ID tokens.
-
idtokenaudience: (Required) The audience for the generated ID Token.
-
idtokeninclude_email: (Optional) Optional parameter of whether to
Inputs: Miscellaneous
The following inputs are for controlling the behavior of this GitHub Actions, regardless of the authentication mechanism.
-
project_id: (Optional) Custom project ID to use for authentication and
-
createcredentialsfile: (Optional) If true, the action will securely
The credentials file is exported into $GITHUB_WORKSPACE, which makes it available to all future steps and filesystems (including Docker-based GitHub Actions). The file is automatically removed at the end of the job via a post action. In order to use exported credentials, you must add the actions/checkout step before calling auth. This is due to how GitHub Actions creates $GITHUB_WORKSPACE:
jobs:
job_id:
steps:
- uses: 'actions/checkout@v7' # Must come first!
- uses: 'google-github-actions/auth@v3'
-
exportenvironmentvariables: (Optional) If true, the action will export
- CLOUDSDK_PROJECT - CLOUDSDKCOREPROJECT - GCP_PROJECT - GCLOUD_PROJECT - GOOGLECLOUDPROJECT
If createcredentialsfile is true, additional environment variables are exported:
- CLOUDSDKAUTHCREDENTIALFILEOVERRIDE - GOOGLEAPPLICATIONCREDENTIALS - GOOGLEGHACREDS_PATH
If false, the action will not export any environment variables, meaning future steps are unlikely to be automatically authenticated to Google Cloud. The default value is true.
-
delegates: (Optional) List of additional service account emails or unique
-
universe: (Optional) The Google Cloud universe to use for constructing API
You can also override individual API endpoints by setting the environment variable GHAENDPOINTOVERRIDE_<endpoint> where endpoint is the API endpoint to override. This only applies to the auth action and does not persist to other steps. For example:
env:
GHAENDPOINTOVERRIDE_oauth2: 'https://oauth2.myapi.endpoint/v1'
-
requestreason: (Optional) An optional Reason Request System
-
cleanup_credentials: (Optional) If true, the action will remove any
Outputs
-
project_id: Provided or extracted value for the Google Cloud project ID.
-
credentialsfilepath: Path on the local filesystem where the generated
-
auth_token: The Google Cloud federated token (for Workload Identity
-
access_token: The Google Cloud access token for calling other Google Cloud
-
id_token: The Google Cloud ID token. This is only available when
Setup
This section describes the three configuration options:
- (Preferred) Direct Workload Identity Federation
- Workload Identity Federation through a Service Account
- Service Account Key JSON
[!IMPORTANT]>
It can take up to 5 minutes for Workload Identity Pools, Workload Identity
Providers, and IAM permissions to propagate. Please wait at least five minutes
and follow all Troubleshooting steps before opening
an issue.
(Preferred) Direct Workload Identity Federation
In this setup, the Workload Identity Pool has direct IAM permissions on Google Cloud resources; there are no intermediate service accounts or keys. This is preferred since it directly authenticates GitHub Actions to Google Cloud without a proxy resource. However, not all Google Cloud resources support principalSet identities, and the resulting token has a maximum lifetime of 10 minutes. Please see the documentation for your Google Cloud service for more information.
[!IMPORTANT]>
To generate OAuth 2.0 access tokens or ID tokens, you must provide a service
account email, and the Workload Identity Pool must have
roles/iam.workloadIdentityUser permissions on the target Google Cloud
Service Account. Follow the steps for Workload Identity Federation through a
Service Account instead.
Click here to show detailed instructions for configuring GitHub authentication to Google Cloud via a direct Workload Identity Federation.
These instructions use the [gcloud][gcloud] command-line tool.
- Create a Workload Identity Pool:
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam workload-identity-pools create "github" \ --project="${PROJECT_ID}" \ --location="global" \ --display-name="GitHub Actions Pool"
- Get the full ID of the Workload Identity Pool:
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam workload-identity-pools describe "github" \ --project="${PROJECT_ID}" \ --location="global" \ --format="value(name)"
This value should be of the format:
projects/123456789/locations/global/workloadIdentityPools/github
- Create a Workload Identity Provider in that pool:
# TODO: replace ${PROJECTID} and ${GITHUBORG} with your values below.
gcloud iam workload-identity-pools providers create-oidc "my-repo" \ --project="${PROJECT_ID}" \ --location="global" \ --workload-identity-pool="github" \ --display-name="My GitHub repo Provider" \ --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repositoryowner=assertion.repositoryowner" \ --attribute-c \ --issuer-uri="https://token.actions.githubusercontent.com"
> โ๏ธ IMPORTANT You must map any claims in the incoming token to > attributes before you can assert on those attributes in a CEL expression > or IAM policy!
- Extract the Workload Identity Provider resource name:
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam workload-identity-pools providers describe "my-repo" \ --project="${PROJECT_ID}" \ --location="global" \ --workload-identity-pool="github" \ --format="value(name)"
Use this value as the workloadidentityprovider value in the GitHub Actions YAML:
- uses: 'google-github-actions/auth@v3'
with:
project_id: 'my-project'
workloadidentityprovider: '...' # "projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo"
> โ๏ธ IMPORTANT The project_id input is optional, but may be required > by downstream authentication systems such as the gcloud CLI. > Unfortunately we cannot extract the project ID from the Workload Identity > Provider, since it requires the project number. > > It is technically possible to convert a project number into a project > ID, but it requires permissions to call Cloud Resource Manager, and we > cannot guarantee that the Workload Identity Pool has those permissions.
- As needed, allow authentications from the Workload Identity Pool to Google
The following example shows granting access from a GitHub Action in a specific repository a secret in Google Secret Manager.
# TODO: replace ${PROJECTID}, ${WORKLOADIDENTITYPOOLID}, and ${REPO}
# with your values below.
#
# ${REPO} is the full repo name including the parent GitHub organization,
# such as "my-org/my-repo".
#
# ${WORKLOADIDENTITYPOOL_ID} is the full pool id, such as
# "projects/123456789/locations/global/workloadIdentityPools/github".
gcloud secrets add-iam-policy-binding "my-secret" \ --project="${PROJECT_ID}" \ --role="roles/secretmanager.secretAccessor" \ --member="principalSet://iam.googleapis.com/${WORKLOADIDENTITYPOOL_ID}/attribute.repository/${REPO}"
Review the [GitHub documentation][github-oidc] for a complete list of options and values. This GitHub repository does not seek to enumerate every possible combination.
Workload Identity Federation through a Service Account
In this setup, the Workload Identity Pool impersonates a Google Cloud Service Account which has IAM permissions on Google Cloud resources. This exchanges the GitHub Actions OIDC token with a Google Cloud OAuth 2.0 access token by granting GitHub Actions permissions to mint tokens for the given Service Account. Thus GitHub Actions inherits that Service Account's permissions by proxy.
Click here to show detailed instructions for configuring GitHub authentication to Google Cloud via a Workload Identity Federation through a Service Account.
These instructions use the [gcloud][gcloud] command-line tool.
- (Optional) Create a Google Cloud Service Account. If you already have a
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam service-accounts create "my-service-account" \ --project "${PROJECT_ID}"
- Create a Workload Identity Pool:
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam workload-identity-pools create "github" \ --project="${PROJECT_ID}" \ --location="global" \ --display-name="GitHub Actions Pool"
- Get the full ID of the Workload Identity Pool:
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam workload-identity-pools describe "github" \ --project="${PROJECT_ID}" \ --location="global" \ --format="value(name)"
This value should be of the format:
projects/123456789/locations/global/workloadIdentityPools/github
- Create a Workload Identity Provider in that pool:
# TODO: replace ${PROJECTID} and ${GITHUBORG} with your values below.
gcloud iam workload-identity-pools providers create-oidc "my-repo" \ --project="${PROJECT_ID}" \ --location="global" \ --workload-identity-pool="github" \ --display-name="My GitHub repo Provider" \ --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repositoryowner=assertion.repositoryowner" \ --attribute-c \ --issuer-uri="https://token.actions.githubusercontent.com"
> โ๏ธ IMPORTANT You must map any claims in the incoming token to > attributes before you can assert on those attributes in a CEL expression > or IAM policy!
- Allow authentications from the Workload Identity Pool to your Google Cloud
# TODO: replace ${PROJECTID}, ${WORKLOADIDENTITYPOOLID}, and ${REPO}
# with your values below.
#
# ${REPO} is the full repo name including the parent GitHub organization,
# such as "my-org/my-repo".
#
# ${WORKLOADIDENTITYPOOL_ID} is the full pool id, such as
# "projects/123456789/locations/global/workloadIdentityPools/github".
gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \ --project="${PROJECT_ID}" \ --role="roles/iam.workloadIdentityUser" \ --member="principalSet://iam.googleapis.com/${WORKLOADIDENTITYPOOL_ID}/attribute.repository/${REPO}"
Review the [GitHub documentation][github-oidc] for a complete list of options and values. This GitHub repository does not seek to enumerate every possible combination.
- Extract the Workload Identity Provider resource name:
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam workload-identity-pools providers describe "my-repo" \ --project="${PROJECT_ID}" \ --location="global" \ --workload-identity-pool="github" \ --format="value(name)"
Use this value as the workloadidentityprovider value in the GitHub Actions YAML:
- uses: 'google-github-actions/auth@v3'
with:
service_account: '...' # my-service-account@my-project.iam.gserviceaccount.com
workloadidentityprovider: '...' # "projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo"
- As needed, grant the Google Cloud Service Account permissions to access
# TODO: replace ${PROJECT_ID} with your value below.
gcloud secrets add-iam-policy-binding "my-secret" \ --project="${PROJECT_ID}" \ --role="roles/secretmanager.secretAccessor" \ --member="serviceAccount:my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
Service Account Key JSON
In this setup, a Service Account has direct IAM permissions on Google Cloud resources. You download a Service Account Key JSON file and upload it to GitHub as a secret.
[!CAUTION]>
Google Cloud Service Account Key JSON files must be secured
and treated like a password. Anyone with access to the JSON key can
authenticate to Google Cloud as the underlying Service Account. By default,
these credentials never expire, which is why the former authentication options
are much preferred.
Click here to show detailed instructions for configuring GitHub authentication to Google Cloud via a Service Account Key JSON.
These instructions use the [gcloud][gcloud] command-line tool.
- (Optional) Create a Google Cloud Service Account. If you already have a
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam service-accounts create "my-service-account" \ --project "${PROJECT_ID}"
- Create a Service Account Key JSON for the Service Account.
# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam service-accounts keys create "key.json" \ --iam-account "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
- Upload the contents of this file as a GitHub Actions
Use the name of the GitHub Actions secret as the credentials_json value in the GitHub Actions YAML:
- uses: 'google-github-actions/auth@v3'
with:
credentialsjson: '${{ secrets.GOOGLECREDENTIALS }}' # Replace with the name of your GitHub Actions secret
[dwd]: https://developers.google.com/admin-sdk/directory/v1/guides/delegation [gcloud]: https://cloud.google.com/sdk [github-oidc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token [github-perms]: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions [map-external]: https://cloud.google.com/iam/docs/access-resources-oidc#impersonate [wif]: https://cloud.google.com/iam/docs/workload-identity-federation [security-considerations]: docs/SECURITY_CONSIDERATIONS.md