OIDC GCP Integration

GCP OIDC GitHub Actions IAM Terraform Security

Project Overview

The aim of this project is to demonstrate how to securely authenticate GitHub Actions workflows to Google Cloud Platform using OpenID Connect (OIDC) - courtesy of GCP's Workload Identity Federation. By leveraging OIDC, we eliminate the need for static service account keys and enhance security through dynamic, short-lived credentials.

Key Features

🔐 Keyless Authentication

Compared to using GCP service accounts with keys, OIDC provides secure authentication to GCP services without storing long-lived credentials as GitHub secrets.

🔄 Automated Setup

This project makes use of Terraform modules for infrastructure provisioning, as well as for automating the Workload Identity Federation setup and configuration.

📝 Infrastructure as Code

Complete IaC implementation using Terraform for reproducible and version-controlled infrastructure.

🛡️ Enhanced Security

Short-lived credentials and fine-grained IAM permissions for improved security posture.

Technical Implementation

1. Workload Identity Pool Setup

First, we create a Workload Identity Pool in GCP. This pool serves as a collection point for external identities and allows us to manage GitHub Actions authentication in a centralized way.

resource "google_iam_workload_identity_pool" "github_pool" {
  workload_identity_pool_id = "github-pool"
  display_name              = "GitHub Actions Pool"
  description               = "Identity pool for GitHub Actions OIDC"
}

2. Provider Configuration

Next, we configure the OIDC provider to establish trust between GitHub Actions and GCP. The attribute mapping maps claims from GitHub's OIDC token (assertion.sub, assertion.repository) onto the attributes GCP evaluates (google.subject, attribute.repository), so that IAM policies can be expressed in terms of the calling repository.

resource "google_iam_workload_identity_pool_provider" "github_provider" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  attribute_mapping                  = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

3. Infrastructure Provisioning

Navigate to the terraform/ directory and execute the following commands to provision the infrastructure:

# Initialize Terraform and download providers
terraform init

# Review the infrastructure changes
terraform plan

# Apply the infrastructure changes
terraform apply

After successful application, Terraform will output three important values needed for GitHub Actions:

  • Workload Identity Provider URL
  • Service Account Email
  • Audience Value
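As written, the provider in step 2 accepts a token from any GitHub repository, and steps 1-3 do not show how the service account is tied to the pool. The Terraform below is an added example, not the project's own code: a hardened drop-in for the step 2 provider plus the service account, the pool-to-account binding, and the three outputs step 3 describes. It assumes a variable github_repository holding the allowed repository as "owner/name".

```hcl
# Added example, not the project's own code. Assumed input: the GitHub
# repository allowed to authenticate, as "owner/name".
variable "github_repository" {
  type        = string
  description = "GitHub repository allowed to authenticate, as owner/name"
}

# Hardened form of the page's provider: attribute_condition (a CEL expression)
# rejects tokens whose repository claim is not the expected one, so the pool
# does not trust every repository on GitHub.
resource "google_iam_workload_identity_pool_provider" "github_provider" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  attribute_condition = "attribute.repository == \"${var.github_repository}\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Dedicated service account for the workflow; grant it only the project roles
# the deployment needs (those bindings are not shown here).
resource "google_service_account" "github_actions" {
  account_id   = "github-actions"
  display_name = "GitHub Actions deployer"
}

# Allow pool identities carrying the expected attribute.repository value to
# impersonate the service account. This binding, not the provider alone, is
# what lets the workflow obtain credentials.
resource "google_service_account_iam_member" "github_wif_user" {
  service_account_id = google_service_account.github_actions.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_pool.name}/attribute.repository/${var.github_repository}"
}

# The three values step 3 says Terraform outputs; copy them into the GitHub
# secrets described in step 4.
output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github_provider.name
}
output "service_account_email" {
  value = google_service_account.github_actions.email
}
output "audience" {
  value = "https://iam.googleapis.com/${google_iam_workload_identity_pool_provider.github_provider.name}"
}
```

The principalSet member and the attribute_condition both key on attribute.repository, so a token from another repository is rejected at the provider and, even if it were not, would not match the binding.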

4. GitHub Actions Configuration

Configure the following secrets in your GitHub repository settings using the Terraform outputs:

GCP_WORKLOAD_IDENTITY_PROVIDER

The full resource name of your Workload Identity Provider, in the format:

projects/123456789/locations/global/workloadIdentityPools/github-pool/providers/github-provider

AUDIENCE

The audience value for the OIDC token, typically:

https://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/github-pool/providers/github-provider

GCP_SERVICE_ACCOUNT

The email address of the service account:

github-actions@your-project.iam.gserviceaccount.com

5. GitHub Actions Workflow

Finally, configure the GitHub Actions workflow to use these secrets for authentication:

jobs:
  deploy:
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: 'actions/checkout@v3'
      - uses: 'google-github-actions/auth@v1'
        with:
          workload_identity_provider: '${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}'
          service_account: '${{ secrets.GCP_SERVICE_ACCOUNT }}'
          audience: '${{ secrets.AUDIENCE }}'

Benefits & Outcomes