You can configure Digger to use OIDC instead of key-value pairs.
If you have already configured GCP for this, skip to step 5.
1. Create a Workload Identity Pool. A Workload Identity Pool is an umbrella entity for managing access in GCP; the best practice is to have a dedicated pool for each non-GCP environment.
2. Create a Workload Identity Provider. A Workload Identity Provider links an external identity such as GitHub with your Google Cloud account, which lets IAM use tokens from external providers to authorize access to Google Cloud resources.
3. Create a service account with the relevant permissions; this is the account WIF will impersonate. It allows the GitHub Action to impersonate the service account and obtain a token.
4. Create 2 secrets in your Action Secrets with the following names:
   GCP_WORKLOAD_IDENTITY_PROVIDER
   GCP_SERVICE_ACCOUNT
5. Set the EXT env var instead of the usual key pair. See the oidc-gcp-example repo for more detail. Sample config below:
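The workflow fragment below is an added example of how steps 4 and 5 fit together in a GitHub Actions job; it is not taken from the Digger docs or the oidc-gcp-example repo. It assumes the two Action Secrets named above exist, that the provider was created with an attribute condition restricting `assertion.repository` to this repository (so a token from any other repository is rejected), and that the Digger step itself follows with the env var described in step 5. The workflow name, trigger events and job name are illustrative choices.

```yaml
name: digger            # constructed example workflow name
on:
  pull_request:
  issue_comment:
    types: [created]

# The job must be allowed to request an OIDC token, otherwise the auth step
# has nothing to exchange. Keep the remaining scopes to what Digger needs.
permissions:
  id-token: write
  contents: read
  pull-requests: write

jobs:
  digger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the short-lived GitHub OIDC token for short-lived GCP
      # credentials via Workload Identity Federation. No long-lived service
      # account key is stored in the repository.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          # Full resource name, e.g.
          # projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          # Email of the service account from step 3
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      # The Digger step goes here, with the env var from step 5 set in its
      # `env:` block instead of a service account key.
```

Two points worth checking when reviewing such a workflow: `id-token: write` should be granted only to the job that needs it, not at the workflow level for every job, and the Workload Identity Provider's attribute condition, not the workflow, is what prevents another repository's OIDC token from impersonating the service account.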