1. Create a Workload Identity Pool
A Workload Identity Pool is an umbrella entity for managing external access in GCP. The best practice is to have a dedicated pool for each non-GCP environment.
2. Create a Workload Identity Provider
A Workload Identity Provider links an external identity provider such as GitHub with your Google Cloud account. This lets IAM use tokens issued by the external provider to authorize access to Google Cloud resources.
3. Create a Service Account and bind policies
A service account with the relevant permissions is the identity that WIF impersonates. Binding it allows the GitHub Action to impersonate the service account and obtain a token for it.
4. Add secrets to GitHub
Create 2 secrets in your Action Secrets with the following names:
- GCP_WORKLOAD_IDENTITY_PROVIDER
- GCP_SERVICE_ACCOUNT
5. Configure Digger workflow to use federated access
Set the EXT env var instead of the usual key pair. See the oidc-gcp-example repo for more detail. Sample config below:
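Steps 1 to 4 above as gcloud commands, added here as an example; this is not code from the original page or from the Digger project. The project, pool, provider, service-account and repository values are placeholders, and the attribute condition and repository-scoped binding are the two settings that keep other GitHub repositories from impersonating the account.

```shell
#!/usr/bin/env sh
# Added example (not the page's or Digger's code): steps 1-4 above as gcloud
# commands. All values are placeholders; override them via the environment
# and run with WIF_APPLY=1 to execute (default only prints the commands).
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # numeric project number
GITHUB_ORG="${GITHUB_ORG:-my-org}"
GITHUB_REPO="${GITHUB_REPO:-my-org/my-infra-repo}" # "owner/name"
POOL_ID="${POOL_ID:-github-pool}"
PROVIDER_ID="${PROVIDER_ID:-github-provider}"
SA_ID="${SA_ID:-digger-deployer}"
SA_EMAIL="$SA_ID@$PROJECT_ID.iam.gserviceaccount.com"

# Value for the GCP_WORKLOAD_IDENTITY_PROVIDER secret (step 4).
wif_provider_name() {
  echo "projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID"
}

# Principal allowed to impersonate the service account: only tokens whose
# mapped repository attribute equals our repo, not every identity in the pool.
wif_member() {
  echo "principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/attribute.repository/$GITHUB_REPO"
}

# Print each command; execute it only when WIF_APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "${WIF_APPLY:-0}" = "1" ]; then "$@"; fi
}

# 1. A dedicated pool for the GitHub Actions environment.
run gcloud iam workload-identity-pools create "$POOL_ID" \
  --project="$PROJECT_ID" --location=global --display-name="GitHub Actions"
# 2. OIDC provider for GitHub. The attribute condition rejects tokens from
#    other GitHub organisations before any IAM binding is evaluated.
run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
  --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.actor=assertion.actor" \
  --attribute-condition="assertion.repository_owner == '$GITHUB_ORG'"
# 3. Service account Digger impersonates, bound so that only this repo's
#    workflows may obtain its token (grant its Terraform roles separately).
run gcloud iam service-accounts create "$SA_ID" --project="$PROJECT_ID"
run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
  --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser \
  --member="$(wif_member)"
# 4. Values to store in the two GitHub Action secrets.
echo "GCP_WORKLOAD_IDENTITY_PROVIDER=$(wif_provider_name)"
echo "GCP_SERVICE_ACCOUNT=$SA_EMAIL"
```

Run it once without WIF_APPLY to review the exact commands and the secret values it derives, then with WIF_APPLY=1 under an account that can administer IAM in the project.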
This article is based on this post by Pradeep Kumar Singh