How to log into GCP via GitHub Actions

We use workload identity federation pools to connect to our GCP projects from GitHub Actions workflows, so no long-lived service account keys are stored in GitHub.

To sign in from a new repo, first add the repo name to the list in github_actions_identity_federation in trially-infra. Only repos on that list are allowed to impersonate the runner service account:

github_actions_identity_federation = GithubWorkloadIdentity(
    f"gh-actions-runner-{environment}",
    f"gh-actions-runner-{environment}",
    general_github_runner_sa.sa.name,
    [
        "trially-demo",
        "meltano-pipelines",
        "elt-ingest-pipelines",
        "elt-transform-pipelines",
        # ----> Add new repo here <-----
    ],
)

Once that change is deployed, add the following two configuration blocks to your workflow file.

jobs:
  your-job-name:
    permissions:
      id-token: write
      contents: read

Setting id-token: write lets the workflow request an OIDC token from GitHub's OIDC provider; that token is what the auth step below exchanges for GCP credentials.

With contents: read, the workflow can read the repository's code and files (e.g., check out the source) but cannot perform operations that modify the repository (e.g., pushing changes, creating releases).

- id: auth
  name: Login to Google Cloud
  uses: google-github-actions/auth@v0.5.0
  with:
    token_format: access_token
    workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
    service_account: ${{ env.SERVICE_ACCOUNT }}

This block configures the GitHub Actions runner to impersonate a specified GCP service account, enabling subsequent steps in the workflow to securely access and manipulate GCP resources.
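Putting the two blocks together, here is a complete workflow that logs in and then confirms which service account the runner is acting as. This is an added example, not a workflow from the original page or from trially-infra; the env values, job name and branch are placeholders you replace with your project's own.

```yaml
name: gcp-auth-example

# Narrow trigger: the OIDC token carries the ref that triggered the run,
# so limiting triggers keeps the identity claims predictable.
on:
  push:
    branches: [main]

# Placeholder values (assumed); take the real ones from trially-infra.
env:
  WORKLOAD_IDENTITY_PROVIDER: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
  SERVICE_ACCOUNT: SA_NAME@PROJECT_ID.iam.gserviceaccount.com

jobs:
  your-job-name:
    runs-on: ubuntu-latest
    # Least privilege: only what OIDC login and a checkout need.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - id: auth
        name: Login to Google Cloud
        uses: google-github-actions/auth@v0.5.0
        with:
          token_format: access_token
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}

      # Makes gcloud pick up the credentials the auth step wrote.
      - name: Set up gcloud
        uses: google-github-actions/setup-gcloud@v2

      # Sanity check: the account printed here must equal SERVICE_ACCOUNT.
      # If the repo is missing from github_actions_identity_federation,
      # the auth step above fails with a permission-denied error from the
      # token exchange and this step never runs.
      - name: Show the identity this job is running as
        run: gcloud auth list --filter=status:ACTIVE --format="value(account)"

      # The short-lived access token is also exposed as a step output for
      # tools that do not use gcloud; pass it via env, never on the command line.
      - name: Use the access token directly
        env:
          GCP_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: test -n "$GCP_TOKEN" && echo "access token received"
```

The access token expires after a short time, so obtain it in the same job that uses it rather than passing it between jobs.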