Using Open ID Connect to authenticate to GCP from GitHub
Note — if you’re here to find a repository with preconfigured code it can be found here.
I recently wrote an article on how to do this with AWS, but wanted to share how to do it in GCP too.
OpenID Connect is a layer on top of the OAuth2.0 protocol. I’m using it between GitHub and GCP to exchange information that ultimately results in a token being generated that GitHub can then exchange for temporary access using a service account.
The Open ID Connect provider in GCP is configured to access the GitHub URL, and includes an attribute to limit down the GitHub Organisation and Repository that can access it.
Once that’s created a service account that can be assumed by GitHub is required, along with appropriate permissions for the role to undertake the task you want within your account (for my demo I’ve just used owner).
Putting it all together….
To check it all works I’ve then used a GitHub Action to login to GCP using the google-github-actions action and deploy a pub/sub topic. I’ve created this resource using the gcloud cli for simplicity, however once logged in you’re free to deploy with whatever you want, you can run Terraform, Python whatever your deployment tool of choice is….
If you’re interesting in using Open ID Connect with GCP I’ve created a demo repository which uses Terraform to create the resources I’ve described above and has the GitHub action pipeline I’ve used to test. Instructions on how to use are in the readme. GitHub’s instructions on how to set this up can be found here.