Fix readme

This commit is contained in:
Seth Vargo 2021-09-20 21:03:00 -04:00
parent ddb73aed67
commit 03500c2f23
No known key found for this signature in database
GPG Key ID: C921994F9C27E0FF


@ -39,7 +39,7 @@ jobs:
steps: steps:
- id: 'google-cloud-auth' - id: 'google-cloud-auth'
name: 'Authenticate to Google Cloud' name: 'Authenticate to Google Cloud'
uses: 'github.com/sethvargo/oidc-auth-google-cloud' uses: 'sethvargo/oidc-auth-google-cloud@v0.2.0'
with: with:
token_format: 'access_token' token_format: 'access_token'
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
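Review bot: the new `uses: 'sethvargo/oidc-auth-google-cloud@v0.2.0'` is the valid `owner/repo@ref` form; the old `github.com/sethvargo/oidc-auth-google-cloud` value carried no ref and is not a target GitHub Actions accepts. Since readers will paste this workflow into pipelines that mint cloud credentials, consider recommending a full commit SHA as the ref (tags can be moved) with the version noted in a comment.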
@ -141,6 +141,13 @@ the [gcloud][gcloud] command-line tool.
purposes, you could grant access to a Google Secret Manager secret or Google purposes, you could grant access to a Google Secret Manager secret or Google
Cloud Storage object. Cloud Storage object.
1. Enable the IAM Credentials API:
```sh
gcloud services enable iamcredentials.googleapis.com \
--project "${PROJECT_ID}"
```
1. Create a Workload Identity Pool: 1. Create a Workload Identity Pool:
```sh ```sh
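Review bot: the added "Enable the IAM Credentials API" step closes a real gap, because the `token_format: 'access_token'` flow shown in the workflow example above depends on `iamcredentials.googleapis.com`; consider saying so in the step text so readers know why it is required rather than treating it as boilerplate.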
@ -150,6 +157,22 @@ the [gcloud][gcloud] command-line tool.
--display-name="Demo pool" --display-name="Demo pool"
``` ```
1. Get the full ID of the Workload Identity Pool:
```sh
gcloud iam workload-identity-pools describe "my-pool" \
--project="${PROJECT_ID}" \
--location="global" \
--format="value(name)"
```
Save this value as an environment variable:
```sh
export WORKLOAD_IDENTITY_POOL_ID="..." # value from above
```
1. Create a Workload Identity Provider in that pool: 1. Create a Workload Identity Provider in that pool:
```sh ```sh
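Review bot: `export WORKLOAD_IDENTITY_POOL_ID="..." # value from above` asks the reader to hand-copy a long `projects/.../workloadIdentityPools/my-pool` resource name; suggest capturing it directly instead, e.g. `export WORKLOAD_IDENTITY_POOL_ID="$(gcloud iam workload-identity-pools describe "my-pool" --project="${PROJECT_ID}" --location="global" --format="value(name)")"`, which removes a copy/paste mistake that would otherwise only surface later as a failing IAM binding.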
@ -201,8 +224,9 @@ the [gcloud][gcloud] command-line tool.
```sh ```sh
gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \ gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \ --role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_PROVIDER_ID}/*" --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/*"
``` ```
To map to a specific repository: To map to a specific repository:
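Review bot: the corrected member `principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/*` is the right resource for the wildcard form (it is scoped to the pool, not the provider), but it grants `roles/iam.workloadIdentityUser`, and so impersonation of the service account, to every identity the pool's providers accept. Because this README is what users will copy, consider labelling this binding as demo-only and leading with the repository-scoped binding that follows, or at least spelling out that with a GitHub provider the `*` member is not limited to the reader's own repositories.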
@ -210,7 +234,7 @@ the [gcloud][gcloud] command-line tool.
```sh ```sh
gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \ gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.workloadIdentityUser" \ --role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_PROVIDER_ID}/attribute.repo/my-repo" --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/username/repo"
``` ```
1. Use this GitHub Action with the Workload Identity Provider ID and Service 1. Use this GitHub Action with the Workload Identity Provider ID and Service
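Review bot: this command lacks the `--project="${PROJECT_ID}"` flag the previous hunk adds to the otherwise identical pool-wide binding, so gcloud will fall back to the active configuration's project and the two snippets can silently target different projects; add the flag here too. Also, `attribute.repository/username/repo` only resolves if the provider's attribute mapping defines `attribute.repository`, so the provider-creation step should show that mapping explicitly, and `username/repo` should be marked as a placeholder to replace.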
@ -219,6 +243,9 @@ the [gcloud][gcloud] command-line tool.
is correct). This all happens without exporting a Google Cloud service is correct). This all happens without exporting a Google Cloud service
account key JSON! account key JSON!
Note: It can take **up to 5 minutes** from when you configure the Workload
Identity Pool mapping until the permissions are available.
## GitHub Token Format ## GitHub Token Format
Here is a sample GitHub Token for reference for attribute mappings: Here is a sample GitHub Token for reference for attribute mappings:
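Review bot: the propagation note is a good addition; consider also stating that a failed authentication in the first minutes after running the binding commands is expected during that window, so readers do not start reworking a correct binding.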