# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: 'Authenticate to Google Cloud' author: 'Google LLC' description: |- Generate credentials to authenticate to Google Cloud from GitHub Actions using an OIDC token and Workload Identity Federation. inputs: workload_identity_provider: description: |- The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name. This must be the full identifier which includes all parts, for example: "projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider". required: true service_account: description: |- Email address or unique identifier of the Google Cloud service account for which to generate credentials. required: true audience: description: |- The value for the audience (aud) parameter in GitHub's generated OIDC token. This value defaults to the value of workload_identity_provider, which is also the default value Google Cloud expects for the audience parameter on the token. default: '' required: false create_credentials_file: description: |- If true, the action will securely generate a credentials file which can be used for authentication via gcloud and Google Cloud SDKs. default: false required: false activate_credentials_file: description: |- If true and create_credentials_file is also true, this will set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path to the credentials file, which gcloud and Google Cloud SDKs automatically consume. default: true required: false token_format: description: |- Output format for the generated authentication token. For OAuth 2.0 access tokens, specify "access_token". For OIDC tokens, specify "id_token". To skip token generation, leave this value empty. default: '' required: false delegates: description: |- List of additional service account emails or unique identities to use for impersonation in the chain. default: '' required: false # access token params access_token_lifetime: description: |- Desired lifetime duration of the access token, in seconds. This must be specified as the number of seconds with a trailing "s" (e.g. 30s). This is only valid when "token_format" is "access_token". default: '3600s' required: false access_token_scopes: description: |- List of OAuth 2.0 access scopes to be included in the generated token. This is only valid when "token_format" is "access_token". default: 'https://www.googleapis.com/auth/cloud-platform' required: false # id token params id_token_audience: description: |- The audience (aud) for the generated Google Cloud ID Token. This is only valid when "token_format" is "id_token". default: '' required: false id_token_include_email: description: |- Optional parameter of whether to include the service account email in the generated token. If true, the token will contain "email" and "email_verified" claims. This is only valid when "token_format" is "id_token". default: false required: false outputs: credentials_file_path: description: |- Path on the local filesystem where the generated credentials file resides. This is only available if "create_credentials_file" was set to true. access_token: description: |- The Google Cloud access token for calling other Google Cloud APIs. This is only available when "token_format" is "access_token". access_token_expiration: description: |- The RFC3339 UTC "Zulu" format timestamp for the access token. This is only available when "token_format" is "access_token". id_token: description: |- The Google Cloud ID token. This is only available when "token_format" is "id_token". branding: icon: 'lock' color: 'blue' runs: using: 'node12' main: 'dist/index.js'