actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
f3c3e206c9
auth/action.yml
Seth Vargo f3c3e206c9
Default audience to the WIF provider ID (#23)
2021-10-04 09:14:08 -07:00

126 lines
4.5 KiB
YAML
Raw Blame History

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: 'Authenticate to Google Cloud'
author: 'Google LLC'
description: |-
Generate credentials to authenticate to Google Cloud from GitHub Actions using
an OIDC token and Workload Identity Federation.
inputs:
workload_identity_provider:
description: |-
The full identifier of the Workload Identity Provider, including the
project number, pool name, and provider name. This must be the full
identifier which includes all parts, for example:
"projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider".
required: true
service_account:
description: |-
Email address or unique identifier of the Google Cloud service account for
which to generate credentials.
required: true
audience:
description: |-
The value for the audience (aud) parameter in GitHub's generated OIDC
token. This value defaults to the value of workload_identity_provider,
which is also the default value Google Cloud expects for the audience
parameter on the token.
default: ''
required: false
create_credentials_file:
description: |-
If true, the action will securely generate a credentials file which can be
used for authentication via gcloud and Google Cloud SDKs.
default: false
required: false
activate_credentials_file:
description: |-
If true and create_credentials_file is also true, this will set the
GOOGLE_APPLICATION_CREDENTIALS environment variable to the path to the
credentials file, which gcloud and Google Cloud SDKs automatically
consume.
default: true
required: false
token_format:
description: |-
Output format for the generated authentication token. For OAuth 2.0 access
tokens, specify "access_token". For OIDC tokens, specify "id_token". To
skip token generation, leave this value empty.
default: ''
required: false
delegates:
description: |-
List of additional service account emails or unique identities to use for
impersonation in the chain.
default: ''
required: false
# access token params
access_token_lifetime:
description: |-
Desired lifetime duration of the access token, in seconds. This must be
specified as the number of seconds with a trailing "s" (e.g. 30s). This is
only valid when "token_format" is "access_token".
default: '3600s'
required: false
access_token_scopes:
description: |-
List of OAuth 2.0 access scopes to be included in the generated token.
This is only valid when "token_format" is "access_token".
default: 'https://www.googleapis.com/auth/cloud-platform'
required: false
# id token params
id_token_audience:
description: |-
The audience (aud) for the generated Google Cloud ID Token. This is only
valid when "token_format" is "id_token".
default: ''
required: false
id_token_include_email:
description: |-
Optional parameter of whether to include the service account email in the
generated token. If true, the token will contain "email" and
"email_verified" claims. This is only valid when "token_format" is
"id_token".
default: false
required: false
outputs:
credentials_file_path:
description: |-
Path on the local filesystem where the generated credentials file resides.
This is only available if "create_credentials_file" was set to true.
access_token:
description: |-
The Google Cloud access token for calling other Google Cloud APIs. This is
only available when "token_format" is "access_token".
access_token_expiration:
description: |-
The RFC3339 UTC "Zulu" format timestamp for the access token. This is only
available when "token_format" is "access_token".
id_token:
description: |-
The Google Cloud ID token. This is only available when "token_format" is
"id_token".
branding:
icon: 'lock'
color: 'blue'
runs:
using: 'node12'
main: 'dist/index.js'
Reference in New Issue View Git Blame Copy Permalink