
Commit 3d8df9f

Add support for Direct Workload Identity auth
This adds a new authentication mode, Direct Workload Identity Federation. This new mode permits authenticating to Google Cloud directly using the GitHub Actions OIDC token instead of proxying through a Google Cloud Service Account.
1 parent f105ef0 commit 3d8df9f

24 files changed

+2074
-1243
lines changed

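--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -8,4 +8,9 @@ module.exports = {
 'plugin:@typescript-eslint/recommended',
 'plugin:prettier/recommended',
 ],
+
+// We have many situations where we accept and expect arbitrary JSON payloads.
+rules: {
+'@typescript-eslint/no-explicit-any': 'off',
+},
 };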
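Review bot: Switching `@typescript-eslint/no-explicit-any` to `'off'` at new line 14 disables the check for every file in the project, while the comment above it justifies the change only for arbitrary JSON payloads. For values whose shape is unknown until runtime, `unknown` with a narrowing step at the parse site keeps the same flexibility and still makes the compiler insist that a payload is validated before its fields are used, which matters in code that handles credentials. If the project-wide switch-off is deliberate, the comment should say so, e.g. `// Disabled project-wide, not only at JSON-payload boundaries; prefer unknown + narrowing for new code.`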

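--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -48,9 +48,13 @@ jobs:
 - name: 'npm test'
 run: 'npm run test'
 
-credentials_json:
+
+#
+# Direct Workload Identity Federation
+#
+direct_workload_identity_federation:
 if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
-name: 'credentials_json'
+name: 'direct_workload_identity_federation'
 runs-on: '${{ matrix.os }}'
 strategy:
 fail-fast: false
@@ -60,6 +64,9 @@ jobs:
 - 'windows-latest'
 - 'macos-latest'
 
+permissions:
+id-token: 'write'
+
 steps:
 - uses: 'actions/checkout@v4'
 
@@ -74,11 +81,60 @@ jobs:
 name: 'auth-default'
 uses: './'
 with:
-credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
+project_id: '${{ vars.PROJECT_ID }}'
+workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+
+- id: 'gcloud'
+name: 'gcloud'
+shell: 'bash'
+run: |-
+gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
+
+- id: 'oauth-federated-token'
+name: 'oauth-federated-token'
+shell: 'bash'
+run: |-
+curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-default.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
+--silent \
+--show-error \
+--fail \
+--header "Authorization: Bearer ${{ steps.auth-default.outputs.auth_token }}"
+
+
+#
+# Workload Identity Federation through a Service Account
+#
+workload_identity_federation_through_service_account:
+if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
+name: 'workload_identity_federation_through_service_account'
+runs-on: '${{ matrix.os }}'
+strategy:
+fail-fast: false
+matrix:
+os:
+- 'ubuntu-latest'
+- 'windows-latest'
+- 'macos-latest'
+
+permissions:
+id-token: 'write'
+
+steps:
+- uses: 'actions/checkout@v4'
+
+- uses: 'actions/setup-node@v4'
+with:
+node-version: '20.x'
+
+- name: 'npm build'
+run: 'npm ci && npm run build'
 
-- id: 'setup-gcloud'
-name: 'setup-gcloud'
-uses: 'google-github-actions/setup-gcloud@main'
+- id: 'auth-default'
+name: 'auth-default'
+uses: './'
+with:
+workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
 
 - id: 'gcloud'
 name: 'gcloud'
@@ -90,11 +146,12 @@ jobs:
 name: 'auth-access-token'
 uses: './'
 with:
-credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
+workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
 token_format: 'access_token'
 
-- id: 'access-token'
-name: 'access-token'
+- id: 'oauth-token'
+name: 'oauth-token'
 shell: 'bash'
 run: |-
 curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
@@ -103,27 +160,23 @@ jobs:
 --fail \
 --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
 
-- id: 'auth-id-token'
-name: 'auth-id-token'
+- id: 'id-token'
+name: 'id-token'
 uses: './'
 with:
-credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
+workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
 token_format: 'id_token'
 id_token_audience: 'https://secretmanager.googleapis.com/'
 id_token_include_email: true
 
-- id: 'auth-sa-retries'
-name: 'auth-sa-retries'
-uses: './'
-with:
-retries: '2'
-backoff: '200'
-backoff_limit: '1000'
-credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
 
-workload_identity_federation:
+#
+# Service Account Key JSON
+#
+credentials_json:
 if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
-name: 'workload_identity_federation'
+name: 'credentials_json'
 runs-on: '${{ matrix.os }}'
 strategy:
 fail-fast: false
@@ -133,9 +186,6 @@ jobs:
 - 'windows-latest'
 - 'macos-latest'
 
-permissions:
-id-token: 'write'
-
 steps:
 - uses: 'actions/checkout@v4'
 
@@ -150,12 +200,7 @@ jobs:
 name: 'auth-default'
 uses: './'
 with:
-workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-
-- id: 'setup-gcloud'
-name: 'setup-gcloud'
-uses: 'google-github-actions/setup-gcloud@main'
+credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
 
 - id: 'gcloud'
 name: 'gcloud'
@@ -167,8 +212,7 @@ jobs:
 name: 'auth-access-token'
 uses: './'
 with:
-workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
 token_format: 'access_token'
 
 - id: 'access-token'
@@ -185,26 +229,26 @@ jobs:
 name: 'auth-id-token'
 uses: './'
 with:
-workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
 token_format: 'id_token'
 id_token_audience: 'https://secretmanager.googleapis.com/'
 id_token_include_email: true
 
-- id: 'auth-wif-retries'
-name: 'auth-wif-retries'
+- id: 'auth-sa-retries'
+name: 'auth-sa-retries'
 uses: './'
 with:
 retries: '2'
 backoff: '200'
 backoff_limit: '1000'
-workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
 
+#
 # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
 # variable is shared with the container and that the path of the file is on
 # the shared filesystem with the container and that the USER for the container
 # has permissions to read the file.
+#
 docker:
 if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
 name: 'docker'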
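Review bot: In the new `oauth-federated-token` step of the direct WIF job (hunk `@@ -74,11 +81,60 @@`, new lines 97–101), `${{ steps.auth-default.outputs.auth_token }}`, `${{ steps.auth-default.outputs.project_id }}` and `${{ vars.SECRET_NAME }}` are expanded into the script text before bash runs, so the bearer token is part of the rendered command the runner echoes into the step log unless the action registers that output as a secret; passing them through `env:` keeps the token out of the script text and removes the shell-quoting hazards of inline expressions, and the `gcloud` step's `run:` at new line 91 would get the same treatment. These values come from repository variables and this action's own outputs rather than PR-controlled data, and the job's `if:` limits it to pushes and same-repo PRs, so this is a hardening point rather than an injection finding. The pre-existing `oauth-token` and `access-token` steps in the other jobs use the same inline form, so the `env:` pattern could be applied across the file in a follow-up.
```yaml
- id: 'oauth-federated-token'
  # … unchanged: name, shell …
  env:
    PROJECT_ID: '${{ steps.auth-default.outputs.project_id }}'
    SECRET_NAME: '${{ vars.SECRET_NAME }}'
    AUTH_TOKEN: '${{ steps.auth-default.outputs.auth_token }}'
  run: |-
    curl "https://secretmanager.googleapis.com/v1/projects/${PROJECT_ID}/secrets/${SECRET_NAME}/versions/latest:access" \
      --silent --show-error --fail \
      --header "Authorization: Bearer ${AUTH_TOKEN}"
```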
