Github Action and Google Workload Identity
permissions:
  # Read-only access to the repository contents is all the checkout needs.
  contents: read
  # Required so the job may request a GitHub OIDC token for the auth step.
  id-token: write

steps:
  - name: Checkout
    uses: actions/checkout@v2

  # Exchanges the GitHub OIDC token for a GCP access token through
  # Workload Identity Federation; the provider and service account come
  # from repository secrets (see the GCP_* Terraform outputs).
  # NOTE(review): all action refs here are mutable tags; pinning each to a
  # full commit SHA hardens the workflow against a tag being re-pointed.
  - id: auth
    uses: google-github-actions/auth@v0.8.1
    with:
      workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
      service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
      token_format: access_token

  # Artifact Registry takes the access token as the password for the fixed
  # user name "oauth2accesstoken".
  - uses: docker/login-action@v1
    with:
      registry: us-east1-docker.pkg.dev
      username: oauth2accesstoken
      password: ${{ steps.auth.outputs.access_token }}
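# Exchanges the GitHub OIDC token for a GCP access token through
# Workload Identity Federation.
- id: auth
  uses: google-github-actions/auth@v0.8.1
  with:
    workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
    service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
    token_format: access_token

# Logs Helm in to the OCI registry with the token from the auth step.
# The token reaches the shell through an environment variable rather than a
# `${{ }}` expression inside `run`: the expression is expanded before the shell
# starts, so the expanded value would otherwise be written into the generated
# script and the single quotes around it would have to survive whatever the
# token contains. Reading it from the environment avoids both.
- name: Helm login
  env:
    # Helm 3.7 and earlier only enable OCI registry support behind this flag.
    HELM_EXPERIMENTAL_OCI: 1
    GCP_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
  run: |
    echo "$GCP_ACCESS_TOKEN" \
      | helm registry login -u oauth2accesstoken --password-stdin https://us-east1-docker.pkg.dev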
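terraform {
  # Remote state in GCS. The bucket and prefix are supplied at init time
  # (for example with -backend-config), not in this file.
  backend "gcs" {}

  required_providers {
    # Full address rather than the bare "google" shorthand.
    google = {
      source  = "hashicorp/google"
      version = "4.35.0"
    }
    # A `provider "google-beta"` block is configured further down but was not
    # declared here, leaving Terraform to infer the hashicorp/google-beta
    # address on its own. Declared explicitly and held at the same version as
    # the GA provider.
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "4.35.0"
    }
  }
}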
# Workload identity is still in beta
#
# NOTE(review): none of the resources in this file carries
# `provider = google-beta`, so they are created with the default `google`
# provider and this block's `credentials` is not what authenticates them.
# Each resource sets `project` explicitly, so the default provider works with
# ambient credentials (ADC). `var.credentials` presumably holds a
# service-account key; prefer ADC or service-account impersonation over a
# long-lived key if this block is kept -- confirm how the variable is fed.
provider "google-beta" {
  project     = var.project_id
  region      = var.vpc_region
  credentials = var.credentials
}
# GitHub repositories allowed to impersonate the service account. Each entry
# becomes one `attribute.repository/<organization>/<repository>` principalSet
# member in the workload-identity-user binding below.
locals {
  github_repositories = [
    { organization = "sjeandeaux", repository = "me" },
  ]
}
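# Identity that GitHub Actions assumes through Workload Identity Federation.
# This configuration creates no key for it; the workflow obtains tokens via
# the pool provider instead.
resource "google_service_account" "github_sa" {
  project      = var.project_id
  account_id   = "github-sa"
  display_name = "github-sa"
  description  = "Used by Github Actions to push images and artifacts to the registry."
  # Boolean rather than the string "false", consistent with the pool and
  # provider resources below.
  disabled     = false
}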
# Least-privilege role for the CI identity: only what is needed to look up and
# upload Artifact Registry content, no admin or IAM permissions.
resource "google_project_iam_custom_role" "github_role" {
  project     = var.project_id
  role_id     = "github_role"
  title       = "Github Role"
  description = "The required roles for Github"
  permissions = [
    # check whether the image/chart already exists
    "artifactregistry.repositories.downloadArtifacts",
    # push a new image/chart
    "artifactregistry.repositories.uploadArtifacts",
  ]
}
# Workload identity pool that external (GitHub) identities are federated into.
resource "google_iam_workload_identity_pool" "pool" {
  project                   = var.project_id
  workload_identity_pool_id = "workload-identity-pool"
  disabled                  = false
  display_name              = "workload identity pool"
  description               = "Identity pool for github action"
}
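# OIDC provider trusting GitHub's token issuer and mapping token claims onto
# Google attributes.
resource "google_iam_workload_identity_pool_provider" "github_action_provider" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-action-provider"
  display_name                       = "Github Action Provider"
  description                        = "Github identity pool provider for github action"
  disabled                           = false

  # `attribute.repository` is what the service-account IAM binding filters on.
  # `attribute.repository_owner` is mapped so the condition below (and any
  # future binding) can refer to it.
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  # Without a condition the provider accepts a token from any GitHub
  # repository and only the IAM binding narrows what it may do. Restricting
  # the provider to the organizations listed in local.github_repositories
  # means a binding granted too broadly (for example on the whole pool) would
  # still only admit identities from those organizations.
  attribute_condition = join(" || ", distinct([
    for repo in local.github_repositories :
    "assertion.repository_owner == '${repo.organization}'"
  ]))

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}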
# Lets the listed federated identities impersonate github_sa.
# One principalSet per repository: a token whose mapped attribute.repository
# equals "<organization>/<repository>" is admitted. This binding is
# authoritative for roles/iam.workloadIdentityUser on the service account.
resource "google_service_account_iam_binding" "github_sa_iam" {
  service_account_id = google_service_account.github_sa.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    for repo in local.github_repositories :
    format(
      "principalSet://iam.googleapis.com/%s/attribute.repository/%s/%s",
      google_iam_workload_identity_pool.pool.name,
      repo.organization,
      repo.repository,
    )
  ]
}
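# Grants the custom role to the CI service account at project level.
resource "google_project_iam_member" "github_sa_member" {
  project = var.project_id
  role    = google_project_iam_custom_role.github_role.id
  # Reference the managed resource instead of re-spelling the email: this keeps
  # the member in sync with account_id and gives Terraform the dependency so the
  # grant is applied after the service account exists.
  member  = "serviceAccount:${google_service_account.github_sa.email}"
}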
# Full resource name of the pool provider; the value of the
# `workload_identity_provider` input of google-github-actions/auth.
output "GCP_WORKLOAD_IDENTITY_PROVIDER" {
  description = "It should be added to https://github.com/<organization>/<repository>/settings/secrets/actions/new"
  value       = google_iam_workload_identity_pool_provider.github_action_provider.name
}
# Email of the service account to impersonate; the value of the
# `service_account` input of google-github-actions/auth.
output "GCP_SERVICE_ACCOUNT" {
  description = "It should be added to https://github.com/<organization>/<repository>/settings/secrets/actions/new"
  value       = google_service_account.github_sa.email
}