Authenticate with Google Workload Identity Federation / OpenID Connect #146
Comments
This is already supported as the auth writes the credentials file by default:

```yaml
- id: auth
  uses: google-github-actions/auth@v0
  with:
    workload_identity_provider: <provider>
    service_account: <service-account>
- uses: r0adkll/upload-google-play@v1
  with:
    serviceAccountJson: ${{ steps.auth.outputs.credentials_file_path }}
```
I wonder if we can auto-detect when this is used? If not, there's probably no changes needed.
To detect if Google

More detail on the above check - auth documentation states that by default several environment variables are exported by default including

At a minimum it would be nice to have the above snippet from @StuClift documented.
The google-github-actions/auth seems to set three environment variables with the credential file path: CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, GOOGLE_APPLICATION_CREDENTIALS and GOOGLE_GHA_CREDS_PATH. r0adkll/upload-google-play seems to set GOOGLE_APPLICATION_CREDENTIALS. This environment variable is used by the @googleapis/androidpublisher via the google-auth-library as the default credential.

Reading on the documentation and source, I think instead of setting the GOOGLE_APPLICATION_CREDENTIALS environment variable, for

That should support the google-github-actions/auth as well as any gcloud cli logins. Perhaps someone could run the GitHub runner on Google Cloud, so it might have also attached service accounts which would get supported.
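
The auto-detection discussed in the comments above, as an added example that is not code from r0adkll/upload-google-play or google-github-actions/auth. The function names, the lookup order and the injected `readFile` helper are assumptions; the environment variable names are the ones listed in the thread, and the `type` field distinguishes a Workload Identity Federation credential configuration (`external_account`) from an exported service account key (`service_account`).

```javascript
// Added example. Variable names come from the thread; the lookup order is an assumption.
const CREDENTIAL_ENV_VARS = ['GOOGLE_GHA_CREDS_PATH', 'GOOGLE_APPLICATION_CREDENTIALS',
  'CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE'];

// Google credential files carry a "type" field: "external_account" for Workload
// Identity Federation, "service_account" for an exported long-lived key.
function classifyCredential(jsonText) {
  let parsed;
  try { parsed = JSON.parse(jsonText); } catch (err) { return 'invalid'; }
  if (parsed === null || typeof parsed !== 'object') return 'invalid';
  if (parsed.type === 'external_account') return 'workload-identity-federation';
  if (parsed.type === 'service_account') return 'service-account-key';
  return 'unknown';
}

// explicitPath: value of the serviceAccountJson input (may be empty).
// env: a process.env-like object. readFile: path -> string; in a real action
// this would wrap fs.readFileSync(path, 'utf8') (hypothetical wiring).
function resolveCredentials(explicitPath, env, readFile) {
  const candidates = [];
  if (explicitPath) candidates.push({ source: 'input:serviceAccountJson', path: explicitPath });
  for (const name of CREDENTIAL_ENV_VARS) {
    if (env[name]) candidates.push({ source: `env:${name}`, path: env[name] });
  }
  for (const c of candidates) {
    let text;
    // A variable can be set while its file is missing or unreadable: try the next one.
    try { text = readFile(c.path); } catch (err) { continue; }
    return { ...c, kind: classifyCredential(text) };
  }
  return null; // nothing detected: the caller should fail with a clear message
}

// Constructed sample: an in-memory "file system" holding no real secrets.
const sampleFiles = {
  '/tmp/gha-creds-constructed.json': JSON.stringify({ type: 'external_account' }),
  '/tmp/key-constructed.json': JSON.stringify({ type: 'service_account' }),
};
function sampleRead(path) {
  if (!(path in sampleFiles)) throw new Error(`ENOENT: ${path}`);
  return sampleFiles[path];
}

console.log(resolveCredentials('', { GOOGLE_GHA_CREDS_PATH: '/tmp/gha-creds-constructed.json' }, sampleRead));
```

The returned `kind` lets a workflow log or reject runs that still rely on a long-lived key file after the move to federation.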
Please support authenticating with the Google recommended Workload Identity Federation instead of using a Cloud Service Account Key JSON secret text/file. GitHub supports it as OpenID Connect.
Google has created a GitHub Action auth that establishes the authentication session with Google Cloud. We are now using this for our deployments to Google Cloud using the action setup-gcloud. It works great - no more secrets needed.