September 5, 2025 - This configuration requires the following information that is specific to your GitHub account: <CONDITION>: The conditional access statement that restricts access to the specified repository and branch. The following example creates a workload identity provider named github-example.

# They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. name: List services in GCP on: pull_request: branches: - main permissions: id-token: write jobs: Get_OIDC_ID_token: runs-on: ubuntu-latest steps: - id: 'auth' name: 'Authenticate to GCP' uses: 'google-github-actions/auth@f1e2d3c4b5a6f7e8d9c0b1a2c3d4e5f6a7b8c9d0' with: create_credentials_file: 'true' workload_identity_provider: 'WORKLOAD-IDENTITY-PROVIDER' service_account: 'SERVICE-ACCOUNT' - id: 'gcloud' name: 'gcloud' run: |- gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" gcloud services list

Navigate to the Workload Identity Pools section in the Google Cloud Console and click on Create Pool. Provide a name for your pool, such as github-wif, and then proceed to create it.

However, not all Google Cloud resources support principalSet identities, and the resulting token has a maximum lifetime of 10 minutes. Please see the documentation for your Google Cloud service for more information. ... To generate OAuth 2.0 access tokens or ID tokens, you must provide a service account email, and the Workload Identity Pool must have roles/iam.workloadIdentityUser permissions on the target Google Cloud Service Account.

February 17, 2026 - # .github/workflows/deploy.yml name: Deploy to GCP on: push: branches: [main] # Required for OIDC token generation permissions: contents: read id-token: write jobs: deploy: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 # Authenticate to GCP using Workload Identity Federation - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@v2 with: workload_identity_provider: "projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider" service_account: "[email protected]" # Now you can use gcloud, gsutil, etc.

inputs = { workload_identity_pool_id = "gitlab-ci" workload_identity_pool_display_name = "gitlab-ci" workload_identity_pool_provider_id = "terraform" service_account_name = "gitlab-ci" service_account_display_name = "gitlab-ci" service_account_description = "service account for gitlab-ci" }

August 31, 2023 - Github OIDC Integration with GCP -Workload Identity Federation OpenID Connect, or OIDC in short, is an authentication extension on top of the well known OAuth 2.0 authorization standard. Where OAuth …

For further details on using the google-github-actions/auth action, see Setting up Workload Identity Federation. Edit your .gitlab-ci.yml file and add the following to the job configuration: job: variables: WORKLOAD_IDENTITY_PROJECT_NUMBER: PROJECT_NUMBER WORKLOAD_IDENTITY_POOL: POOL_ID WORKLOAD_IDENTITY_PROVIDER: PROVIDER_ID SERVICE_ACCOUNT: SERVICE_ACCOUNT_EMAIL GOOGLE_APPLICATION_CREDENTIALS: $CI_BUILDS_DIR/.workload_identity.wlconfig id_tokens: WORKLOAD_IDENTITY_TOKEN: aud: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_

February 16, 2026 - In this post, I will walk through the complete setup of workload identity federation between Microsoft Entra ID and GitHub Actions, from creating the app registration to configuring the GitHub workflow. The mechanism is based on OpenID Connect (OIDC) trust. Here is what happens when your GitHub Actions workflow runs: sequenceDiagram participant GH as GitHub Actions participant GHP as GitHub OIDC Provider participant Entra as Microsoft Entra ID participant AZ as Azure Resources GH->>GHP: Request OIDC token GHP->>GH: Issue short-lived JWT GH->>Entra: Exchange JWT for Azure access token Entra->>Entra: Validate JWT against federated credential Entra->>GH: Issue Azure access token GH->>AZ: Access resources with Azure token

4 days ago - The attribute-condition is a CEL expression that filters which tokens are even considered, and this is the single most important security control: it is how you prevent any GitHub repository on the internet from assuming your identity. gcloud iam workload-identity-pools providers create-oidc github-provider \ --location=global \ --workload-identity-pool=github-pool \ --display-name="GitHub OIDC provider" \ --issuer-uri="https://token.actions.githubusercontent.com" \ --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \ --attribute-condition="assertion.repository_owner == 'your-org-name'"

June 29, 2024 - In the Workload Identity Pools section, select the pool you just created (e.g., github-actions-pool). Click Add provider.

Click “Create Identity Provider” to save the configuration. Navigate to IAM → Service Accounts in your Thalassa Cloud Console. Select the service account you want to configure for GitHub Actions federation. Click “Add Federated Identity” or “Workload Identity Federation”.

How to configure GitHub and Workload Identity Federation in GCP - config-gh-and-gcp.sh

December 7, 2021 - To use the new GitHub Actions auth action, you need to set up and configure Workload Identity Federation by creating a Workload Identity Pool and Workload Identity Provider:

January 30, 2025 - Here, we can also define an "Attribute Condition" which is recommended **to be more secure.** This condition specifies when the identity provider should be used based on GitHub repository attributes, for example, repository name, repository owner, actor, and others. We also set up the OIDC settings by providing the correct issuer URI. resource "google_iam_workload_identity_pool_provider" "github" { project = local.project_id workload_identity_pool_id = google_iam_workload_identity_pool.github_pool.workload_identity_pool_id workload_identity_pool_provider_id = "github-provider" attribute_mapping = { "attribute.aud" = "assertion.aud" "google.subject" = "assertion.sub" "attribute.sub" = "assertion.sub" "attribute.actor" = "assertion.actor" "attribute.repository" = "assertion.repository" "attribute.repository_owner" = "assertion.repository_owner" "attribute.ref" = "assertion.ref" }

February 4, 2025 - In your GitHub repository, go to Settings >> Secrets and Variables >> Actions. Create the first secret named WORKLOAD_IDENTITY_PROVIDER whose secret value is the name provided in the IMPORTANT STEP above.

July 7, 2023 - Mappings (GitHub repo → Terraform Cloud Workspace → Google Cloud Service Account → Google Cloud project ) app-repo-dev → app-ws-dev → app-sa-dev → dev-secmik · app-repo-prod → app-ws-prod → app-sa-prod → production-secmik ... In this scenario, we will create a separate workload identity pool to follow Google Cloud best practices which recommends having one-to-one mapping between external identity provider and workload identity pool to prevent subject collisions.

February 17, 2026 - GitHub issues a JWT that identifies the workflow, and GCP exchanges it for a short-lived access token. The identity pool is a container for external identity providers: # Create a Workload Identity Pool gcloud iam workload-identity-pools create "github-pool" \ --location="global" \ --display-name="GitHub Actions Pool" \ --description="Pool for GitHub Actions authentication" \ --project=my-project

First, configure a trust relationship between your user-assigned managed identity or application in Microsoft Entra ID and a GitHub repo in the Microsoft Entra admin center or using Microsoft Graph.