HashiCorp
developer.hashicorp.com › hashicorp cloud platform › documentation › hashicorp cloud platform › service principals › workload identity federation › github
Federate workload identity with GitHub | HashiCorp Cloud Platform | HashiCorp Developer
September 5, 2025 - This configuration requires the following information that is specific to your GitHub account: <CONDITION>: The conditional access statement that restricts access to the specified repository and branch. The following example creates a workload identity provider named github-example.
GitHub
docs.github.com › en › actions › security-for-github-actions › security-hardening-your-deployments › configuring-openid-connect-in-google-cloud-platform
Configuring OpenID Connect in Google Cloud Platform - GitHub Docs
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: List services in GCP

on:
  pull_request:
    branches:
      - main

permissions:
  id-token: write

jobs:
  Get_OIDC_ID_token:
    runs-on: ubuntu-latest
    steps:
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/auth@f1e2d3c4b5a6f7e8d9c0b1a2c3d4e5f6a7b8c9d0'
      with:
        create_credentials_file: 'true'
        workload_identity_provider: 'WORKLOAD-IDENTITY-PROVIDER'
        service_account: 'SERVICE-ACCOUNT'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        gcloud services list
What is the difference between Workload Identity Federation and Workload Identity Federation for GKE?
WIF is the general product for external workloads like GitHub Actions authenticating to GCP. WIF for GKE is a specialized version for Kubernetes ServiceAccounts where GCP manages the pool automatically. They share STS but are configured differently.
computingforgeeks.com
computingforgeeks.com › home › set up gcp workload identity federation for github actions (2026)
GCP Workload Identity Federation for GitHub Actions (2026)
How does WIF for GitHub Actions compare to the AWS OIDC equivalent?
Similar concept. AWS uses an IAM OIDC provider plus an IAM role with a trust policy. GCP uses a pool, provider, and optional service account chain. Both produce short-lived cloud credentials from the GitHub OIDC token with no static keys.
computingforgeeks.com
computingforgeeks.com › home › set up gcp workload identity federation for github actions (2026)
GCP Workload Identity Federation for GitHub Actions (2026)
Can WIF work with self-hosted GitHub Actions runners?
Yes. Self-hosted runners receive the same OIDC token from GitHub. The caveat is they also have their own VM-level identity, which can complicate the security model. Use WIF exclusively for consistency.
computingforgeeks.com
computingforgeeks.com › home › set up gcp workload identity federation for github actions (2026)
GCP Workload Identity Federation for GitHub Actions (2026)
OneUptime
oneuptime.com › home › blog › set up workload identity federation for github actions to access gcp resources
Set Up Workload Identity Federation for GitHub Actions to Access GCP Resources
February 17, 2026 -
# .github/workflows/deploy.yml
name: Deploy to GCP

on:
  push:
    branches: [main]

# Required for OIDC token generation
permissions:
  contents: read
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Authenticate to GCP using Workload Identity Federation
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: "projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
          service_account: "[email protected]"

      # Now you can use gcloud, gsutil, etc.
GitHub
github.com › google-github-actions › auth
GitHub - google-github-actions/auth: A GitHub Action for authenticating to Google Cloud. · GitHub
However, not all Google Cloud resources support principalSet identities, and the resulting token has a maximum lifetime of 10 minutes. Please see the documentation for your Google Cloud service for more information. ... To generate OAuth 2.0 access tokens or ID tokens, you must provide a service account email, and the Workload Identity Pool must have roles/iam.workloadIdentityUser permissions on the target Google Cloud Service Account.
Starred by 1.3K users
Forked by 294 users
Languages TypeScript 98.8% | JavaScript 1.2%
Google Cloud
cloud.google.com › iam › identity and access management (iam) › configure workload identity federation with deployment pipelines
Configure Workload Identity Federation with deployment pipelines | Identity and Access Management (IAM) | Google Cloud Documentation
For further details on using the google-github-actions/auth action, see Setting up Workload Identity Federation. Edit your .gitlab-ci.yml file and add the following to the job configuration:
job:
  variables:
    WORKLOAD_IDENTITY_PROJECT_NUMBER: PROJECT_NUMBER
    WORKLOAD_IDENTITY_POOL: POOL_ID
    WORKLOAD_IDENTITY_PROVIDER: PROVIDER_ID
    SERVICE_ACCOUNT: SERVICE_ACCOUNT_EMAIL
    GOOGLE_APPLICATION_CREDENTIALS: $CI_BUILDS_DIR/.workload_identity.wlconfig
  id_tokens:
    WORKLOAD_IDENTITY_TOKEN:
      aud: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_
GitHub
github.com › ankitcharolia › workload-identity-federation
GitHub - ankitcharolia/workload-identity-federation: Configure OpenID Connect with GCP Workload Identity Federation · GitHub
inputs = {
  workload_identity_pool_id           = "gitlab-ci"
  workload_identity_pool_display_name = "gitlab-ci"
  workload_identity_pool_provider_id  = "terraform"
  service_account_name                = "gitlab-ci"
  service_account_display_name        = "gitlab-ci"
  service_account_description         = "service account for gitlab-ci"
}
Author ankitcharolia
OneUptime
oneuptime.com › home › blog › how to configure microsoft entra workload identity federation for github
How to Configure Microsoft Entra Workload Identity Federation for GitHub
February 16, 2026 - In this post, I will walk through the complete setup of workload identity federation between Microsoft Entra ID and GitHub Actions, from creating the app registration to configuring the GitHub workflow. The mechanism is based on OpenID Connect (OIDC) trust. Here is what happens when your GitHub Actions workflow runs:
sequenceDiagram
    participant GH as GitHub Actions
    participant GHP as GitHub OIDC Provider
    participant Entra as Microsoft Entra ID
    participant AZ as Azure Resources
    GH->>GHP: Request OIDC token
    GHP->>GH: Issue short-lived JWT
    GH->>Entra: Exchange JWT for Azure access token
    Entra->>Entra: Validate JWT against federated credential
    Entra->>GH: Issue Azure access token
    GH->>AZ: Access resources with Azure token
ComputingForGeeks
computingforgeeks.com › home › set up gcp workload identity federation for github actions (2026)
GCP Workload Identity Federation for GitHub Actions (2026)
1 week ago - The attribute-condition is a CEL expression that filters which tokens are even considered, and this is the single most important security control: it is how you prevent any GitHub repository on the internet from assuming your identity.
gcloud iam workload-identity-pools providers create-oidc github-provider \
  --location=global \
  --workload-identity-pool=github-pool \
  --display-name="GitHub OIDC provider" \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
  --attribute-condition="assertion.repository_owner == 'your-org-name'"
Thalassa
docs.thalassa.cloud › docs › iam › oidc › github-actions
Configuring Workload Identity Federation for GitHub Actions – Thalassa Cloud
Click “Create Identity Provider” to save the configuration. Navigate to IAM → Service Accounts in your Thalassa Cloud Console. Select the service account you want to configure for GitHub Actions federation. Click “Add Federated Identity” or “Workload Identity Federation”.
Google Cloud
cloud.google.com › blog › products › identity-security › secure-your-use-of-third-party-tools-with-identity-federation
Secure your use of third party tools with identity federation | Google Cloud Blog
July 7, 2023 - Mappings (GitHub repo → Terraform Cloud Workspace → Google Cloud Service Account → Google Cloud project ) app-repo-dev → app-ws-dev → app-sa-dev → dev-secmik · app-repo-prod → app-ws-prod → app-sa-prod → production-secmik ... In this scenario, we will create a separate workload identity pool to follow Google Cloud best practices which recommends having one-to-one mapping between external identity provider and workload identity pool to prevent subject collisions.
Google
discuss.google.dev › google cloud › serverless applications
Use Github workflow to deploy to cloud run with workload identity provider without a service account - Serverless Applications - Google Developer forums
June 16, 2025 - I have set up a workload identity provider to use in my Github workflow
gcloudExec "iam workload-identity-pools providers update-oidc \"github-actions2\" \
  --project=\"${PROJECT_ID}\" \
  --location=\"global\" \
  --workload-identity-pool=\"github\" \
  --display-name=\"GitHub repo provider\" \
  --attribute-mapping=\"google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository\" \
  --attribute-condition=\"assertion.repository=='gregclinker/sixtysix'...
