Issue with Google Drive API Authentication using GitHub Actions

I created my workload identity pool according to the Google GitHub Actions Auth documentation without any service account. Then I tried to connect to Google Drive, which requires an OAuth 2.0 access token. I used the following configuration:

- name: Authenticate with Google Cloud
  uses: 'google-github-actions/auth@v2'
  with:
    project_id: 'my-project'
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'

- name: Upload files to Google Drive
  uses: 'Burak-Atak/drive-upload@master'
  with:
    google_credentials_file_path: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
    files_to_create: "app.spec"
    drive_folder_id: "242fgdfg345345"
    files_to_update: "requirements.txt"
    file_ids_to_update: "asdas3534fdgg"

However, I got the following error with the code below:

import os

from google.auth import load_credentials_from_file
from googleapiclient.discovery import build


def authenticate_google(self):
    # Load whatever credential file the auth step wrote and request Drive scopes
    credentials, project_id = load_credentials_from_file(
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"],
        scopes=[
            'https://www.googleapis.com/auth/drive.file',
            'https://www.googleapis.com/auth/drive',
            'https://www.googleapis.com/auth/drive.metadata'
        ]
    )

    # Build the Drive v3 client with those credentials
    return build("drive", "v3", credentials=credentials)

googleapiclient.errors.HttpError: <HttpError 401 when requesting https://www.googleapis.com/upload/drive/v3/files?fields=id&alt=json&uploadType=multipart returned "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.". Details: "[{'message': 'Invalid Credentials', 'domain': 'global', 'reason': 'authError', 'location': 'Authorization', 'locationType': 'header'}]">

I realized I should use OAuth 2.0 for the Google Drive API. Then I changed my configuration to this:

- name: Authenticate with Google Cloud
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
    project_id: '<PROJECT_ID>'
    service_account: '<PROJECT_ID>@<PROJECT_ID>.iam.gserviceaccount.com'
    token_format: 'access_token'
    access_token_lifetime: '60s'
    access_token_scopes: 'https://www.googleapis.com/auth/drive.file,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.metadata'

- name: Upload files to Google Drive
  uses: 'Burak-Atak/drive-upload@master'
  with:
    google_credentials_file_path: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
    files_to_create: "app.spec"
    drive_folder_id: "242fgdfg345345"
    files_to_update: "requirements.txt"
    file_ids_to_update: "asdas3534fdgg"

After this change, I started to get the following error even though I have the Service Account Token Creator and Owner roles on my service account:

google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for <PROJECT_ID>@<PROJECT_ID>.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

Solution

I figured out that I should add a service account to my workload pool. Check the "Connected service accounts" part in the Google Cloud Console. If there is no connected service account, you should add one.

Answer from Burak-Atak on Stack Overflow
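A pre-flight check that reproduces the reasoning in the post, as an added example that is not part of the question, the answer, or the google-github-actions/auth action's own code: it parses the credential configuration file that the auth step writes to GOOGLE_APPLICATION_CREDENTIALS and reports whether that file can ever produce the OAuth 2.0 access token the Drive API demanded in the 401 above. It assumes the standard external_account layout (an `audience` of the form `//iam.googleapis.com/projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER`, and a `service_account_impersonation_url` only when a service account is connected); the sample JSON, project number, pool and provider names, service account e-mail and the `OWNER/REPO` attribute in the suggested binding are constructed placeholders.

```python
"""Classify the credential file written by google-github-actions/auth.

Added example, not code from the question or from the auth action. All
sample configurations below are constructed; names are placeholders.
"""
import json
import os
import re

# Audience the auth step writes; it mirrors the workflow's workload_identity_provider.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)
# Impersonation endpoint present only when a service_account was configured.
IMPERSONATION_RE = re.compile(r"/serviceAccounts/(?P<email>[^/:]+):generateAccessToken$")


def classify(cfg: dict) -> str:
    """Return service_account_key, impersonated, federated_only or unknown."""
    kind = cfg.get("type")
    if kind == "service_account":
        return "service_account_key"      # long-lived JSON key
    if kind == "external_account":
        if cfg.get("service_account_impersonation_url"):
            return "impersonated"         # STS token is swapped for an SA access token
        return "federated_only"           # bare STS token, no service account behind it
    return "unknown"


def service_account_email(cfg: dict):
    """E-mail of the impersonated service account, or None."""
    m = IMPERSONATION_RE.search(cfg.get("service_account_impersonation_url", ""))
    return m["email"] if m else None


def diagnose(cfg: dict) -> dict:
    """Explain whether this credential can satisfy the Drive API and what to fix."""
    kind = classify(cfg)
    report = {
        "kind": kind,
        "drive_ready": kind in ("impersonated", "service_account_key"),
        "service_account": service_account_email(cfg),
        "hints": [],
    }
    aud = AUDIENCE_RE.match(cfg.get("audience", ""))
    # Member that the console's "Connected service accounts" step binds.
    # OWNER/REPO is a placeholder for the repository attribute mapped in the pool.
    member = None
    if aud:
        member = (f"principalSet://iam.googleapis.com/projects/{aud['project']}/locations/"
                  f"global/workloadIdentityPools/{aud['pool']}/attribute.repository/OWNER/REPO")
    if kind == "federated_only":
        report["hints"].append(
            "Bare federated token with no service account behind it; Drive answers "
            "401 'Expected OAuth 2 access token'. Set service_account in the auth step "
            "and connect that account to the pool.")
    elif kind == "impersonated":
        report["hints"].append(
            f"Token exchange impersonates {report['service_account']}. A 403 on "
            "iam.serviceAccounts.getAccessToken here means the pool identity lacks "
            "roles/iam.workloadIdentityUser on that account.")
    elif kind == "service_account_key":
        report["hints"].append(
            "Long-lived JSON key; Drive accepts it, but prefer WIF with an impersonated account.")
    if member and kind in ("federated_only", "impersonated"):
        report["hints"].append(f"Binding to verify or add: roles/iam.workloadIdentityUser for {member}")
    return report


def check_file(path: str) -> dict:
    """Diagnose the credential file at `path` (e.g. GOOGLE_APPLICATION_CREDENTIALS)."""
    with open(path, encoding="utf-8") as fh:
        return diagnose(json.load(fh))


# Constructed sample: pool without a connected service account (the first workflow).
FEDERATED_ONLY = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/my-pool/providers/my-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": "https://example.invalid/github-oidc-token",   # placeholder endpoint
        "headers": {"Authorization": "Bearer <runtime-token>"},
        "format": {"type": "json", "subject_token_field_name": "value"},
    },
}
# Constructed sample: same pool with a service account connected (the fixed workflow).
IMPERSONATED = dict(
    FEDERATED_ONLY,
    service_account_impersonation_url="https://iamcredentials.googleapis.com/v1/projects/-/"
    "serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:generateAccessToken",
)

if __name__ == "__main__":
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    print(json.dumps(check_file(path) if path else diagnose(FEDERATED_ONLY), indent=2))
```

Run it inside the job after the auth step and it reads the real file; run it locally and it diagnoses the constructed sample. The useful distinction is the `drive_ready` flag: a `federated_only` file is exactly the situation in the question, where no service account is connected to the pool, and no choice of scopes in `load_credentials_from_file` can turn that STS token into something Drive accepts.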

