As per the error seems to be you have given invalid json file of service account which is not parsed by the Git actions workflow. As per this official github :
- (Optional) Create a Google Cloud Service Account. If you already have a Service Account, take note of the email address and skip this step :
# TODO: replace ${PROJECT_ID} with your value below. gcloud iam service-accounts create "my-service-account" \ --project "${PROJECT_ID}"
- Create a Service Account Key JSON for the Service Account.
# TODO: replace ${PROJECT_ID} with your value below. gcloud iam service-accounts keys create "key.json" \ --iam-account "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
- Upload the contents of this file as a GitHub Actions Secret. Use the name of the GitHub Actios secret as the credentials_json value in the GitHub Actions YAML:
uses: 'google-github-actions/auth@v2' with: credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}' # Replace with the name of your GitHub Actions secret
Can you validate the above steps as per your yaml seems to be you need to give correct service account JSON file and also credentials json format need to be taken care.
---------- or else you can also achieve by using Workload Identity Federation through a Service Account by following this official github
Edit : Sinethemba Nontshintshi, achieved this by Changing the approach and used the Workload Identity Federation through a Service Account method to authenticate, by using this guide on how to set it up in GCP and in the YAML file it is passed as follows :
- name: Authenticate Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: 'your-service account'
workload_identity_provider: 'your-workload-identity-provider'
GitHub
github.com › google-github-actions › auth
GitHub - google-github-actions/auth: A GitHub Action for authenticating to Google Cloud. · GitHub
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Starred by 1.3K users
Forked by 295 users
Languages TypeScript 98.8% | JavaScript 1.2%
breadNET
documentation.breadnet.co.uk › kb › githubactions › authenticate-github-actions-to-google-artifact-registry
Authenticate GitHub actions to Google Artifact Registry - breadNET Documentation
When using GitHub Actions to build docker images and push them to GAR, you need to authenticate. You need to have configured Authenticating to GCP using Workload identity Federation · name: GCP Auth Example to GAR jobs: docker: runs-on: ubuntu-latest permissions: id-token: write contents: read steps: - name: Checkout code uses: actions/checkout@v3 - id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v1' with: token_format: 'access_token' workload_identity_provider: ${{vars.WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{vars.SERVICE_ACCOUNT}} - uses: 'docker/login-action@v2' name: Log docker in to Google Container Store with: registry: 'europe-west2-docker.pkg.dev' username: 'oauth2accesstoken' password: '${{ steps.auth.outputs.access_token }}'
Videos
25:40
How to Setup Google Cloud Workload Identity Federation for GitHub ...
11:33
How to use Github Actions with Google's Workload Identity Federation ...
Access Google Cloud from GitHub Action Sans Keys ...
12:38
Setting up Github OIDC Authentication with GCP | Google Cloud | ...
GitHub Actions with Google Cloud
Google Cloud
cloud.google.com › blog › products › identity-security › enabling-keyless-authentication-from-github-actions
Enabling keyless authentication from GitHub Actions | Google Cloud Blog
December 7, 2021 - But now, with GitHub's introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation, removing the need to export a long-lived JSON service account key.
GitHub
github.com › google-github-actions › auth › blob › main › docs › EXAMPLES.md
auth/docs/EXAMPLES.md at main · google-github-actions/auth
This example demonstrates authenticating via a Google Cloud Service Account Key JSON. After you export a Google Cloud Service Account Key, insert the value into a GitHub Secret named 'GOOGLE_CREDENTIALS'. jobs: job_id: steps: - uses: 'actions/checkout@v4' - uses: 'google-github-actions/auth@v3' with: credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
Author google-github-actions
GitHub
github.com › marketplace › actions › authenticate-to-google-cloud
Authenticate to Google Cloud · Actions · GitHub Marketplace · GitHub
It supports authentication via a Google Cloud Service Account Key JSON and authentication via Workload Identity Federation. Workload Identity Federation is recommended over Service Account Keys as it obviates the need to export a long-lived ...
GitHub
github.com › google-github-actions › auth › blob › main › README.md
auth/README.md at main · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
GitHub
github.com › google-github-actions › setup-gcloud
GitHub - google-github-actions/setup-gcloud: A GitHub Action for installing and configuring the gcloud CLI. · GitHub
If you are using self-hosted GitHub Actions runners, you must use a runner version that supports this version or newer. jobs: job_id: # Add "id-token" with the intended permissions. permissions: contents: 'read' id-token: 'write' steps: - id: 'auth' uses: 'google-github-actions/auth@v2' with: workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' service_account: 'my-service-account@my-project.iam.gserviceaccount.com' - name: 'Set up Cloud SDK' uses: 'google-github-actions/setup-gcloud@v3' with: version: '>= 363.0.0' - name: 'Use gcloud CLI' run: 'gcloud info'
Starred by 1.9K users
Forked by 527 users
Languages TypeScript 95.3% | JavaScript 4.7%
GitHub
github.com › google-github-actions › auth › blob › main › action.yml
auth/action.yml at main · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
GitHub
github.com › google-github-actions › auth › blob › main › docs › TROUBLESHOOTING.md
auth/docs/TROUBLESHOOTING.md at main · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
GitHub
github.com › google-github-actions › auth › blob › main › docs › SECURITY_CONSIDERATIONS.md
auth/docs/SECURITY_CONSIDERATIONS.md at main · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
GitHub
github.com › google-github-actions › auth › actions
Workflow runs · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - Workflow runs · google-github-actions/auth
Author google-github-actions
Medium
medium.com › google-cloud › ci-cd-on-github-actions-enabling-keyless-authentication-and-workload-identity-f55efb95343c
CI CD Github Actions enabling Keyless Authentication Workload Identity | Google Cloud - Community
April 29, 2024 - We need to pass the permissions ... google-github-actions/auth action, allows to authenticate the current repository to Google Cloud via the Workload Identity Provider and the associated Service Account...
Medium
medium.com › living-devops › keyless-authentication-to-google-cloud-from-github-actions-with-workload-identity-federation-in-a-fc4fc7527574
Keyless Auth To Google Cloud From GitHub Actions With Workload Identity Federation | by Akhilesh Mishra | Living Devops | Medium
April 11, 2025 - With GitHub’s introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation.
GitHub
github.com › sethvargo › oidc-auth-google-cloud › releases
Releases · google-github-actions/auth
August 28, 2025 - A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
Top answer 1 of 2
50
I needed to add:
jobs:
my_job:
# Need to add these 3 lines to add "id-token" with the intended permissions.
permissions:
contents: 'read'
id-token: 'write'
This is documented here: https://github.com/google-github-actions/auth#usage
2 of 2
3
For me, what I missing are
- Ensure the value for workload_identity_provider is the full Provider name, not the Pool name:
- projects/NUMBER/locations/global/workloadIdentityPools/POOL
+ projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
- Need to have permission
permissions:
contents: 'read'
id-token: 'write'
Check out this https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md
Firefly
firefly.ai › academy › setting-up-workload-identity-federation-between-github-actions-and-google-cloud-platform
Firefly | Setting Up Workload Identity Federation Between GitHub Actions and Google Cloud Platform
Now, when a Google GitHub Actions workflow runs, it first requests an identity token from GitHub’s OpenID Connect (OIDC) provider. This token includes metadata such as the repository name, workflow details, and the trigger event. GitHub then signs the token to ensure its integrity before providing it to the workflow. Once the workflow receives the signed token, it sends it to GCP IAM for authentication.
GitHub
github.com › google-github-actions › get-gke-credentials
GitHub - google-github-actions/get-gke-credentials: A GitHub Action that configure authentication to a GKE cluster. · GitHub
This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth. See usage for more details. jobs: job_id: permissions: contents: 'read' id-token: 'write' steps: - id: 'auth' uses: 'google-github-actions/auth@v3' with: project_id: 'my-project' workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' - id: 'get-credentials' uses: 'google-github-actions/get-gke-credentials@v3' with: cluster_name: 'my-cluster' location: 'us-central1-a'
Starred by 122 users
Forked by 44 users
Languages TypeScript 98.3% | JavaScript 1.7%
CICube
cicube.io › home › workflow hub › how to authenticate to google cloud from github actions
How to Authenticate to Google Cloud from GitHub Actions - Workflow Hub - CI Cube
May 23, 2024 - name: 'Usage of auth GitHub Action' on: push: branches: - main jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: 'google-github-actions/auth@v2' with: project_id: 'my-project' workload_identity_provider: > 'projects/12/locations/global/workloadIdentityPools/pool/providers/provider'
Medium
mahendranp.medium.com › gcp-workload-identity-federation-with-github-actions-1d320f62417c
GCP: Enabling keyless authentication from GitHub Actions | by Mahendran | Medium
March 4, 2024 - build: runs-on: ubuntu-latest environment: dev # Fetches the env variables for dev permissions: contents: read id-token: write steps: - name: Checkout actions-oidc-debugger uses: actions/checkout@v3 - id: auth name: Authenticate to Google Cloud uses: google-github-actions/auth@v2 with: create_credentials_file: true workload_identity_provider: '${{ vars.WORKLOAD_IDENTITY_PROVIDER }}' service_account: '${{ secrets.SERVICE_ACCOUNT }}' - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v2 - name: set credentials file run: >- gcloud auth login --cred-file=${{steps.auth.outputs.credentials_file_path}} - name: Use gcloud CLI run: gcloud info - id: upload-file uses: google-github-actions/upload-cloud-storage@v2 with: path: CHANGELOG.md destination: '${{ vars.GCP_BUCKET }}' process_gcloudignore: false