As per the error seems to be you have given invalid json file of service account which is not parsed by the Git actions workflow. As per this official github :
- (Optional) Create a Google Cloud Service Account. If you already have a Service Account, take note of the email address and skip this step :
# TODO: replace ${PROJECT_ID} with your value below. gcloud iam service-accounts create "my-service-account" \ --project "${PROJECT_ID}"
- Create a Service Account Key JSON for the Service Account.
# TODO: replace ${PROJECT_ID} with your value below. gcloud iam service-accounts keys create "key.json" \ --iam-account "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
- Upload the contents of this file as a GitHub Actions Secret. Use the name of the GitHub Actios secret as the credentials_json value in the GitHub Actions YAML:
uses: 'google-github-actions/auth@v2' with: credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}' # Replace with the name of your GitHub Actions secret
Can you validate the above steps as per your yaml seems to be you need to give correct service account JSON file and also credentials json format need to be taken care.
---------- or else you can also achieve by using Workload Identity Federation through a Service Account by following this official github
Edit : Sinethemba Nontshintshi, achieved this by Changing the approach and used the Workload Identity Federation through a Service Account method to authenticate, by using this guide on how to set it up in GCP and in the YAML file it is passed as follows :
- name: Authenticate Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: 'your-service account'
workload_identity_provider: 'your-workload-identity-provider'
GitHub
github.com › google-github-actions › auth
GitHub - google-github-actions/auth: A GitHub Action for authenticating to Google Cloud. · GitHub
It supports authentication via a Google Cloud Service Account Key JSON and authentication via Workload Identity Federation. Workload Identity Federation is recommended over Service Account Keys as it obviates the need to export a long-lived credential and establishes a trust delegation relationship between a particular GitHub Actions workflow invocation and permissions on Google Cloud.
Starred by 1.3K users
Forked by 295 users
Languages TypeScript 98.8% | JavaScript 1.2%
breadNET
documentation.breadnet.co.uk › kb › githubactions › authenticate-github-actions-to-google-artifact-registry
Authenticate GitHub actions to Google Artifact Registry - breadNET Documentation
name: GCP Auth Example to GAR jobs: docker: runs-on: ubuntu-latest permissions: id-token: write contents: read steps: - name: Checkout code uses: actions/checkout@v3 - id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v1' with: token_format: 'access_token' workload_identity_provider: ${{vars.WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{vars.SERVICE_ACCOUNT}} - uses: 'docker/login-action@v2' name: Log docker in to Google Container Store with: registry: 'europe-west2-docker.pkg.dev' username: 'oauth2accesstoken' password: '${{ steps.auth.outputs.access_token }}'
Videos
17:22
GCP | OIDC | GitHub | Secure Credential Less OIDC Authentication ...
11:33
How to use Github Actions with Google's Workload Identity Federation ...
12:38
Setting up Github OIDC Authentication with GCP | Google Cloud | ...
25:40
How to Setup Google Cloud Workload Identity Federation for GitHub ...
Access Google Cloud from GitHub Action Sans Keys ...
GitHub Actions with Google Cloud
GitHub
github.com › google-github-actions › auth › blob › main › docs › EXAMPLES.md
auth/docs/EXAMPLES.md at main · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
GitHub
github.com › google-github-actions › auth › blob › main › README.md
auth/README.md at main · google-github-actions/auth
Trusted Partner Cloud and Google Distributed Hosted Cloud should set this to their universe address. You can also override individual API endpoints by setting the environment variable GHA_ENDPOINT_OVERRIDE_<endpoint> where endpoint is the API endpoint to override. This only applies to the auth action and does not persist to other steps. For example: env: GHA_ENDPOINT_OVERRIDE_oauth2: 'https://oauth2.myapi.endpoint/v1...
Author google-github-actions
Google Cloud
cloud.google.com › blog › products › identity-security › enabling-keyless-authentication-from-github-actions
Enabling keyless authentication from GitHub Actions | Google Cloud Blog
December 7, 2021 - But now, with GitHub's introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation, removing the need to export a long-lived JSON service account key.
GitHub
github.com › marketplace › actions › authenticate-to-google-cloud
Authenticate to Google Cloud · Actions · GitHub Marketplace · GitHub
Trusted Partner Cloud and Google Distributed Hosted Cloud should set this to their universe address. You can also override individual API endpoints by setting the environment variable GHA_ENDPOINT_OVERRIDE_<endpoint> where endpoint is the API endpoint to override. This only applies to the auth action and does not persist to other steps. For example: env: GHA_ENDPOINT_OVERRIDE_oauth2: 'https://oauth2.myapi.endpoint/v1...
GitHub
github.com › actions-hub › gcloud
GitHub - actions-hub/gcloud: GitHub Action for interacting with Google Cloud Platform (GCP) · GitHub
- id: google_cloud_auth name: Authenticate to Google Cloud uses: google-github-actions/auth@v1 with: workload_identity_provider: 'projects/${{ secrets.gcp_project_number }}/locations/global/workloadIdentityPools/${{ secrets.workload_identity_pool }/providers/${{ secrets.workload_identity_provider }}' service_account: '${{ secrets.workload_identity_service_account }}@${{ secrets.gcp_project_name }}.iam.gserviceaccount.com' token_format: 'access_token' - uses: actions-hub/gcloud@master env: PROJECT_ID: ${{ secrets.gcp_project_name }} CLOUDSDK_AUTH_ACCESS_TOKEN: '${{ steps.google_cloud_auth.outputs.access_token }}' with: args: info ·
Starred by 241 users
Forked by 27 users
Languages Shell 94.2% | Dockerfile 5.8%
Medium
medium.com › google-cloud › ci-cd-on-github-actions-enabling-keyless-authentication-and-workload-identity-f55efb95343c
CI CD Github Actions enabling Keyless Authentication Workload Identity | Google Cloud - Community
April 29, 2024 - We need to pass the permissions ... google-github-actions/auth action, allows to authenticate the current repository to Google Cloud via the Workload Identity Provider and the associated Service Account...
GitHub
github.com › rhinofi › google-github-actions-auth
GitHub - rhinofi/google-github-actions-auth: A GitHub Action for authenticating to Google Cloud.
- id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v1' with: token_format: 'access_token' # <-- workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' service_account: 'my-service-account@my-project.iam.gserviceaccount.com' access_token_lifetime: '300s' # optional, default: '3600s' (1 hour) # Example of using the output.
Author rhinofi
GitHub
github.com › google-github-actions › setup-gcloud
GitHub - google-github-actions/setup-gcloud: A GitHub Action for installing and configuring the gcloud CLI. · GitHub
The setup-gcloud action installs the Cloud SDK (gcloud). To configure its authentication to Google Cloud, you must first use the google-github-actions/auth action. The auth action sets Application Default Credentials, then the setup-gcloud action ...
Starred by 1.9K users
Forked by 527 users
Languages TypeScript 95.3% | JavaScript 4.7%
GitHub
github.com › google-github-actions › auth › issues › 336
Interaction between 'delegates' and Workload Identity Federation · Issue #336 · google-github-actions/auth
October 12, 2023 - jobs: test_workflow: permissions: contents: read id-token: write runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 - id: "auth" uses: "google-github-actions/auth@v1" with: workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/MY_POOL/providers/MY_PROVIDER service_account: MY_SA@MY_PROJECT.iam.gserviceaccount.com delegates: MY_SA-CICD@MY_PROJECT.iam.gserviceaccount.com token_format: "access_token" access_token_lifetime: 3600s - id: "setup-gcloud" uses: "google-github-actions/setup-gcloud@v1" - run: | gcloud auth list gcloud artifacts repositories list
Author Tutuchan
Top answer 1 of 2
50
I needed to add:
jobs:
my_job:
# Need to add these 3 lines to add "id-token" with the intended permissions.
permissions:
contents: 'read'
id-token: 'write'
This is documented here: https://github.com/google-github-actions/auth#usage
2 of 2
3
For me, what I missing are
- Ensure the value for workload_identity_provider is the full Provider name, not the Pool name:
- projects/NUMBER/locations/global/workloadIdentityPools/POOL
+ projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
- Need to have permission
permissions:
contents: 'read'
id-token: 'write'
Check out this https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md
GitHub
github.com › invisiblefoods › google-github-actions-auth
GitHub - invisiblefoods/google-github-actions-auth: GitHub Action for authenticating to Google Cloud with GitHub Actions OIDC tokens and Workload Identity Federation.
- id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v1' with: token_format: 'access_token' # <-- workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' service_account: 'my-service-account@my-project.iam.gserviceaccount.com' access_token_lifetime: '300s' # optional, default: '3600s' (1 hour) # Example of using the output.
Author invisiblefoods
Medium
medium.com › living-devops › keyless-authentication-to-google-cloud-from-github-actions-with-workload-identity-federation-in-a-fc4fc7527574
Keyless Auth To Google Cloud From GitHub Actions With Workload Identity Federation | by Akhilesh Mishra | Living Devops | Medium
April 11, 2025 - To use GitHub Actions to interact with Google Cloud resources, like uploading a container to Artifact Registry or deploying a service with Cloud Run, you need to authenticate your actions to ensure secure access to those resources.
GitHub
github.com › google-github-actions › auth › issues › 340
Permission \'iam.serviceAccounts.getAccessToken\' denied on resource (or it may not exist). · Issue #340 · google-github-actions/auth
October 31, 2023 - name: Deploy PHP to Compute Engine on: push: branches: - test # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: deploy: # Add 'id-token' with the intended permissions for workload identity federation permissions: contents: 'read' id-token: 'write' runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v2 - id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v1' with: workload_identity_provider: '${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' service_account: '${{ secrets.GCP_SERVICE_ACCOUNT }}' - nam
Author durgesh-sahani
GitHub
github.com › docker › login-action
GitHub - docker/login-action: GitHub Action to login against a Docker registry · GitHub
name: ci on: push: branches: main jobs: login: runs-on: ubuntu-latest steps: - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@v1 with: token_format: access_token workload_identity_provider: <workload_identity_provider> service_account: <service_account> - name: Login to GCR uses: docker/login-action@v4 with: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }}
Starred by 1.4K users
Forked by 288 users
Languages TypeScript 81.1% | Dockerfile 9.6% | JavaScript 4.7% | HCL 4.6%
GitHub
github.com › sethvargo › oidc-auth-google-cloud › releases
Releases · google-github-actions/auth
August 28, 2025 - A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions
GitHub
github.com › google-github-actions › auth › blob › main › action.yml
auth/action.yml at main · google-github-actions/auth
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Author google-github-actions