Issue with Google Drive API Authentication using GitHub Actions

I created my workload identity pool according to the Google GitHub Actions Auth documentation without any service account. Then I tried to connect to Google Drive, which requires an OAuth 2.0 access token. I used the following configuration:

- name: Authenticate with Google Cloud
  uses: 'google-github-actions/auth@v2'
  with:
    project_id: 'my-project'
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'

- name: Upload files to Google Drive
  uses: 'Burak-Atak/drive-upload@master'
  with:
    google_credentials_file_path: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
    files_to_create: "app.spec"
    drive_folder_id: "242fgdfg345345"
    files_to_update: "requirements.txt"
    file_ids_to_update: "asdas3534fdgg"

However, I got the following error with the code below:

import os

from google.auth import load_credentials_from_file
from googleapiclient.discovery import build


def authenticate_google(self):
    # Load the credentials file written by google-github-actions/auth
    # (its path is exported as GOOGLE_APPLICATION_CREDENTIALS) with Drive scopes.
    credentials, project_id = load_credentials_from_file(
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"],
        scopes=[
            'https://www.googleapis.com/auth/drive.file',
            'https://www.googleapis.com/auth/drive',
            'https://www.googleapis.com/auth/drive.metadata'
        ]
    )

    return build("drive", "v3", credentials=credentials)

googleapiclient.errors.HttpError: <HttpError 401 when requesting https://www.googleapis.com/upload/drive/v3/files?fields=id&alt=json&uploadType=multipart returned "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.". Details: "[{'message': 'Invalid Credentials', 'domain': 'global', 'reason': 'authError', 'location': 'Authorization', 'locationType': 'header'}]">

I realized I should use OAuth 2.0 for the Google Drive API. Then I changed my configuration to this:

- name: Authenticate with Google Cloud
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
    project_id: '<PROJECT_ID>'
    service_account: '<PROJECT_ID>@<PROJECT_ID>.iam.gserviceaccount.com'
    token_format: 'access_token'
    access_token_lifetime: '60s'
    access_token_scopes: 'https://www.googleapis.com/auth/drive.file,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.metadata'

- name: Upload files to Google Drive
  uses: 'Burak-Atak/drive-upload@master'
  with:
    google_credentials_file_path: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
    files_to_create: "app.spec"
    drive_folder_id: "242fgdfg345345"
    files_to_update: "requirements.txt"
    file_ids_to_update: "asdas3534fdgg"

After this change, I started to get the following error even though I have the Service Account Token Creator and Owner roles in my service account:

google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for <PROJECT_ID>@<PROJECT_ID>.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

Solution

I figured out that I should add a service account to my workload pool. Check the "Connected service accounts" part in the Google Cloud Console. If there is no connected service account, you should add one.

Answer from Burak-Atak on Stack Overflow
Top answer (1 of 3, score 9)

In addition to the OP's own answer of the service account not being connected (bound) at all, this can result from the service account binding being constrained using attribute mappings.

In the default setup for GitHub Actions discussed here on the google blog for WIF, the provider is set up with a set of attribute mappings:

--attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository"

Those attributes can be used to restrict access when you connect (bind) the service account. In the following, the member uses the repository attribute to constrain it so that only actions executing in my-org/my-repo on GitHub will be permitted.

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/attribute.repository/my-org/my-repo"

A cross-repository provider

Of course, you want to use strong restrictions here: restrict to a repository, or even to a particular branch (so that only main branch actions have the privilege to deploy to production, for example). No restrictions allows anything, which is absolutely not what you want!!!

In my case, I set up my WIF provider, then tried to reuse it from another repository, resulting in the error experienced by the OP.

I chose to add the repository_owner attribute mapping from the list of all possible attributes that are in GitHub's OIDC token (the attribute mappings are editable in the google cloud console), then bind my service account to that rather than the repository-specific principal:

--attribute-mapping="google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner"

and

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/my-pool/attribute.repository_owner/my-org"

Bingo, it works a charm now.

Take care to think about your attack surface though, loosening this constraint too widely creates real vulnerability.
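To make the two bindings in this answer concrete, here is a small Python model (added here; not the answer's code and not Google's implementation) of how IAM resolves a principal:// or principalSet:// member against a token's mapped attributes. POOL, the claim sets and the binding strings are constructed values mirroring the ones above; all function names are hypothetical.

```python
"""Model of how a Workload Identity Federation binding is matched against a
GitHub Actions OIDC token (constructed illustration, not Google's code).
The provider's attribute mapping turns token claims into google.subject and
attribute.* values; the binding on the service account names one subject
(principal://) or an attribute value (principalSet://). If nothing matches,
roles/iam.workloadIdentityUser is not granted and generateAccessToken fails
with the 403 shown in the question."""
from typing import Dict

# Pool resource name used in the answer's bindings (constructed value).
POOL = "projects/1234567890/locations/global/workloadIdentityPools/my-pool"
PRINCIPAL_SET_PREFIX = f"principalSet://iam.googleapis.com/{POOL}/"
PRINCIPAL_PREFIX = f"principal://iam.googleapis.com/{POOL}/subject/"

# The answer's two provider mappings and their matching bindings.
REPO_MAPPING = "google.subject=assertion.sub,attribute.repository=assertion.repository"
REPO_MEMBER = PRINCIPAL_SET_PREFIX + "attribute.repository/my-org/my-repo"
OWNER_MAPPING = ("google.subject=assertion.sub,"
                 "attribute.repository_owner=assertion.repository_owner")
OWNER_MEMBER = PRINCIPAL_SET_PREFIX + "attribute.repository_owner/my-org"

# Constructed claim sets in the shape GitHub issues for a workflow run.
MY_REPO_MAIN = {"sub": "repo:my-org/my-repo:ref:refs/heads/main",
                "repository": "my-org/my-repo", "repository_owner": "my-org"}
OTHER_REPO = {"sub": "repo:my-org/other-repo:ref:refs/heads/main",
              "repository": "my-org/other-repo", "repository_owner": "my-org"}
FOREIGN_REPO = {"sub": "repo:evil-org/my-repo:ref:refs/heads/main",
                "repository": "evil-org/my-repo", "repository_owner": "evil-org"}


def parse_mapping(mapping: str) -> Dict[str, str]:
    """Parse an --attribute-mapping string into {target: claim name}."""
    parsed = {}
    for pair in mapping.split(","):
        target, source = (part.strip() for part in pair.split("=", 1))
        if not source.startswith("assertion."):
            raise ValueError(f"unsupported mapping source: {source}")
        parsed[target] = source[len("assertion."):]
    return parsed


def map_claims(mapping: str, claims: Dict[str, str]) -> Dict[str, str]:
    """Apply the mapping to a token; a referenced claim the token lacks
    would make the STS exchange fail, so it is an error here too."""
    mapped = {}
    for target, claim in parse_mapping(mapping).items():
        if claim not in claims:
            raise KeyError(f"token has no claim {claim!r} for {target}")
        mapped[target] = claims[claim]
    return mapped


def member_matches(member: str, mapped: Dict[str, str]) -> bool:
    """True if the binding's member covers this token's mapped identity."""
    if member.startswith(PRINCIPAL_PREFIX):
        return mapped.get("google.subject") == member[len(PRINCIPAL_PREFIX):]
    if not member.startswith(PRINCIPAL_SET_PREFIX):
        return False  # a different pool, or not a WIF member at all
    selector = member[len(PRINCIPAL_SET_PREFIX):]
    if selector == "*":
        return True  # every identity in the pool: effectively no restriction
    if not selector.startswith("attribute."):
        return False
    # attribute.<name>/<value>; the value itself may contain '/' (my-org/my-repo)
    name, _, value = selector[len("attribute."):].partition("/")
    return mapped.get(f"attribute.{name}") == value


def can_impersonate(mapping: str, member: str, claims: Dict[str, str]) -> bool:
    """Would a token with these claims be allowed to mint a token for the SA?
    (A provider attribute condition, if set, is evaluated before this step
    and is not modelled here.)"""
    try:
        mapped = map_claims(mapping, claims)
    except KeyError:
        return False
    return member_matches(member, mapped)
```

Run against the constructed claim sets, the repository binding admits my-org/my-repo only, a binding on repository_owner without the matching mapping admits nothing, and the wildcard member admits any repository on GitHub.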

Answer 2 of 3 (score 5)

So I later found out what this was. Despite running:

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
    --role=roles/iam.workloadIdentityUser \
    --member="MEMBER_EXPRESSION"

As per the docs, it had not granted permission. I went into the console and checked the workload identity pool under the "Connected service accounts" menu (to the left); the service account wasn't in there, so I added it manually.
