As per the error seems to be you have given invalid json file of service account which is not parsed by the Git actions workflow. As per this official github :
- (Optional) Create a Google Cloud Service Account. If you already have a Service Account, take note of the email address and skip this step :
# TODO: replace ${PROJECT_ID} with your value below. gcloud iam service-accounts create "my-service-account" \ --project "${PROJECT_ID}"
- Create a Service Account Key JSON for the Service Account.
# TODO: replace ${PROJECT_ID} with your value below. gcloud iam service-accounts keys create "key.json" \ --iam-account "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
- Upload the contents of this file as a GitHub Actions Secret. Use the name of the GitHub Actios secret as the credentials_json value in the GitHub Actions YAML:
uses: 'google-github-actions/auth@v2' with: credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}' # Replace with the name of your GitHub Actions secret
Can you validate the above steps as per your yaml seems to be you need to give correct service account JSON file and also credentials json format need to be taken care.
---------- or else you can also achieve by using Workload Identity Federation through a Service Account by following this official github
Edit : Sinethemba Nontshintshi, achieved this by Changing the approach and used the Workload Identity Federation through a Service Account method to authenticate, by using this guide on how to set it up in GCP and in the YAML file it is passed as follows :
- name: Authenticate Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: 'your-service account'
workload_identity_provider: 'your-workload-identity-provider'
GitHub
github.com › google-github-actions › auth
GitHub - google-github-actions/auth: A GitHub Action for authenticating to Google Cloud. · GitHub
A GitHub Action for authenticating to Google Cloud. - google-github-actions/auth
Starred by 1.3K users
Forked by 295 users
Languages TypeScript 98.8% | JavaScript 1.2%
GitHub
github.com › marketplace › actions › authenticate-to-google-cloud
Authenticate to Google Cloud · Actions · GitHub Marketplace · GitHub
It supports authentication via a Google Cloud Service Account Key JSON and authentication via Workload Identity Federation. Workload Identity Federation is recommended over Service Account Keys as it obviates the need to export a long-lived ...
Videos
25:40
How to Setup Google Cloud Workload Identity Federation for GitHub ...
11:33
How to use Github Actions with Google's Workload Identity Federation ...
Access Google Cloud from GitHub Action Sans Keys ...
12:38
Setting up Github OIDC Authentication with GCP | Google Cloud | ...
GitHub Actions with Google Cloud
breadNET
documentation.breadnet.co.uk › kb › githubactions › authenticate-github-actions-to-google-artifact-registry
Authenticate GitHub actions to Google Artifact Registry - breadNET Documentation
When using GitHub Actions to build docker images and push them to GAR, you need to authenticate. You need to have configured Authenticating to GCP using Workload identity Federation · name: GCP Auth Example to GAR jobs: docker: runs-on: ubuntu-latest permissions: id-token: write contents: read steps: - name: Checkout code uses: actions/checkout@v3 - id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v1' with: token_format: 'access_token' workload_identity_provider: ${{vars.WORKLOAD_IDENTITY_PROVIDER}} service_account: ${{vars.SERVICE_ACCOUNT}} - uses: 'docker/login-action@v2' name: Log docker in to Google Container Store with: registry: 'europe-west2-docker.pkg.dev' username: 'oauth2accesstoken' password: '${{ steps.auth.outputs.access_token }}'
Google Cloud
cloud.google.com › blog › products › identity-security › enabling-keyless-authentication-from-github-actions
Enabling keyless authentication from GitHub Actions | Google Cloud Blog
December 7, 2021 - But now, with GitHub's introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation, removing the need to export a long-lived JSON service account key.
Google
developers.google.com › google identity › authorization › using oauth 2.0 to access google apis
Using OAuth 2.0 to Access Google APIs | Authorization | Google for Developers
Different application types, such as web server, installed, client-side, limited-input device, and service accounts, have specific authorization flows. Refresh tokens can expire for various reasons, including user actions or policy settings.
GitHub
github.com › google-github-actions › setup-gcloud
GitHub - google-github-actions/setup-gcloud: A GitHub Action for installing and configuring the gcloud CLI. · GitHub
If you are using self-hosted GitHub Actions runners, you must use a runner version that supports this version or newer. jobs: job_id: # Add "id-token" with the intended permissions. permissions: contents: 'read' id-token: 'write' steps: - id: 'auth' uses: 'google-github-actions/auth@v2' with: workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' service_account: 'my-service-account@my-project.iam.gserviceaccount.com' - name: 'Set up Cloud SDK' uses: 'google-github-actions/setup-gcloud@v3' with: version: '>= 363.0.0' - name: 'Use gcloud CLI' run: 'gcloud info'
Starred by 1.9K users
Forked by 527 users
Languages TypeScript 95.3% | JavaScript 4.7%
bluebirz
bluebirz.net › posts › try-github-actions
Let's try: Github actions for Github integration | bluebirz
September 13, 2025 - Workload Identity Federation6 allows us to securely authenticate to Google Cloud Platform without service account keys or other risky methods if we lose them. Instead, we use short-lived tokens as an identity, including impersonating service accounts. When the setup is ready, our Github actions can connect to the GCP as this diagram.
Firefly
firefly.ai › academy › setting-up-workload-identity-federation-between-github-actions-and-google-cloud-platform
Firefly | Setting Up Workload Identity Federation Between GitHub Actions and Google Cloud Platform
Now, when a Google GitHub Actions workflow runs, it first requests an identity token from GitHub’s OpenID Connect (OIDC) provider. This token includes metadata such as the repository name, workflow details, and the trigger event. GitHub then signs the token to ensure its integrity before providing it to the workflow. Once the workflow receives the signed token, it sends it to GCP IAM for authentication.
Medium
mahendranp.medium.com › gcp-workload-identity-federation-with-github-actions-1d320f62417c
GCP: Enabling keyless authentication from GitHub Actions | by Mahendran | Medium
March 4, 2024 - build: runs-on: ubuntu-latest environment: dev # Fetches the env variables for dev permissions: contents: read id-token: write steps: - name: Checkout actions-oidc-debugger uses: actions/checkout@v3 - id: auth name: Authenticate to Google Cloud uses: google-github-actions/auth@v2 with: create_credentials_file: true workload_identity_provider: '${{ vars.WORKLOAD_IDENTITY_PROVIDER }}' service_account: '${{ secrets.SERVICE_ACCOUNT }}' - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v2 - name: set credentials file run: >- gcloud auth login --cred-file=${{steps.auth.outputs.credentials_file_path}} - name: Use gcloud CLI run: gcloud info - id: upload-file uses: google-github-actions/upload-cloud-storage@v2 with: path: CHANGELOG.md destination: '${{ vars.GCP_BUCKET }}' process_gcloudignore: false
Auth.js
authjs.dev › getting-started
Auth.js | Getting Started
OAuth authentication (Sign in with Google, GitHub, LinkedIn, etc…)
Reddit
reddit.com › r/googlecloud › github actions: pushing to google cloud artifact registry
r/googlecloud on Reddit: Github Actions: Pushing to Google Cloud Artifact Registry
September 29, 2022 -
Did any of you had any luck building an image with cache using Github Actions workflow?
I'm using this as main.yml
Currently I get this error:
ERROR: (gcloud.auth.docker-helper) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials', '{\\n "error": {\\n "code": 403,\\n "message": "The caller does not have permission",\\n "status": "PERMISSION\_DENIED"\\n }\\n}\\n')
...
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/my-project/locations/us-central1/repositories/test" (or it may not exist)The service account currently have these permissions in IAM:
-
Artifact Registry Reader
-
Cloud Run Developer
-
Service Account User
-
Storage Admin
The Workload Identity Federation permissions in IAM:
-
API Keys Viewer
-
Artifact Registry Reader
-
Cloud Run Viewer
-
Firebase Authentication Admin
-
Firebase Hosting Admin
Any idea what could be the issue? or maybe an example workflow I can use?
Google
docs.cloud.google.com › ruby › client libraries › authentication
Authentication | Ruby client libraries | Google Cloud Documentation
2 weeks ago - The following example shows how to set up authentication for a local development environment with your user credentials.
Better Auth
better-auth.com › docs › basic-usage
Basic Usage | Better Auth
import { authClient } from "@/lib/auth-client"; //import the auth client await authClient.signIn.social({ /** * The social provider ID * @example "github", "google", "apple" */ provider: "github", /** * A URL to redirect after the user authenticates with the provider * @default "/" */ callbackURL: "/dashboard", /** * A URL to redirect if an error occurs during the sign in process */ errorCallbackURL: "/error", /** * A URL to redirect if the user is newly registered */ newUserCallbackURL: "/welcome", /** * disable the automatic redirect to the provider.
GitHub
github.com › fastlane › fastlane › discussions › 19869
Support for google-github-actions/auth · fastlane/fastlane · Discussion #19869
Our Github Actions step to obtain credentials looks like: - id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v0' with: create_credentials_file: true project_id: 'REDACTED' service_account: 'REDACTED@REDACTED.iam.gserviceaccount.com' workload_identity_provider: 'projects/REDACTED/locations/global/workloadIdentityPools/REDACTED/providers/REDACTED'
Author fastlane
GitHub
githubstatus.com
GitHub Status
Resolved - On April 1st, 2026 between 14:40 and 17:00 UTC the GitHub code search service had an outage which resulted in users being unable to perform searches. The issue was initially caused by an upgrade to the code search Kafka cluster ZooKeeper instances which caused a loss of quorum.
Medium
medium.com › living-devops › keyless-authentication-to-google-cloud-from-github-actions-with-workload-identity-federation-in-a-fc4fc7527574
Keyless Auth To Google Cloud From GitHub Actions With Workload Identity Federation | by Akhilesh Mishra | Living Devops | Medium
April 11, 2025 - With GitHub’s introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation.
GitHub
docs.github.com › actions › deployment › security-hardening-your-deployments › configuring-openid-connect-in-google-cloud-platform
Configuring OpenID Connect in Google Cloud Platform - GitHub Docs
This action exchanges a GitHub OIDC token for a Google Cloud access token, using Workload Identity Federation. ... # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate ...
Ansible
forum.ansible.com › get help
Gcloud auth login inside playbook - Get Help - Ansible
September 14, 2024 - Hi All, I am trying to run a ansible playbook inside a github workflows, the playbook needs cloud sql proxy to connect to private google cloud sql instance. Below is the snippet of my github workflows pipeline: name: A…
New Releases
newreleases.io › project › github › google-github-actions › auth › release › v2.1.5
google-github-actions/auth v2.1.5 on GitHub
August 21, 2024 - New release google-github-actions/auth version v2.1.5 on GitHub.