
Workload Identity Federation

Context

GitHub has a CI/CD platform called GitHub Actions that runs workflows (jobs) against your code.

As part of this, a workflow sometimes needs to push an object to Google Cloud, or build a container using a base image from our private registry.

All of these actions need to authenticate to Google Cloud in a simple way that does not involve managing long-lived keys.

Technology used

  • GitHub Actions
  • Google Cloud

Project Breakdown and Solution

An organization policy (the constraints/iam.disableServiceAccountKeyCreation constraint) blocks the creation of Google service account keys across the org, so using keys would have required a long-winded exception process. Keys were therefore not an option.

While browsing the GitHub documentation I came across GitHub Actions' OIDC support: each job can request a short-lived OIDC ID token (a JWT signed by GitHub) whose claims describe the workflow (repository, branch, actor, and so on), and Google Cloud can exchange that token for a short-lived GCP credential based on those claims. No key is ever created or exchanged.

I set up Workload Identity Federation, giving keyless access to our GCP environment scoped by:

  • The branch the workflow runs from, which determines what access it gets (conditional access via the provider's attribute condition)
  • A separate sensitive provider whose condition only accepts tokens from workflows running on the main branch (refs/heads/main)

With this in place, the key-theft scenario goes away. Previously, anyone with write access to the repo could change a CI job to make a web request to a server they control and exfiltrate the long-lived credentials. Federated tokens are short-lived and can only be obtained by a workflow whose claims satisfy the provider's condition, so a job edited on a feature branch does not pass the main-only condition. The condition must also pin the repository or repository owner, because the GitHub token issuer is shared by every repository on github.com.

On the backend, a Terraform module creates the service accounts and the IAM bindings (roles/iam.workloadIdentityUser) that allow identities from the Workload Identity Federation provider to impersonate them.
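The following Terraform is an added example, not the page's own module, showing the shape of the setup described above (the branch-scoped provider, the main-only sensitive provider, and the service account bindings). The project id, GitHub org and repo names, pool and provider ids, and service account name are all assumed placeholders.

```hcl
# Added example, not the page's own Terraform module. Assumed values:
# project "example-project", GitHub org "example-org", repo "example-repo",
# pool id "github-actions", service account "gha-deploy".

locals {
  project = "example-project"              # assumption
  gh_org  = "example-org"                  # assumption
  gh_repo = "${local.gh_org}/example-repo" # assumption
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = local.project
  workload_identity_pool_id = "github-actions"
  display_name              = "GitHub Actions"
}

# Claims from the GitHub-issued OIDC token, mapped to Google attributes.
# "sub" looks like "repo:example-org/example-repo:ref:refs/heads/main".
locals {
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.actor"            = "assertion.actor"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.ref"              = "assertion.ref"
  }
}

# General provider: any ref of any repo owned by our org can exchange a token.
# The owner check is essential: token.actions.githubusercontent.com issues
# tokens for every repository on github.com, so a provider with no condition
# would accept tokens from anyone's workflow.
resource "google_iam_workload_identity_pool_provider" "github_any_branch" {
  project                            = local.project
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-any-branch"
  attribute_mapping                  = local.attribute_mapping
  attribute_condition                = "assertion.repository_owner == '${local.gh_org}'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Sensitive provider: same owner check, plus the token must come from a
# workflow running on main. pull_request runs carry refs/pull/N/merge as
# their ref and are rejected here.
resource "google_iam_workload_identity_pool_provider" "github_main_only" {
  project                            = local.project
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-main-only"
  attribute_mapping                  = local.attribute_mapping
  attribute_condition                = "assertion.repository_owner == '${local.gh_org}' && assertion.ref == 'refs/heads/main'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "deploy" {
  project      = local.project
  account_id   = "gha-deploy"
  display_name = "GitHub Actions deploy (main branch only)"
}

# Who may impersonate the deploy SA. IAM principal identifiers name the pool,
# not the provider, so a pool-wide principalSet on attribute.repository would
# also admit a token exchanged through github_any_branch from a feature branch.
# Binding on the exact subject (repo + ref) closes that gap: the provider
# condition is the first gate, this binding is the second. Note that a job
# using a GitHub "environment:" gets a subject of the form
# repo:ORG/REPO:environment:NAME instead and would need its own binding.
resource "google_service_account_iam_member" "deploy_from_main" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/subject/repo:${local.gh_repo}:ref:refs/heads/main"
}

# Full resource name the workflow passes to google-github-actions/auth as
# workload_identity_provider.
output "main_only_provider" {
  value = google_iam_workload_identity_pool_provider.github_main_only.name
}
```

On the GitHub side, the calling job needs `permissions: id-token: write` (plus `contents: read` for checkout), and then a `google-github-actions/auth` step with `workload_identity_provider` set to the provider resource name from the output above and `service_account` set to the service account's email. A job on a feature branch that points at the main-only provider fails at the token-exchange step, because the provider's attribute condition rejects its ref claim.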

What I did

  • Identified the issue
  • Found a solution (Workload Identity Federation)
  • Built and rolled out the solution
  • Supported developers in migrating to the new system
  • Built a reusable workflow for developers to use in their pipelines for easier authentication