How to use Github Actions with Google's Workload Identity Federation

  Рет қаралды 14,152

Google Cloud Tech

Google Cloud Tech

Күн бұрын

Пікірлер: 43
@googlecloudtech
@googlecloudtech Жыл бұрын
Subscribe to Google Cloud Tech → goo.gle/GoogleCloudTech
@barclayiversen376
@barclayiversen376 11 ай бұрын
Excellent video, this was one of the few things chatGPT couldn't clearly explain how to set up.
@TheMomander
@TheMomander 11 ай бұрын
Happy to hear it was useful. Sometimes that human touch is needed.
@timschannel247
@timschannel247 4 ай бұрын
You guys have really good contributions over there, which are very friendly and informative. Especially for example knowing about that information for the exams is really useful. Thank you guys!
@TheMomander
@TheMomander 4 ай бұрын
Happy to hear the video was helpful!
@gb-wj7dg
@gb-wj7dg Жыл бұрын
The documentation on this is kind of lacking. I've tried every variation of setup I can find online and still get a "Permission storage.objects.list denied on resource" error every single time. My service account is properly setup and has the correct permissions/access to my bucket and is connected to my pool. My github secrets are the correct email and provider and they're setup in my workflow file which runs correctly each time. However permission is still denied. I've gone through dozens of stackoverflow and similar threads of people experiencing the same error, tried their solutions and nothing. Pretty frustrating experience when all I'm trying to do is read a couple of CSV files for an app so I don't have to manually download and push them once a week
@TheMomander
@TheMomander Жыл бұрын
Sorry to hear you're getting error messages. I sometimes run into similar errors, especially with Cloud Storage. The strategy that has worked best for me is to temporarily make the service account "Editor" of the project, make sure it works, and then dial back the permissions.
@gb-wj7dg
@gb-wj7dg Жыл бұрын
@@TheMomander thanks for the tip, hadn't seen this specfic role recommended. unfortunately this still produced the same error
@TheMomander
@TheMomander Жыл бұрын
@@gb-wj7dg Sorry to hear it didn't work. Well, at least we know it's not something wrong with the permissions of the service account. If I were you, I'd ask the Google Cloud sub-reddit next. I have seen developers discuss WIF there before.
@gb-wj7dg
@gb-wj7dg Жыл бұрын
@@TheMomander ok thank you, I'll try my luck there
@SaikumarN1993
@SaikumarN1993 15 күн бұрын
I was in the same boat the last couple of days. It is really not clear
@princejeetsingh3984
@princejeetsingh3984 Жыл бұрын
Does the "workload identity provider ID" and "service account" have to be a secret? Can they just be plain text? Would be nice to know the security impications of that? Thanks for the video :)
@lukapuka1296
@lukapuka1296 Жыл бұрын
While they both aren't considered nor contain "secrets" (as in an attacker acquiring them wouldn't be able to do anything in the immediate) my recommendation would still be to treat them sensitively. Both the "workload identity provider id" with project number & the pool id for the given project and SA email itself I would say are sensitive pieces of information.
@lukapuka1296
@lukapuka1296 Жыл бұрын
Great questions btw!
@princejeetsingh3984
@princejeetsingh3984 Жыл бұрын
Thank you :)
@patricknelson
@patricknelson Ай бұрын
​@@lukapuka1296 I think in a public repository, it's probably best to abstract them to variables, but for the purpose of variability and easily cycled out by others who may use the app in conjunction with WIF. However, in a private repository, or more specifically in situations where they will rarely change, these things are perfectly fine to commit and in fact can _benefit_ from visibility in the git commit log. In this case, I see no benefit from a _security_ perspective aside from "security through obscurity," (to be blunt 😅) since knowing the service account that the application is impersonating or which WIF pool it's using shouldn't matter at all unless you can get your code to run in the workload that is being authenticated. That is, it can only be used in the context of the workload itself, (like if you already had push/merge access where your action or pipeline runs), at which point those variables are now exposed anyway. It's authenticating the _workload_ and if your workload is compromised, your secrets are already compromised. That's the beauty of WIF, since it helps to reduce the need for (or even get rid of) secrets at the workload level.
@vinayakumarbendi4145
@vinayakumarbendi4145 10 ай бұрын
@googlecloudtech Is it possible to access Google Cloud assets in one account from another Google Cloud account (belonging to another organisation)? For this use case, when creating a workload identity pool can OIDC be used? If OIDC can be used, what values to use as Provider ID and Issuer (URL) in case of Google Cloud?
@ashotmnatsakanyan1784
@ashotmnatsakanyan1784 10 ай бұрын
Can you make a video on publishing the npm package to the Google Artifact repository? Also, this video is a little bit outdated, and Google documentation is only for the lawyer not for developers. Can you point to the relevant video?
@ravichanderkt326
@ravichanderkt326 Жыл бұрын
Thanks for the wonderful session, it really starts my monday with new learning, will be waiting for more security focused videos.
@TheMomander
@TheMomander Жыл бұрын
Happy to hear that! I agree with you that security is important.
@RFsalman
@RFsalman 6 ай бұрын
The UI shown here is different from the current one, In the grant access with service account impersonation menu, i need to fill in: Select principals (identities that can access the service account): attribute name: ... attribute value:... What should i fill this with ?
@bornok1040
@bornok1040 Жыл бұрын
Can Google's Workload Identity Federation be used if I want my back-end application which is running outside the Google Cloud to access Google APIs such as Calendar API? If not, what's the best solution for doing this in production environment? I don't want to use Service access key.
@lukapuka1296
@lukapuka1296 Жыл бұрын
I typically see Workload Identity Federation used to authenticate workloads looking to access GCP services (not necessarily RESTful API's directly) without storing long lived keys. A close example might be your back-end application (with the assumption that it supports OIDC) using WIF to authenticate to/invoke a private Cloud Run Service (which in theory could have an endpoint deployed to access the Workspace Calendar API).
@sabinadhikari2643
@sabinadhikari2643 7 ай бұрын
Now the UI has changed and there are many other options that we need to fill to Grant Access. Please make a video on that
@netroxtechnologies1268
@netroxtechnologies1268 Жыл бұрын
Beautiful presentation Martin and Luka, how can i get the previous video on service account key?
@TheMomander
@TheMomander Жыл бұрын
Happy to hear you found the video useful. To find the other video, do a KZbin search for "How to deploy Cloud Run services with GitHub Actions".
@sujayjha2690
@sujayjha2690 Жыл бұрын
I am using terraform module in one repository in github and manifest in another repository. When try to run terraform it is unable to authorize module. How can we achieve this with workload identity federation?
@lukapuka1296
@lukapuka1296 Жыл бұрын
I'm not entirely sure I follow the scenario. A few questions I have; How is the terraform module in repo one being used, within a GitHub Actions Workflow file? And how does the manifest in the other repository relate?
@rajenderprasad1193
@rajenderprasad1193 2 ай бұрын
How this will work in reusable workflow repo. I have a repo CICD and configured with WIF. Then I am calling this reusable workflows from other repos which are not configured with WIF. I am getting 403 permissions denied error. Is this even possible??
@peterjkirubagaran
@peterjkirubagaran 6 ай бұрын
is there a document to go through all the provider mapping options?
@TheMomander
@TheMomander 6 ай бұрын
I don't fully understand your question, but if you search for "google cloud workload identity federation" you will get some pretty good results. Do those docs have what you need? If not, please elaborate on what you are looking for and I will try to find it.
@SaikumarN1993
@SaikumarN1993 15 күн бұрын
I suspect his question would be a deeper delivery into the attribute mappings and conditions what they are and how it correlates to the OIDC provider like GitHub samples to better implement it
@peterjkirubagaran
@peterjkirubagaran 15 күн бұрын
@@SaikumarN1993 Exactly... I m unable to find proper doc, what are the parameters can be used for mappings and conditions?
@lokeshmirchi6477
@lokeshmirchi6477 Жыл бұрын
Can we use the WIF approach for Firebase services, such as deploying Firebase Hosting and Firebase functions with GitHub Actions?
@TheMomander
@TheMomander Жыл бұрын
Sorry, I don't believe that's possible yet.
@KanishkaHalder-f8k
@KanishkaHalder-f8k 4 ай бұрын
Great stuff. Would be great if you guys could link the mentioned documentation here for reference. 🥂
@PreciousIbeagi
@PreciousIbeagi Жыл бұрын
When i try to grant access to service account, the option for "All identites in the pool" under select principal is not there.
@lukapuka1296
@lukapuka1296 Жыл бұрын
If you are getting that display it means that when attributes are setup in the Provider setup (ie. attribute.repository), you'll need to select that given attribute and input the matching value (from the GitHub OIDC token) that you'd expect. So if I select the "repository" attribute and the value I input is "MyUser/MyRepo" in the Grant Access step, impersonation will only be successful if the OIDC token exchanged in the GitHub Actions workflow contains that repository value. Essentially this step ensures that only identities with a certain value can authenticate.
@oscarantoniosanchezpena7903
@oscarantoniosanchezpena7903 Жыл бұрын
Excelente, de mucha ayuda
@mazenkhiami9116
@mazenkhiami9116 Ай бұрын
Sounds like Google Engineers played a game to pick only wrong names and ended up with WIF. Good video though
@andresaguilar3996
@andresaguilar3996 9 ай бұрын
outdated
@BristlyBright
@BristlyBright 4 ай бұрын
Good information but way to scripted and cringe to watch. Use your own words and trust the knowledge of the persons talking instead of scripting every word that is said. It is a pain to watch.
Cloud Run user auth for internal apps
15:31
Google Cloud Tech
Рет қаралды 20 М.
UFC 310 : Рахмонов VS Мачадо Гэрри
05:00
Setanta Sports UFC
Рет қаралды 1,1 МЛН
What is Cloud IAM?
9:44
Google Cloud Tech
Рет қаралды 12 М.
Why You NEED To Ditch Service Account Keys NOW
31:08
Chuka Ofili
Рет қаралды 292
Github Actions CI/CD - Everything you need to know to get started
12:21
How to deploy Cloud Run services with GitHub Actions
10:57
Google Cloud Tech
Рет қаралды 23 М.
Service Accounts in Google Cloud - IAM in GCP.
18:49
Cloud Advocate
Рет қаралды 54 М.