# Establish a Secure Connection between GitHub Actions and Google Cloud Platform (GCP) using Workload Identity Federation.

GitHub Actions makes it easy to automate your software development workflows, including building, testing, and deploying your applications to various environments. When deploying to Google Cloud Platform (GCP), you typically need to authenticate with GCP using a service account key. However, managing and rotating these keys can be cumbersome and pose a security risk if the keys are accidentally exposed.

Workload Identity Federation is a feature in GCP that allows you to securely authenticate to GCP services without needing to manage service account keys. Instead, you can use a Google Cloud identity (such as a service account) to grant access to your GitHub Actions workflow, and GCP will automatically authenticate the workflow based on the configured identity.

Here's how to set it up:

1. **Create Workload Identity Federation Pool and Provider in GCP**
    
    * Go to the [IAM & Admin](https://console.cloud.google.com/iam-admin) section and click on [Workload Identity Federation](https://console.cloud.google.com/iam-admin/workload-identity-pools) in the GCP Console and click on "**CREATE POOL**".
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715535430691/1e6a17c6-91af-424e-9187-f69af6a87f02.png align="center")
        
    * Create an identity pool: Specify the required information and click on "**CONTINUE**"
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715535462414/b83a912a-aa28-4d82-a94f-fa4f705bccc8.png align="center")
        
    * Add a provider to pool: select `OpenID Connect (OIDC)` in **Select a provider** and add `https://token.actions.githubusercontent.com` in **Issuer (URL)**
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715535763974/917849ea-874d-40e7-b896-5cd550b03a9d.png align="center")
        
    * **Configure provider attributes** as like this:
        
        ```yaml
        google.subject = assertion.sub
        attribute.repository = assertion.repository
        ```
        
    * Save the pool andprovider
        
        ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715536017307/12ae8424-52cb-454b-91d9-b729010d5078.png align="center")
        
2. **Create a Google Cloud service account**
    

* Go to the [Service Accounts section](https://console.cloud.google.com/iam-admin/serviceaccounts) in the GCP Console.
    
* Click "**Create Service Account.**"
    
* Provide a name for the service account (e.g., "github-actions-sa").
    
* Optionally, you can add a description.
    
* Click "**Create and Continue.**"
    
* On the next screen, skip granting roles for now, and click "**Done**."
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715536254528/77eab40d-fbbb-4eb4-9a99-7c84dcad2029.png align="center")
    

3. **Grant required role to Google Cloud service account**
    
    ```yaml
    roles/iam.workloadIdentityUser
    
    # And Add Annother Role your need to specific task, eg:
    roles/artifactregistry.writer
    ```
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715536443745/d595d3b5-2623-4a30-a5c6-a7541b4a4293.png align="center")
    
    Click on "**DONE**"
    
4. **Update**[Workload Identity Federation](https://console.cloud.google.com/iam-admin/workload-identity-pools) to add service [github-actions-sa@&lt;project\_id&gt;.iam.gserviceaccount.com](mailto:github-actions-sa@hand-on-lab-404211.iam.gserviceaccount.com)
    
    Click on GitHub Actions Display Name
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715536789356/be8b5ac4-da9d-4a46-9b79-aaf81ea9f576.png align="center")
    
    And Click **Grant Access**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715536957930/e126d8fc-e892-4dab-abd9-70d706dc261c.png align="center")
    
    Add your SA email
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715537138569/bc5664b8-12e0-487e-8cfa-4c8f52fba293.png align="center")
    
    Add your GitHub Repository like this: `github_account/github_repository` and Click on "**SAVE**" in the popup page, click on **DISMISS**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715537251607/c65c6a66-8443-401f-85ff-d7ac961ba7e2.png align="center")
    
    Your provider **CONNECTED SERVICE ACCOUNTS** should look like this
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715537654080/6eec0b47-4345-45dc-a580-e6644f26f0c2.png align="center")
    
5. **Use Workload Identity Federation in your GitHub Actions workflow**
    
    Copy Pool ID and Provider ID in [Workload Identity Federation](https://console.cloud.google.com/iam-admin/workload-identity-pools) in this case is `github-actions` and `github-actions-provide`r
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715537826490/99198a17-15af-4aac-872d-9fa15e7f80b3.png align="center")
    

* In your GitHub repository, create a new workflow file (e.g., `.github/workflows/upload.yml`).
    
* In the workflow file, add the following step to authenticate with GCP using Workload Identity Federation: change `<GCP_PROJECT_NUMBER>` and `<GCP_PROJECT_ID>`
    
    ```yaml
          - id: 'auth'
            name: 'Authenticate Google Cloud'
            uses: 'google-github-actions/auth@v1'
            with:
              create_credentials_file: true
              workload_identity_provider: 'projects/<GCP_PROJECT_NUMBER>/locations/global/workloadIdentityPools/github-actions/providers/github-actions-provider'
              service_account: 'github-actions-sa@$<GCP_PROJECT_ID>.iam.gserviceaccount.com'
    ```
    
    Replace the `workload_identity_provider` value with the one you configured in step 3, and the `service_account` value with the email address of the service account you created in step 2.
    
* After the authentication step, you can use the authenticated context to interact with GCP services, such as deploying to Cloud Run, uploading files to Cloud Storage, or running commands on Compute Engine instances
    

**Full code exemple:** [https://github.com/devsahamerlin/employees-managements-api](https://github.com/devsahamerlin/employees-managements-api)

**Congratulations**! By using Workload Identity Federation, you no longer need to manage and rotate service account keys manually. GCP will automatically authenticate your GitHub Actions workflow based on the configured identity, providing a more secure and convenient way to authenticate to GCP services.

**Note** that, this is a high-level overview of the process, and you may need to adjust the configuration based on your specific requirements and GCP project setup.
