This repository demonstrates two different approaches for authenticating GitHub Actions workflows with Google Cloud Platform (GCP), highlighting the security and operational differences between traditional service account key authentication and modern Workload Identity Federation.
File: .github/workflows/default-login.yml
Method: Uses long-lived service account JSON keys stored as GitHub secrets.
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
project_id: ${{ secrets.GCP_PROJECT_ID }}File: .github/workflows/sre-day-demo-wif.yml
Method: Uses short-lived tokens through OpenID Connect (OIDC) without storing long-lived credentials.
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.GCP_WFI_PROVIDER }}
service_account: ${{ vars.GCP_WFI_SERVICE_ACCOUNT }}| Aspect | Service Account Keys | Workload Identity Federation |
|---|---|---|
| Security | ❌ Long-lived credentials at risk | ✅ Short-lived tokens (ephemeral) |
| Key Management | ❌ Manual rotation required | ✅ Automatic token generation |
| Secret Storage | ❌ JSON keys in GitHub Secrets | ✅ No sensitive data stored |
| Compromise Risk | ❌ High (permanent access if leaked) | ✅ Low (time-bounded access) |
| Setup Complexity | ✅ Simple initial setup | |
| Compliance | ❌ Less compliant with zero-trust | ✅ Zero-trust security model |
- No long-lived secrets: Eliminates the risk of credential leakage
- Time-bounded access: Tokens automatically expire
- Principle of least privilege: Fine-grained access control
- Audit trail: Better logging and monitoring capabilities
- No key rotation: Eliminates manual credential management
- Simplified secrets management: Fewer sensitive values to store
- Enhanced compliance: Meets modern security standards
- Reduced attack surface: No persistent credentials to compromise
# GitHub Secrets needed:
GCP_SA_KEY # Service account JSON key
GCP_PROJECT_ID # GCP project identifier# GitHub Variables needed:
GCP_WFI_PROVIDER # Workload Identity Provider resource name
GCP_WFI_SERVICE_ACCOUNT # Service account email
# GCP Configuration:
# 1. Workload Identity Pool
# 2. Workload Identity Provider (GitHub OIDC)
# 3. Service Account with WIF bindingBoth workflows are configured to trigger on:
- Push events to any branch
- Production environment (WIF workflow only)
Both workflows require minimal GitHub permissions:
permissions:
contents: read # Read repository contents
id-token: write # Generate OIDC tokens (essential for WIF)- Assess current usage: Identify all workflows using service account keys
- Set up Workload Identity Federation: Configure GCP resources
- Update workflows: Replace credential-based auth with WIF
- Test thoroughly: Validate authentication in non-production first
- Remove old secrets: Clean up service account keys from GitHub Secrets
Both workflows include verification commands to confirm successful authentication:
gcloud auth list # Show authenticated accounts
gcloud config get-value project # Display current project- WIF Setup: Requires proper configuration of Workload Identity Pool and Provider in GCP
- Environment Gates: WIF workflow uses production environment for additional security
- Token Scope: WIF tokens are automatically scoped to the configured service account permissions
- Backward Compatibility: Legacy method remains functional but is not recommended for new implementations
- Use Workload Identity Federation for all new workflows
- Migrate existing workflows from service account keys
- Implement environment protection rules for production workflows
- Monitor and audit authentication events regularly
- Follow principle of least privilege for service account permissions
This demo showcases the evolution from traditional credential-based authentication to modern, secure, and zero-trust authentication patterns in cloud-native CI/CD pipelines.