Add support for Direct Workload Identity auth #348
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
sethvargo
force-pushed
the
sethvargo/direct_wif
branch
3 times, most recently
from
e0bae7c
to
d605844
Compare
This is already applied, even though google-github-actions/auth#348 isn't merged. We should probably merge this since it isn't introducing something net new.
sethvargo
force-pushed
the
sethvargo/direct_wif
branch
from
d605844
to
a4e714a
Compare
sethvargo
force-pushed
the
sethvargo/direct_wif
branch
19 times, most recently
from
352bdd6
to
3d8df9f
Compare
sethvargo
force-pushed
the
sethvargo/direct_wif
branch
7 times, most recently
from
77d08a5
to
cecd853
Compare
This adds a new authentication mode, Direct Workload Identity Federation. This new mode permits authenticating to Google Cloud directly using the GitHub Actions OIDC token instead of proxying through a Google Cloud Service Account.
sethvargo
force-pushed
the
sethvargo/direct_wif
branch
from
cecd853
to
1daa3db
Compare
| @@ -0,0 +1,122 @@ | |||
| // Copyright 2023 Google LLC | |||
There was a problem hiding this comment.
Will move this to actions-utils after it's been battle-tested
## What's Changed * Add support for Direct Workload Identity auth by @sethvargo in #348 * Add protection for release branches by @sethvargo in #351 * Make auth universe-aware by @sethvargo in #352 * Fix some examples to include project_id by @sethvargo in #353 **Full Changelog**: v1.2.0...0a2edc1
|
Is there further reading here? The direct vs service princiapl distinction isn't mentioned anywhere I've seen |
|
It's a new feature and it seems to be mostly undocumented at the moment. It is implied by the documentation here: https://cloud.google.com/iam/docs/principal-identifiers#v1\ Effectively, it is now possible to authorize a workload/workforce identity pool principal directly, without the need to impersonate a service account. It is broadly supported across GCP products, but not yet completely, which may explain the lack of documentation at the moment. |
I am currently seeking clarification regarding the specific Google Cloud resources that do not support principalSet identities. Unfortunately, I have not been able to find detailed information on this topic in the official Google Cloud documentation. |
|
After this PR, this bit in the README is misleading/incomplete:
This makes it seem like if you specify |
|
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [google-github-actions/auth](https://togithub.com/google-github-actions/auth) | action | major | `v1.3.0` -> `v2.0.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>google-github-actions/auth (google-github-actions/auth)</summary> ### [`v2.0.0`](https://togithub.com/google-github-actions/auth/releases/tag/v2.0.0) [Compare Source](https://togithub.com/google-github-actions/auth/compare/v1.3.0...v2.0.0) **⚠️ This version requires Node 20 or later on the runner!** If you are using GitHub-managed runners, no action is needed. If you are using self-hosted runners, make sure the system version of Node is version 20 or higher. ##### What's Changed - Add support for Direct Workload Identity auth by [@​sethvargo](https://togithub.com/sethvargo) in [google-github-actions/auth#348 - Add protection for release branches by [@​sethvargo](https://togithub.com/sethvargo) in [google-github-actions/auth#351 - Make auth universe-aware by [@​sethvargo](https://togithub.com/sethvargo) in [google-github-actions/auth#352 - Fix some examples to include project_id by [@​sethvargo](https://togithub.com/sethvargo) in [google-github-actions/auth#353 - Release: v2.0.0 by [@​google-github-actions-bot](https://togithub.com/google-github-actions-bot) in [google-github-actions/auth#355 **Full Changelog**: google-github-actions/auth@v1...v2.0.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/parca-dev/parca-agent). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44Ny4yIiwidXBkYXRlZEluVmVyIjoiMzcuODcuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
](https://renovatebot.com){kind=link}
This adds a new authentication mode, Direct Workload Identity Federation. This new mode permits authenticating to Google Cloud directly using the GitHub Actions OIDC token instead of proxying through a Google Cloud Service Account.