Add support for Direct Workload Identity auth #348
This is already applied, even though google-github-actions/auth#348 isn't merged. We should probably merge this since it isn't introducing something net new.
One comment about missing output documentation for auth_token
This adds a new authentication mode, Direct Workload Identity Federation. This new mode permits authenticating to Google Cloud directly using the GitHub Actions OIDC token instead of proxying through a Google Cloud Service Account.
@@ -0,0 +1,122 @@ | |||
// Copyright 2023 Google LLC |
Will move this to actions-utils after it's been battle-tested
## What's Changed

* Add support for Direct Workload Identity auth by @sethvargo in #348
* Add protection for release branches by @sethvargo in #351
* Make auth universe-aware by @sethvargo in #352
* Fix some examples to include project_id by @sethvargo in #353

**Full Changelog**: v1.2.0...0a2edc1
Is there further reading here? The direct vs service principal distinction isn't mentioned anywhere I've seen
It's a new feature and it seems to be mostly undocumented at the moment. It is implied by the documentation here: https://cloud.google.com/iam/docs/principal-identifiers#v1 Effectively, it is now possible to authorize a workload/workforce identity pool principal directly, without the need to impersonate a service account. It is broadly supported across GCP products, but not yet completely, which may explain the lack of documentation at the moment.
I am currently seeking clarification regarding the specific Google Cloud resources that do not support principalSet identities. Unfortunately, I have not been able to find detailed information on this topic in the official Google Cloud documentation.
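The two token flows that the PR description contrasts (direct federation versus proxying through a service account), together with the principalSet member string the comment above refers to, reconstructed as an added example. This is not code from google-github-actions/auth or from any participant in the thread; it uses the public Google STS token-exchange and IAM Credentials generateAccessToken REST endpoints, and every value named EXAMPLE_* or in SAMPLE_BINDINGS is a constructed placeholder. The principalSet format assumes the provider's attribute mapping includes attribute.repository=assertion.repository.

```python
"""Direct Workload Identity Federation vs. service-account impersonation.

Added example, not code from google-github-actions/auth. It reconstructs
the two token flows the PR description contrasts, against the public
Google STS and IAM Credentials REST endpoints, and shows the IAM member
string that authorizes a pool principal directly. Values named EXAMPLE_*
are constructed placeholders, not real project or pool identifiers.
"""
import json
import urllib.request
from typing import Optional

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
GENERATE_TOKEN_URL = (
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
    "{sa}:generateAccessToken"
)
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed placeholders for the federation setup.
EXAMPLE_PROJECT_NUMBER = "123456789012"
EXAMPLE_POOL = "github-pool"
EXAMPLE_PROVIDER = (
    f"projects/{EXAMPLE_PROJECT_NUMBER}/locations/global/workloadIdentityPools/"
    f"{EXAMPLE_POOL}/providers/github-provider"
)


def sts_exchange_request(provider: str, github_oidc_token: str) -> dict:
    """JSON body of the STS token exchange. Both modes start here: the GitHub
    Actions OIDC token is swapped for a Google federated access token."""
    return {
        "audience": f"//iam.googleapis.com/{provider}",
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": CLOUD_PLATFORM_SCOPE,
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": github_oidc_token,
    }


def impersonation_request(service_account: str, federated_token: str) -> tuple:
    """Second hop used only by the service-account mode: the federated token
    authenticates a generateAccessToken call, which returns a token that acts
    as the service account. Direct mode skips this hop entirely."""
    url = GENERATE_TOKEN_URL.format(sa=service_account)
    headers = {"Authorization": f"Bearer {federated_token}"}
    body = {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": "3600s"}
    return url, headers, body


def post_json(url: str, body: dict, headers: Optional[dict] = None) -> dict:
    """Minimal HTTPS POST helper (network call; not exercised offline)."""
    data = json.dumps(body).encode()
    all_headers = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method="POST", headers=all_headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def acquire_token(github_oidc_token: str, provider: str,
                  service_account: Optional[str] = None) -> str:
    """Run the exchange end to end. With service_account=None this is the
    direct mode: the federated token itself is what calls Google Cloud APIs."""
    sts = post_json(STS_TOKEN_URL, sts_exchange_request(provider, github_oidc_token))
    federated = sts["access_token"]
    if service_account is None:
        return federated
    url, headers, body = impersonation_request(service_account, federated)
    return post_json(url, body, headers)["accessToken"]


def repo_principal_set(project_number: str, pool_id: str, owner_repo: str) -> str:
    """IAM member that authorizes every workflow of one repository directly,
    with no service account in between. Assumes the provider maps
    attribute.repository=assertion.repository."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
        f"workloadIdentityPools/{pool_id}/attribute.repository/{owner_repo}"
    )


def overly_broad_members(bindings: list) -> list:
    """Return (role, member) pairs that grant a role to an entire pool
    (trailing '/*'), i.e. to every identity any provider in the pool can
    mint, rather than to a repository- or subject-scoped principal."""
    found = []
    for binding in bindings:
        for member in binding.get("members", []):
            if member.startswith("principalSet://") and member.endswith("/*"):
                found.append((binding["role"], member))
    return found


# Constructed sample bindings in the shape returned by getIamPolicy.
SAMPLE_BINDINGS = [
    {"role": "roles/storage.objectViewer",
     "members": [repo_principal_set(EXAMPLE_PROJECT_NUMBER, EXAMPLE_POOL,
                                    "example-org/example-repo")]},
    {"role": "roles/editor",
     "members": [f"principalSet://iam.googleapis.com/projects/{EXAMPLE_PROJECT_NUMBER}"
                 f"/locations/global/workloadIdentityPools/{EXAMPLE_POOL}/*"]},
]

if __name__ == "__main__":
    for role, member in overly_broad_members(SAMPLE_BINDINGS):
        print(f"pool-wide binding: {role} -> {member}")
```

The point of `overly_broad_members` is the review check that matters once principals are authorized directly: the role binding, not a service account's IAM policy, is now the only thing scoping what a workflow can do, so a binding on the whole pool (`/*`) hands the role to every repository the provider's attribute condition admits.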
After this PR, this bit in the README is misleading/incomplete:
This makes it seem like if you specify
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [google-github-actions/auth](https://togithub.com/google-github-actions/auth) | action | major | `v1.3.0` -> `v2.0.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>google-github-actions/auth (google-github-actions/auth)</summary>

### [`v2.0.0`](https://togithub.com/google-github-actions/auth/releases/tag/v2.0.0)

[Compare Source](https://togithub.com/google-github-actions/auth/compare/v1.3.0...v2.0.0)

**⚠️ This version requires Node 20 or later on the runner!** If you are using GitHub-managed runners, no action is needed. If you are using self-hosted runners, make sure the system version of Node is version 20 or higher.

##### What's Changed

- Add support for Direct Workload Identity auth by [@sethvargo](https://togithub.com/sethvargo) in google-github-actions/auth#348
- Add protection for release branches by [@sethvargo](https://togithub.com/sethvargo) in google-github-actions/auth#351
- Make auth universe-aware by [@sethvargo](https://togithub.com/sethvargo) in google-github-actions/auth#352
- Fix some examples to include project_id by [@sethvargo](https://togithub.com/sethvargo) in google-github-actions/auth#353
- Release: v2.0.0 by [@google-github-actions-bot](https://togithub.com/google-github-actions-bot) in google-github-actions/auth#355

**Full Changelog**: google-github-actions/auth@v1...v2.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/parca-dev/parca-agent).