
GCP OIDC

Follow these steps to authenticate Terrateam against GCP.

1. Create a new GCP Service Account

A service account is used to create your cloud resources.

Create Service Account

1. Navigate to Service Accounts in the GCP console

2. Select an existing project or the one you created in the previous step

3. Click CREATE SERVICE ACCOUNT

4. Service account name: terrateam

5. Click CREATE AND CONTINUE

6. Grant this service account access to project: Select a role

Choose Project Editor

Project Editor is a predefined GCP IAM role.

Permissions for this role include view, create, update, and delete for most Google Cloud resources.

This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

7. Click DONE

2. GCP Identity Federation Setup

Configure GCP to allow GitHub Actions to communicate with it using OpenID Connect.

See the official GitHub documentation for detailed instructions.


1. Navigate to Workload Identity Pools in the GCP console

2. Select GET STARTED

3. Create an identity pool

Name: Terrateam

Pool ID: terrateam

4. Select CONTINUE

5. Add a provider to pool

Select a provider: OpenID Connect (OIDC)

Provider details: Terrateam

Provider ID: terrateam

Issuer (URL): https://token.actions.githubusercontent.com

6. Select CONTINUE

7. Configure provider attributes

google.subject: assertion.sub

attribute.actor: assertion.actor

attribute.aud: assertion.aud

8. Select SAVE

9. Select the Terrateam workload identity pool

10. Select GRANT ACCESS

11. Select service account

Service account: Terrateam

12. Configure your application: select DISMISS
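The attribute mapping in step 7 decides which token claims GCP will see as the federated identity, and it is also where a repository restriction (an attribute condition) would be enforced. The following is an added example, not part of the Terrateam documentation or GCP's code: it replays the page's mapping (google.subject, attribute.actor, attribute.aud) against a constructed GitHub Actions token payload, checks the audience the google-github-actions/auth step requests, and shows how an attribute condition on the repository claim changes the outcome. The CEL evaluation is simplified to bare assertion.<claim> references, and the project number 123456789012 and repository names are made up.

```python
import re

ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample claims of a GitHub Actions OIDC token (payload only, no
# signature). Real tokens are signed JWTs; GCP verifies the signature against
# the issuer's keys before any mapping runs.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "repo:example-org/infra:ref:refs/heads/main",
    "aud": ("https://iam.googleapis.com/projects/123456789012/locations/global/"
            "workloadIdentityPools/terrateam/providers/terrateam"),
    "actor": "octocat",
    "repository": "example-org/infra",
    "ref": "refs/heads/main",
}

# The mapping configured in step 7: Google attribute -> assertion.<claim>.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.aud": "assertion.aud",
}


def apply_mapping(claims, mapping):
    """Resolve each assertion.<claim> reference against the token claims.

    Simplified stand-in for the CEL expressions GCP evaluates; only bare
    claim references are supported, which is all the page's mapping uses.
    """
    mapped = {}
    for attr, expr in mapping.items():
        m = re.fullmatch(r"assertion\.([A-Za-z0-9_]+)", expr)
        if not m:
            raise ValueError(f"unsupported mapping expression: {expr}")
        claim = m.group(1)
        if claim not in claims:
            raise KeyError(f"token lacks claim {claim!r} required for {attr}")
        mapped[attr] = claims[claim]
    if "google.subject" not in mapped:
        raise ValueError("the mapping must define google.subject")
    return mapped


def provider_audience(project_number, pool_id="terrateam", provider_id="terrateam"):
    """Default audience GCP expects in the token: the provider resource name
    prefixed with https://iam.googleapis.com/ (google-github-actions/auth
    requests the token with exactly this audience)."""
    return (f"https://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def evaluate_token(claims, project_number, allowed_repositories=None):
    """Return (accepted, reason, mapped_attributes).

    allowed_repositories stands in for an attribute condition such as
    assertion.repository in ['example-org/infra']. None models the page's
    setup, which configures no condition, so any repository whose token
    carries the right audience is accepted.
    """
    if claims.get("iss") != ISSUER:
        return False, "unexpected issuer", {}
    mapped = apply_mapping(claims, ATTRIBUTE_MAPPING)
    if mapped["attribute.aud"] != provider_audience(project_number):
        return False, "audience does not match this provider", mapped
    if allowed_repositories is not None and claims.get("repository") not in allowed_repositories:
        return False, "repository not permitted by attribute condition", mapped
    return True, "ok", mapped


if __name__ == "__main__":
    for repos in (None, {"example-org/infra"}, {"other-org/app"}):
        ok, why, attrs = evaluate_token(SAMPLE_CLAIMS, "123456789012", repos)
        print(f"condition={repos!r}: accepted={ok} ({why}) "
              f"subject={attrs.get('google.subject')}")
```

Running the script shows the same token accepted with no condition and with a matching repository condition, and rejected when the condition names a different repository; the google.subject value is the full repo:...:ref:... string from the sub claim, which is what appears in GCP audit logs for the federated principal.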

3. Modify the Terrateam GitHub Workflow File

The GitHub workflow file is required to execute the Terrateam GitHub Action.

This file must exist in your Terraform repository's default branch at .github/workflows/terrateam.yml.

Workflow File

💡 OIDC configuration requires attention to detail. Please carefully review the instructions below.

Navigate to the GCP Console and note your Project number and Project ID. These values are different!

Replace the following in the file below:

  • workload_identity_provider

projects/YOUR-PROJECT-NUMBER/locations/global/workloadIdentityPools/terrateam/providers/terrateam

  • service_account

terrateam@YOUR-PROJECT-ID.iam.gserviceaccount.com

  • project_id

YOUR-PROJECT-ID

##########################################################################
# DO NOT MODIFY
#
# THIS FILE SHOULD LIVE IN .github/workflows/terrateam.yml
#
# Looking for the Terrateam configuration file? .terrateam/config.yml.
#
# See https://docs.terrateam.io/configuration/overview for details
##########################################################################
name: 'Terrateam Workflow'
on:
  workflow_dispatch:
    inputs:
      # The work-token is automatically passed in by the Terrateam backend
      work-token:
        description: 'Work Token'
        required: true
      api-base-url:
        description: 'API Base URL'
jobs:
  terrateam:
    permissions: # Required to pass credentials to the Terrateam action
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    name: Terrateam Action
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
        with:
          create_credentials_file: 'true'
          workload_identity_provider: 'projects/<project-number>/locations/global/workloadIdentityPools/terrateam/providers/terrateam'
          service_account: 'terrateam@<project-id>.iam.gserviceaccount.com'
          project_id: '<project-id>'
      - name: Run Terrateam Action
        id: terrateam
        uses: terrateamio/action@v1 # Do not replace with a custom image. Doing so may cause Terrateam to not operate as intended.
        with:
          work-token: '${{ github.event.inputs.work-token }}'
          api-base-url: '${{ github.event.inputs.api-base-url }}'
        env:
          SECRETS_CONTEXT: ${{ toJson(secrets) }}
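The three values substituted into the auth step are the usual source of OIDC setup failures: the workload_identity_provider path takes the numeric project number, while service_account and project_id take the project ID. The check below is an added example, not Terrateam's or Google's code; it validates the auth step's with: values and the job's permissions block, passed in as plain dicts, and reports leftover placeholders, a project ID used where the project number belongs, a service account in a different project, or a missing id-token: write. The sample values (project number 123456789012, project ID my-project-123) are constructed.

```python
import re

# Project numbers are all digits; project IDs are 6-30 chars of lowercase
# letters, digits and hyphens, starting with a letter and not ending in a hyphen.
PROJECT_NUMBER_RE = re.compile(r"^\d{6,}$")
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
WIP_RE = re.compile(
    r"^projects/(?P<number>[^/]+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$")
SA_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]{4,28})@(?P<project>[^.]+)\.iam\.gserviceaccount\.com$")
# Template placeholders from the page that must not survive into a real workflow.
PLACEHOLDER_RE = re.compile(r"<[^>]*>|YOUR-PROJECT")

# Constructed sample of a correctly filled-in auth step and job permissions.
GOOD_WITH = {
    "create_credentials_file": "true",
    "workload_identity_provider": ("projects/123456789012/locations/global/"
                                   "workloadIdentityPools/terrateam/providers/terrateam"),
    "service_account": "terrateam@my-project-123.iam.gserviceaccount.com",
    "project_id": "my-project-123",
}
GOOD_PERMISSIONS = {"id-token": "write", "contents": "read"}


def check_auth_step(with_block, permissions):
    """Return a list of problems with the auth step's `with:` values and the
    job's `permissions:` block (both dicts). An empty list means no problems."""
    problems = []
    wip = with_block.get("workload_identity_provider", "")
    sa = with_block.get("service_account", "")
    project_id = with_block.get("project_id", "")

    for key, value in (("workload_identity_provider", wip),
                       ("service_account", sa), ("project_id", project_id)):
        if not value:
            problems.append(f"{key} is missing")
        elif PLACEHOLDER_RE.search(value):
            problems.append(f"{key} still contains a placeholder: {value}")
    if problems:
        return problems  # no point validating formats of unfilled values

    m = WIP_RE.match(wip)
    if not m:
        problems.append("workload_identity_provider is not a "
                        "projects/.../locations/global/workloadIdentityPools/.../providers/... name")
    elif not PROJECT_NUMBER_RE.match(m.group("number")):
        problems.append("workload_identity_provider must use the project NUMBER, "
                        f"got {m.group('number')!r}")

    if not PROJECT_ID_RE.match(project_id):
        problems.append(f"project_id {project_id!r} is not a valid project ID")

    s = SA_RE.match(sa)
    if not s:
        problems.append("service_account is not <name>@<project-id>.iam.gserviceaccount.com")
    elif s.group("project") != project_id:
        problems.append(f"service_account project {s.group('project')!r} "
                        f"differs from project_id {project_id!r}")

    # Without id-token: write the runner cannot mint the OIDC token at all.
    if permissions.get("id-token") != "write":
        problems.append("job permissions must include id-token: write for OIDC")
    return problems


if __name__ == "__main__":
    for label, w in (("filled in", GOOD_WITH),
                     ("template", dict(GOOD_WITH, project_id="<project-id>"))):
        print(label, check_auth_step(w, GOOD_PERMISSIONS) or "ok")
```

Feed it the values you intend to commit before pushing the workflow; the number-versus-ID mix-up in particular produces an opaque token exchange error from GCP rather than a clear message.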

4. GCP Provider Configuration

The official google-github-actions/auth GitHub Action creates short-lived credentials using GitHub's OIDC provider and configures them for use in the Terrateam action.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "<PROJECT_ID>"
  region  = "us-central1"
  zone    = "us-central1-c"
}