GitHub OIDC and Google Identity Federation

  • date added 19. 07. 2024
  • GitHub Action Here → • Multiple GCP Service A...
    In this previous tutorial • GitHub Workflow and Wo... I go through many concepts in less than 8 minutes. Even though everything is defined as code, I have to admit that it's probably too much for just 8 minutes. So in today's video I decided to proceed with a less scripted approach so that I can show all steps; please bear with me if it's a slower-paced video.
    Links:
    Google STS API token method: cloud.google.com/iam/docs/ref...
    Google iamcredentials API generateAccessToken method: cloud.google.com/iam/docs/ref...
    Google Principal Identifiers: cloud.google.com/iam/docs/pri...
    GitHub OIDC Hardening: docs.github.com/en/actions/de...
    GitHub OIDC and configuration in Google Cloud: docs.github.com/en/actions/de...
    GitHub Subject claim examples: docs.github.com/en/actions/de...
    WHO AM I:
    Hey friends, welcome to my CZcams channel / outofdevops . If you're new here, my name is Anto; here I talk about software engineering and software engineers. Don't forget to comment, like and subscribe 👍🏻.
    CZcams GEAR:
    🎥 My CZcams Camera Gear - kit.co/outofdevops
    MY SOCIAL LINKS:
    🐦 Twitter - / outofdevops
    📘 Facebook - / outofdevops
    📰 My blog - amasucci.com
    📸 Instagram - / outofdevops
    GET IN TOUCH:
    If you’d like to talk, I’d love to hear from you. Tweeting @OutOfDevOps directly will be the quickest way to get a response, but if your question is very long, feel free to email me at hi@OutOfDevOps.com.
    PS: Some of the links in this description are affiliate links that I get a kickback from 😜

Comments • 14

  • @OutOfDevOps
    @OutOfDevOps  A year ago +1

    I made another video using the google-github-action/auth
    czcams.com/video/9e_ByRt_nCc/video.html

  • @antonpopov3650
    @antonpopov3650 A year ago +2

    This has been extremely useful. I am using this knowledge to put together a PoC to solve an important problem at work. The quality of production is amazing. Thank you Anto!

    • @OutOfDevOps
      @OutOfDevOps  A year ago

      Glad you found it useful. Thank you so much!!!

  • @davidgomez3213
    @davidgomez3213 A year ago +1

    Amazing! Thanks !

  • @arcangeloguerriero8206
    @arcangeloguerriero8206 A year ago +1

  • @gokulap
    @gokulap A year ago +1

    Hello, I need to use this workload identity on any of my GitHub org repos. How can I allow only my GitHub org repos to use this workload identity, while other repos outside of it should not be able to access it?

    • @OutOfDevOps
      @OutOfDevOps  A year ago +1

      Hi Gokul, I made another video where I use the Google Auth GitHub action here:
      czcams.com/video/9e_ByRt_nCc/video.html
      I recommend watching the entire video, but in part four I show the configuration on the Google side; the bit you are interested in is where I use the workflow_ref. You can also use other claims from the token as documented here: docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token. The one specific to the GitHub org is repository_owner.
      Hope this helps.
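      One way to set up the org-only restriction described in this reply, as an added example that is not from the video or its author. The project number, pool, provider, org and service-account names are placeholder assumptions, and the two gcloud commands only run when the script is invoked with `apply`:

```shell
# Added example: restrict a Google Workload Identity Federation provider so
# that only GitHub repositories owned by one org can impersonate the service
# account. Every value below is a placeholder assumption, not from the video.
PROJECT_NUMBER="123456789012"            # assumed GCP project number
POOL="github-pool"                       # assumed workload identity pool id
PROVIDER="github-provider"               # assumed provider id
GITHUB_ORG="my-org"                      # assumed GitHub organisation
SA_EMAIL="test-wif-sa@my-project.iam.gserviceaccount.com"  # assumed SA

# Attribute mapping: google.subject is mandatory; repository_owner is the
# org-level claim, workflow_ref pins a specific workflow file and ref.
attribute_mapping() {
  printf '%s' "google.subject=assertion.sub,attribute.repository_owner=assertion.repository_owner,attribute.workflow_ref=assertion.workflow_ref"
}

# Attribute condition (CEL): a token whose repository_owner claim is not the
# org is rejected by the STS token exchange, before any SA impersonation.
attribute_condition() {
  printf "assertion.repository_owner == '%s'" "$1"
}

# principalSet matching every identity in the pool whose mapped
# repository_owner equals the org; bind this rather than the whole pool.
principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository_owner/%s' "$1" "$2" "$3"
}

create_provider() {
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --location=global \
    --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="$(attribute_mapping)" \
    --attribute-condition="$(attribute_condition "$GITHUB_ORG")"
}

bind_service_account() {
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(principal_set "$PROJECT_NUMBER" "$POOL" "$GITHUB_ORG")"
}

# Only call gcloud when explicitly asked: sh wif-org-restrict.sh apply
if [ "${1:-}" = "apply" ]; then
  create_provider
  bind_service_account
fi
```

      With both pieces in place, a token from a repository outside the org fails at the token exchange even if someone copies the pool and provider names into their own workflow.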

    • @gokulap
      @gokulap A year ago +1

      @OutOfDevOps Thank you so much

  • @edarha7183
    @edarha7183 A year ago

    I tried following your instructions, configuring attribute mapping, but I still get the error: my SA doesn't have permission.

    • @OutOfDevOps
      @OutOfDevOps  A year ago

      I made another video using the google-github-action/auth
      czcams.com/video/9e_ByRt_nCc/video.html. Hope it helps.

  • @gokulap
    @gokulap A year ago +1

    Hi, can you make a video on implementing Kubernetes with workload identity, please?

    • @OutOfDevOps
      @OutOfDevOps  A year ago

      Hi Gokul, I will work on it soon. Thanks for the suggestion.

    • @OutOfDevOps
      @OutOfDevOps  A year ago

      Just published this: GKE Workload Identity Example: Use Workload Identity in GKE to fetch data from Google Cloud Storage.
      czcams.com/video/cEPP33ScM3s/video.html

  • @84Jasbir
    @84Jasbir 11 months ago

    Hi, does this service account also need the Service Account Token Creator role? test-wif-sa