% gcloud iam service-accounts create gh-oidc-test-user --description="GitHub OIDC test user" --display-name="gh-oidc-test-user"
Created service account [gh-oidc-test-user].
% gcloud projects add-iam-policy-binding <project-name> --member='serviceAccount:gh-oidc-test-user@<project-name>.iam.gserviceaccount.com' --role='roles/storage.objectViewer'
As a test, let this account look into a GCS bucket.
Configure Workload Identity Federation | IAM documentation | Google Cloud
Describes how to use credentials issued by an external identity provider to impersonate a service account and access Google Cloud resources. This process is called Workload Identity Federation.
% gcloud iam workload-identity-pools create "gh-oidc" \
--description="GitHub Open ID Connect pool" \
--display-name="gh-oidc-pool" \
--location="global"
Created workload identity pool [gh-oidc].
% gcloud iam workload-identity-pools list --location="global"
---
description: GitHub Open ID Connect pool
displayName: gh-oidc-pool
name: projects/<project-id>/locations/global/workloadIdentityPools/gh-oidc
state: ACTIVE
It looks like location is fixed at "global"?
% gcloud iam workload-identity-pools providers create-oidc "gh-oidc-provider" \
--workload-identity-pool="gh-oidc" \
--issuer-uri="https://token.actions.githubusercontent.com/" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
--location="global"
# --attribute-condition="CONDITIONS"
Created workload identity pool provider [gh-oidc-provider].
% gcloud iam workload-identity-pools providers list --workload-identity-pool=$(gcloud iam workload-identity-pools describe "gh-oidc" --location="global" --format="value(name)")
What is attribute-mapping?
What is attribute-condition?
% POOL_ID=$(gcloud iam workload-identity-pools describe "gh-oidc" --location="global" --format="value(name)")
% GH_REPO="<github-repo>"
% SA="gh-oidc-test-user@<project-name>.iam.gserviceaccount.com"
% gcloud iam service-accounts add-iam-policy-binding \
"${SA}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${POOL_ID}/attribute.repository/${GH_REPO}"
% gcloud iam service-accounts get-iam-policy "${SA}"
% gcloud iam workload-identity-pools providers describe "gh-oidc-provider" --location="global" --workload-identity-pool="gh-oidc"
attributeMapping:
  attribute.actor: assertion.actor
  attribute.repository: assertion.repository
  google.subject: assertion.sub
name: projects/<project-id>/locations/global/workloadIdentityPools/gh-oidc/providers/gh-oidc-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com/
state: ACTIVE
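To make the two open questions above concrete (what attribute-mapping and attribute-condition do) and to show how the principalSet:// member in the add-iam-policy-binding command is matched, here is an added Python simulation of the checks the pool provider and IAM perform on a GitHub Actions OIDC token. It is example code, not from these notes or from Google; the claims, the project number 123456789, the repository example-org/example-repo and the owner-restricting condition are all constructed. The real provider verifies the JWT signature against GitHub's JWKS and evaluates the condition as CEL; both are replaced here by a dict of claims and a Python predicate.

```python
# Added example (not part of the original notes): simulate what the Workload
# Identity pool provider does with a GitHub Actions OIDC token, so that
# --attribute-mapping, --attribute-condition and the principalSet:// member
# string can be seen end to end. Signature verification is out of scope; every
# value below is constructed for the example.
import json

POOL = "projects/123456789/locations/global/workloadIdentityPools/gh-oidc"  # constructed project number
PROVIDER = f"{POOL}/providers/gh-oidc-provider"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # value of the token's iss claim

# The --attribute-mapping string from the provider creation command, verbatim.
ATTRIBUTE_MAPPING = (
    "google.subject=assertion.sub,"
    "attribute.actor=assertion.actor,"
    "attribute.repository=assertion.repository"
)

# Constructed claims of a token for a push to main in example-org/example-repo.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": f"https://iam.googleapis.com/{PROVIDER}",  # default audience set by google-github-actions/auth
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "repository_owner": "example-org",
    "actor": "octocat",
    "ref": "refs/heads/main",
}

# What `add-iam-policy-binding --role=roles/iam.workloadIdentityUser
# --member=principalSet://...` leaves on the service account's policy (constructed).
BOUND_MEMBERS = {
    f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/example-org/example-repo",
}


def parse_attribute_mapping(mapping):
    """'google.subject=assertion.sub,...' -> {'google.subject': 'assertion.sub', ...}"""
    pairs = {}
    for item in mapping.split(","):
        target, source = item.split("=", 1)
        pairs[target.strip()] = source.strip()
    return pairs


def map_attributes(claims, mapping):
    """Resolve each 'assertion.<claim>' source against the token's claims.

    google.subject becomes the federated identity's subject; attribute.* values
    are what principalSet:// member strings select on.
    """
    attrs = {}
    for target, source in parse_attribute_mapping(mapping).items():
        if not source.startswith("assertion."):
            raise ValueError(f"only assertion.<claim> sources are handled here: {source}")
        claim = source[len("assertion."):]
        if claim not in claims:
            raise KeyError(f"token lacks claim {claim!r} required for {target}")
        attrs[target] = claims[claim]
    return attrs


def attribute_condition(claims, allowed_owner="example-org"):
    """Stand-in for a CEL --attribute-condition such as
    assertion.repository_owner == "example-org" (hypothetical): a token that
    fails it is rejected by the provider before any IAM binding is consulted."""
    return claims.get("repository_owner") == allowed_owner


def principal_set_member(pool, attrs):
    """Build the member string that the service-account binding must contain."""
    return f"principalSet://iam.googleapis.com/{pool}/attribute.repository/{attrs['attribute.repository']}"


def authorize(claims, mapping=ATTRIBUTE_MAPPING, pool=POOL, provider=PROVIDER,
              bound_members=BOUND_MEMBERS):
    """Return the mapped attributes if the token may impersonate the service
    account, otherwise None: issuer, audience, attribute condition, then
    membership of the binding, in that order."""
    if claims.get("iss") != GITHUB_ISSUER:
        return None
    if claims.get("aud") != f"https://iam.googleapis.com/{provider}":
        return None
    if not attribute_condition(claims):
        return None
    attrs = map_attributes(claims, mapping)
    if principal_set_member(pool, attrs) not in bound_members:
        return None
    return attrs


if __name__ == "__main__":
    print(json.dumps(authorize(SAMPLE_CLAIMS), indent=2))
    # A token minted for a repository under another owner fails the condition.
    foreign = dict(SAMPLE_CLAIMS, repository="someone-else/example-repo",
                   repository_owner="someone-else",
                   sub="repo:someone-else/example-repo:ref:refs/heads/main")
    print(authorize(foreign))
```

The binding in the notes already narrows impersonation to one repository via attribute.repository, so the condition here is a second, independent gate on the provider: it refuses tokens from other owners even if a later binding on some service account is written too loosely.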
Write the following in .github/workflows/gcs.yml
name: gcs
on:
  push:
  workflow_dispatch:
permissions:
  contents: 'read'
  id-token: 'write'
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v3
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/<project-id>/locations/global/workloadIdentityPools/gh-oidc/providers/gh-oidc-provider'
          service_account: 'gh-oidc-test-user@<project-name>.iam.gserviceaccount.com'
      - name: GCS ls
        run: |
          gcloud alpha storage ls 'gs://<sample-bucket-name>/'