Skip to content

Commit

Permalink
Merge pull request #112 from dineshba/workload-identity-gcr-gar
Browse files Browse the repository at this point in the history
Update readme with workload identity based authentication for GCR and GAR
  • Loading branch information
crazy-max authored Feb 3, 2022
2 parents 7948fff + a875dd0 commit 17f28ab
Showing 1 changed file with 92 additions and 12 deletions.
104 changes: 92 additions & 12 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ name: ci

on:
push:
branches: master
branches: main

jobs:
login:
Expand All @@ -64,7 +64,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand Down Expand Up @@ -92,7 +92,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand All @@ -118,7 +118,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand All @@ -142,6 +142,45 @@ jobs:
> Google Container Registry, use the information [on this page](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
> to learn about transitioning to Google Artifact Registry.

You can use either workload identity federation based keyless authentication or service account based authentication.

#### Workload identity federation based authentication

Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GCR. Then use google-github-actions/auth action for authentication using workload identity like below:

```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
token_format: 'access_token'
workload_identity_provider: '<workload_identity_provider>'
service_account: '<service_account>'
- name: Login to GCR
uses: docker/login-action@v1
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
```

> Replace `<workload_identity_provider>` with configured workload identity provider. For steps to configure, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation).

> Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR

#### Service account based authentication

Use a service account with the ability to push to GCR and [configure access control](https://cloud.google.com/container-registry/docs/access-control).
Then create and download the JSON key for this service account and save content of `.json` file
[as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
Expand All @@ -153,7 +192,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand All @@ -170,6 +209,47 @@ jobs:

### Google Artifact Registry (GAR)

You can use either workload identity federation based keyless authentication or service account based authentication.

#### Workload identity federation based authentication

Configure the workload identity federation for github actions in gcloud (for steps, [refer here](https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)). In the steps, your service account should the ability to push to GAR. Then use google-github-actions/auth action for authentication using workload identity like below:

```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
token_format: 'access_token'
workload_identity_provider: '<workload_identity_provider>'
service_account: '<service_account>'
- name: Login to GAR
uses: docker/login-action@v1
with:
registry: <location>-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
```
> Replace `<workload_identity_provider>` with configured workload identity provider

> Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR

> Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
> of the repository where the image is stored.

#### Service account based authentication

Use a service account with the ability to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control).
Then create and download the JSON key for this service account and save content of `.json` file
[as a secret](https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#creating-encrypted-secrets-for-a-repository)
Expand All @@ -181,7 +261,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand Down Expand Up @@ -210,7 +290,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand All @@ -233,7 +313,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand All @@ -260,7 +340,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand Down Expand Up @@ -293,7 +373,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand Down Expand Up @@ -327,7 +407,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand All @@ -353,7 +433,7 @@ name: ci
on:
push:
branches: master
branches: main
jobs:
login:
Expand Down

0 comments on commit 17f28ab

Please sign in to comment.