No More Passwords! OIDC Terraform Module Makes GCP-GitHub Authentication a Breeze

Published at
5/1/2024
Categories
terraform
googlecloud
githubactions
oidc
Author
mangadev

Intro

Hello there! Welcome to our guide on automating OpenID Connect (OIDC) using Terraform with Google Cloud Platform (GCP) to grant access to GitHub Actions.

Overview

In this post, we'll explore the seamless integration of OIDC, enabling GitHub Actions workflows to access GCP resources without the need to store long-lived GCP credentials as GitHub secrets.

Prerequisites

Before we begin, ensure you have the following prerequisites:

  • Terraform CLI installed
  • gcloud CLI installed
  • Access to a Google Cloud Platform (GCP) project
  • Access to a GitHub repository

Next Steps

Let's jump into the configuration process to make this integration work seamlessly.

Setting Up Terraform:

Create a Project Folder: Start by creating a folder for your Terraform configuration and navigate into it:

mkdir terraform-oidc
cd terraform-oidc

Set Terraform Variables: Create a file called variables.tf and paste the following configuration into it:

variable "project" {
  default = "dev-to-oidc" // replace with your project id
}

variable "credentials_file" {
  default = "~/.config/gcloud/application_default_credentials.json" // replace with your credentials path
}

variable "region" {
  default = "us-central1" // replace with your region
}

variable "zone" {
  default = "us-central1-f" // replace with your zone
}

variable "gh_repo" {
  default = "manganellidev/dev-to-oidc-gcp-tf" // replace with your organization/repository
}

Set Terraform Configuration: Create a file called main.tf and paste the following Terraform configuration into it:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "5.27.0"
    }
  }
}

provider "google" {
  // Terraform's file() does not expand "~", so wrap the path in pathexpand().
  // (Alternatively drop the credentials argument entirely and let the provider
  // discover Application Default Credentials on its own.)
  credentials = file(pathexpand(var.credentials_file))
  project     = var.project
  region      = var.region
  zone        = var.zone
}

// enable the IAM Service Account Credentials API; it performs the
// federated-token -> service-account access-token exchange
resource "google_project_service" "iam_credentials_api" {
  project            = var.project
  service            = "iamcredentials.googleapis.com"
  disable_on_destroy = false
}

// create the service account that the workflow will impersonate
// (it gets no key; only the IAM binding below lets GitHub act as it)
resource "google_service_account" "oidc_service_account" {
  project      = var.project
  account_id   = "oidc-service-account"
  display_name = "OIDC Service Account"
  description  = "This service account is used for my application to interact with Google Cloud services."
}

// create and configure oidc resources: the workload identity pool, the
// GitHub OIDC provider inside it, and the workloadIdentityUser binding
module "gh_oidc" {
  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc" // pin the module version in real use
  project_id  = var.project
  pool_id     = "oidc-pool"
  provider_id = "oidc-gh-provider"
  // copy claims from the GitHub token into pool attributes; only mapped
  // attributes can be referenced in IAM bindings
  attribute_mapping = {
    "attribute.repository" = "assertion.repository"
    "google.subject"       = "assertion.sub"
  }
  // only tokens whose repository claim equals var.gh_repo may impersonate
  // the service account; every other GitHub repository is refused here
  sa_mapping = {
    "oidc-service-account" = {
      sa_name   = "projects/${var.project}/serviceAccounts/${google_service_account.oidc_service_account.email}"
      attribute = "attribute.repository/${var.gh_repo}"
    }
  }
}

output "service_account_email" {
  value = google_service_account.oidc_service_account.email
}
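One caveat worth understanding before you apply this: the issuer https://token.actions.githubusercontent.com is shared by every repository on GitHub, so the provider created above will accept a valid token from any repository, and the only thing keeping a stranger's workflow away from your service account is the sa_mapping binding on attribute.repository. Defence in depth is to also put an attribute condition on the provider itself so tokens from outside your organisation are rejected before IAM is even consulted. The block below is an added example, not code from the original post or from the gh-oidc module; it writes the same pool, provider and binding with the google provider's native resources and adds that condition. It assumes the variables.tf and the google_service_account from above; the pool/provider ids are the ones used in the post, and the organisation is derived from var.gh_repo.

```hcl
// Added example (not from the original post): equivalent of module "gh_oidc"
// using native resources, plus an attribute_condition on the provider.

locals {
  // "owner/repo" -> "owner"; assumption: var.gh_repo has that shape
  gh_owner = split("/", var.gh_repo)[0]
}

resource "google_iam_workload_identity_pool" "oidc_pool" {
  project                   = var.project
  workload_identity_pool_id = "oidc-pool"
  display_name              = "GitHub Actions pool"
}

resource "google_iam_workload_identity_pool_provider" "gh_provider" {
  project                            = var.project
  workload_identity_pool_id          = google_iam_workload_identity_pool.oidc_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "oidc-gh-provider"
  display_name                       = "GitHub"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  // Claims from the GitHub token become pool attributes. Only mapped
  // attributes can appear in IAM member strings or in the condition.
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.ref"              = "assertion.ref"
  }

  // Without this line the provider accepts a token from ANY GitHub
  // repository and the IAM binding below is the sole gate. With it, the
  // token exchange itself fails for repositories outside local.gh_owner.
  attribute_condition = "assertion.repository_owner == '${local.gh_owner}'"
}

// Same binding the module's sa_mapping produces: only tokens whose
// repository attribute equals var.gh_repo (any branch) may impersonate the SA.
resource "google_service_account_iam_member" "gh_impersonation" {
  service_account_id = google_service_account.oidc_service_account.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.oidc_pool.name}/attribute.repository/${var.gh_repo}"
}

output "workload_identity_provider" {
  // full resource name, the value the workflow's workload_identity_provider input expects
  value = google_iam_workload_identity_pool_provider.gh_provider.name
}
```

If you use this instead of the module, the workload_identity_provider output saves the "Get Workload Identity Provider" gcloud step later on. To pin deployments to one branch, tighten the condition further (for example `&& assertion.ref == 'refs/heads/main'`) rather than widening the IAM member, since a principalSet member can match only one attribute.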

Initialize Terraform:

terraform init

Login to GCP:

The provider block above reads the Application Default Credentials file, which gcloud auth login alone does not create, so log in twice: once for the gcloud CLI and once for ADC:

gcloud auth login
gcloud auth application-default login

Set target GCP project:

# replace dev-to-oidc with your project id
gcloud config set project dev-to-oidc

Apply Terraform:

terraform apply

# Review the changes, then type yes + enter
# Copy the service account email from the output in the terminal and save it to be used later (e.g [email protected])

Get Workload Identity Provider:

gcloud iam workload-identity-pools providers list --location="global" --workload-identity-pool="oidc-pool"

# Copy the name value and save it to be used later (e.g projects/123123123123/locations/global/workloadIdentityPools/oidc-pool/providers/oidc-gh-provider)

Setting Up GitHub Actions:

Create Github Workflow:

mkdir .github
mkdir .github/workflows
touch .github/workflows/workflow-test.yml
on:
  workflow_call:

  push:
    branches:
      - "main"

jobs:
  auth-oidc:
    runs-on: ubuntu-latest

    # id-token: write is what lets the job request an OIDC token from GitHub;
    # without it the auth step fails. Listing permissions explicitly also
    # drops every other default token permission to none.
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Google Auth
        uses: google-github-actions/auth@v2 # consider pinning to a commit SHA
        with:
          token_format: access_token
          project_id: dev-to-oidc
          service_account: [email protected] # replace with your service account email
          workload_identity_provider: projects/123123123123/locations/global/workloadIdentityPools/oidc-pool/providers/oidc-gh-provider # replace with your WIF provider name

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v2"

      - name: Use gcloud CLI
        run: |
          # prints the impersonated service account; the access token behind it is
          # short-lived and nothing was read from a GitHub secret
          gcloud auth list --filter=status:ACTIVE --format="value(account)"

Testing the Integration:

Commit everything and push to GitHub. The workflow starts automatically on the push to main; you can compare its output with my workflow run.

Also, you can clone my Github repository:

git clone https://github.com/mangadev-dev-to/oidc-gcp-tf.git

Conclusion:

With this Terraform module, you can streamline authentication between GitHub Actions and Google Cloud Platform: the workflow exchanges a short-lived GitHub OIDC token for a Google access token, so no service account key ever has to be created, stored as a GitHub secret, or rotated. Stay tuned for more tips and tricks on optimizing your cloud workflows!


That's it! Happy coding! 🎉🎉🎉
