Workload Identity Federation (WIF) allows external workloads — running on AWS, Azure, GitHub Actions, GitLab CI, or any OIDC/SAML-compliant identity provider — to access GCP resources without service account keys. This is one of the most important security features for multi-cloud and CI/CD pipelines.
Without WIF, external workloads must authenticate using service account keys (JSON files):
Traditional approach (AVOID):
1. Create GCP service account
2. Download JSON key file
3. Store key in GitHub Secrets / AWS Secrets Manager / etc.
4. Application uses key to authenticate to GCP
Problems:
- Key files can leak (git commits, logs, screenshots)
- Keys do not expire by default
- Difficult to rotate across many systems
- No fine-grained audit trail of who used the key
With WIF:
WIF approach (RECOMMENDED):
1. Create GCP service account
2. Create a workload identity pool and provider
3. Map external identity to GCP service account
4. External workload exchanges its native token for a GCP token
5. No key file exists — nothing to leak
```
External Workload (e.g., GitHub Actions)
        │
        │ 1. Obtains an OIDC token from the external IdP
        ▼
GCP Security Token Service (STS)
        │
        │ 2. Validates the token against the workload identity pool
        │ 3. Exchanges it for a short-lived GCP access token
        ▼
GCP Service Account
        │
        │ 4. The workload impersonates the GCP SA
        ▼
GCP Resources (Cloud Storage, BigQuery, etc.)
```
| Component | Purpose |
|---|---|
| Workload Identity Pool | A container for external identity providers |
| Workload Identity Provider | Configuration for a specific IdP (AWS, GitHub, Azure, etc.) |
| Attribute Mapping | Maps external identity claims to GCP attributes |
| Attribute Conditions | Filters which external identities can authenticate |
| Service Account Impersonation | Links the external identity to a GCP service account |
```bash
# 1. Create the workload identity pool (a container for external providers)
gcloud iam workload-identity-pools create github-pool \
    --location="global" \
    --display-name="GitHub Actions Pool" \
    --description="Pool for GitHub Actions OIDC tokens"

# 2. Register GitHub's OIDC issuer as a provider in the pool.
#    The attribute mapping exposes token claims to IAM; the attribute
#    condition rejects tokens whose repository owner is not my-org.
gcloud iam workload-identity-pools providers create-oidc github-provider \
    --location="global" \
    --workload-identity-pool="github-pool" \
    --display-name="GitHub Provider" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.actor=assertion.actor" \
    --attribute-condition="assertion.repository_owner == 'my-org'"

# 3. Allow identities whose mapped attribute.repository is my-org/my-repo to
#    impersonate the service account. PROJECT_NUMBER is the numeric project number.
gcloud iam service-accounts add-iam-policy-binding \
    deploy-sa@my-project.iam.gserviceaccount.com \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/attribute.repository/my-org/my-repo"
```
```yaml
# GitHub Actions workflow fragment (the on: trigger section is not shown)
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # Required so the job can request an OIDC token
      contents: read
    steps:
      # Exchanges the job's OIDC token for a short-lived SA access token via the STS
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
          service_account: 'deploy-sa@my-project.iam.gserviceaccount.com'
      - uses: google-github-actions/setup-gcloud@v2
      # gcloud now uses the federated credentials; no key file is present
      - run: gcloud storage ls
```
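To make the exchange in the diagram concrete, here is an added example (not the lesson's or Google's code) that performs the same STS token exchange `google-github-actions/auth` does, using only the Python standard library, and includes a small local model of the provider's attribute condition and mapping so the principalSet member from the binding above can be checked against sample token claims. The project number, pool and provider names passed in are assumptions, and `map_github_claims` is a simplified stand-in for GCP's CEL evaluation, not its implementation.

```python
# Added example: manual WIF token exchange + local model of the provider's attribute rules
import json
import urllib.request

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                 "serviceAccounts/{sa}:generateAccessToken")
SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def provider_audience(project_number, pool, provider):
    # The STS audience is the provider resource name behind "//iam.googleapis.com/"
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool}/providers/{provider}")

def sts_exchange_body(oidc_jwt, audience):
    # Steps 2-3 of the diagram: RFC 8693 token-exchange request for the GCP STS
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": audience,
        "scope": SCOPE,
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectToken": oidc_jwt,
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
    }

def map_github_claims(claims, project_number, pool, allowed_owner="my-org"):
    # Simplified model (assumption, not GCP's engine): enforce the condition
    # assertion.repository_owner == 'my-org', apply attribute.repository=assertion.repository,
    # and return the principalSet member a binding must name; None means rejected.
    if claims.get("repository_owner") != allowed_owner:
        return None
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/"
            f"global/workloadIdentityPools/{pool}/attribute.repository/{claims['repository']}")

def _post_json(url, body, bearer=None):
    headers = {"Content-Type": "application/json"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_sa_access_token(oidc_jwt, audience, service_account, lifetime="600s"):
    # Step 4: federated STS token -> short-lived access token for the SA (network call)
    federated = _post_json(STS_URL, sts_exchange_body(oidc_jwt, audience))["access_token"]
    sa = _post_json(IAM_CREDS_URL.format(sa=service_account),
                    {"scope": [SCOPE], "lifetime": lifetime}, bearer=federated)
    return sa["accessToken"], sa["expireTime"]
```

Only `get_sa_access_token` talks to Google; the other functions can be exercised offline to check the audience string, the exchange body and which token claims the condition admits.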