github setting up gcp workload identity to be able to access gcp resources

To setup workload identity to access GCP in github, we need to 

1. create workload identity pool

To go Workload Identity and click on Create Pool. We will name this pool "github-pool" and then we are going to add a provider to it. We going to call this - "github-provider". Please ensure github-provider uses OIDC. 


And then for the attribute mapping we going to configure like this 



So we will have attribute mapping 

"google.subnect" - "assertion.sub'

And then for the attribute condition 

assertion.sub.contains('kepungnzai/gcloud-pipeline')

where kepungnzai is my github organization name and gcloud-pipeline is my repository name.

 Alternatively, you can do it via command line:


export PROJECT_ID=YOUR_PROJECT_ID

export POOL_ID="github-pool"

export PROVIDER_ID="github-provider"

gcloud iam workload-identity-pools create $POOL_ID --location="global" --display-name="GitHub Pool"

Next, create provider

gcloud iam workload-identity-pools providers create-oidc $PROVIDER_ID --location="global" --workload-identity-pool=$POOL_ID --display-name="GitHub Provider" --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" --issuer-uri="https://token.actions.githubusercontent.com"


2. create a service account and associated this provider to the service account

gcloud iam service-accounts create github-sa --project="your-project-id" --display-name="GitHub Actions Service Account"

gcloud iam service-accounts add-iam-policy-binding github-sa@your-project-id.iam.gserviceaccount.com --project="your-project-id" --role="roles/iam.workloadIdentityUser" --member="principalSet://iam.googleapis.com/projects/your-project-number/locations/global/workloadIdentityPools/github-pool/*"

4. grant access permission to the service account

Technically this what you should be doing next. But you don't have an idea what the principal would look like. What i mean by principal here? After you get authenticated, you get a principal with github repo owner name that looks like this. But it is hard to figure this out sometimes, but hopefully this provide you with a better idea of what it might look like after you authenticated with github actions

What does the authenticated service principal account looks like?

principal://iam.googleapis.com/projects/PROJECT-NUMBER/locations/global/workloadIdentityPools/github-pool/subject/repo:kepungnzai/gcloud-pipeline:ref:refs/heads/main

So you might need to go setup github action pipelines first. So go to step 5 first and run the pipeline

5. create a pipeline in github and access gcp resources

# This is a basic workflow to help you get started with Actions

name: CI

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  build:
    # Allow the job to fetch a GitHub ID token
    permissions:
      id-token: write
      contents: read

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
     
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v3'
        with:
          create_credentials_file: true
          project_id: 'secondary-471605'
          workload_identity_provider: 'projects/your-project-number/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
     
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v2
     
      - name: Run gcloud auth list
        run: gcloud auth list
# assign permission
      - name: Run gcloud list bucket
        run: gcloud storage ls gs://your-bucket/


When you run the pipeline, you will see output from gcloud auth list here


Then you have copy and paste the service principal here and to go back to your cloud storage. Under permission, grant access to this principal shown in the diagram. 

Re-run your pipeline, then you should be able to get it to pass. 














Comments

Post a Comment

Popular posts from this blog

gemini cli getting file not defined error

Image
 While trying to run gemini cli on my windows linux subsystem, i bump into this error here - "/Roaming/npm/node_modules/@google/gemini-cli/node_modules/undici/lib/web/webidl/index.js:512 webidl.is.File = webidl.util.MakeTypeAssertion(File)"  "ReferenceError: File is not defined" In Node.js, there’s no built-in File (until very recent Node 20+ with experimental WHATWG APIs). So, unless polyfilled, File is undefined, leading to the ReferenceError. And to resolve this, I had to upgrade to node 22 (might work for node 20) and then I was able to run it.
Read more

NodeJS: Error: spawn EINVAL in window for node version 20.20 and 18.20

Encounter this issue when running autorest (that uses nodejs).  I am using node version:  v18.20.2 After i revert to use node v18.12.0, then i was able to get my app to run without this error. Since i am working with Azure devops yaml, i was able to use the following to resolve my issue.  - task : NodeTool@0   inputs :     versionSource : 'spec'     versionSpec : '18.18.0'
Read more

vllm : Failed to infer device type

Trying to run vllm without gpu will typicaly lands you into this issue. To resolve this issue: we can use set these both. Setting one does not work for me. So i had to configure both settings below:- 1.  environment variable CUDA_VISIBLE_DEVICES = "" 2. in the command line, change to use device cpu and remove  tensor-parallel-size. For example, python3 -m vllm.entrypoints.openai.api_server --port 8080 --model deepseek-ai/DeepSeek-R1 --device cpu --trust-remote-code --max-model-len 4096" References https://docs.vllm.ai/en/latest/getting_started/troubleshooting.html#failed-to-infer-device-type
Read more