github gcp workload pool identity federation

To allow passwordless authentication to GCP from GitHub Actions, we need to set up a workload identity pool. To do that we can use the following command:



gcloud iam workload-identity-pools create "github-pool" \
    --location="global" \
    --display-name="GitHub Actions Pool"

And then set up the OIDC provider in that pool so it trusts GitHub's token issuer, restricted to your repo:



gcloud iam workload-identity-pools providers create-oidc "kepungnzai" \
    --location="global" \
    --workload-identity-pool="github-pool" \
    --display-name="GitHub Actions Provider" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.actor=assertion.actor" \
    --attribute-condition="attribute.repository == 'kepungnzai/agentic-a2a-weather-currency'"
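As an added illustration (not code from the original post), here is a simplified offline model of what the attribute mapping and attribute condition above do during the token exchange: the mapping copies claims out of the GitHub token, and the condition is the only thing that stops a token from a different repository being accepted. The real check is Google's CEL evaluation; this stand-in supports just the equality form used here, and the token claims are constructed rather than captured.

```python
import re

# Provider settings exactly as created on this page.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.repository": "assertion.repository",
    "attribute.actor": "assertion.actor",
}
ATTRIBUTE_CONDITION = "attribute.repository == 'kepungnzai/agentic-a2a-weather-currency'"


def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Apply 'target=assertion.<claim>' mappings to decoded token claims."""
    mapped = {}
    for target, source in mapping.items():
        prefix, claim = source.split(".", 1)
        if prefix != "assertion":
            raise ValueError(f"unsupported mapping source: {source}")
        if claim not in claims:
            raise ValueError(f"token lacks claim {claim!r} needed for {target}")
        mapped[target] = claims[claim]
    return mapped


def condition_holds(mapped, condition=ATTRIBUTE_CONDITION):
    """Evaluate the single form used on this page: attribute.x == '<literal>'.
    A provider with no condition accepts every token GitHub signs."""
    if condition is None:
        return True
    m = re.fullmatch(r"\s*(attribute\.\w+)\s*==\s*'([^']*)'\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    return mapped.get(m.group(1)) == m.group(2)


def exchange_allowed(claims, condition=ATTRIBUTE_CONDITION):
    """True if the exchange would succeed for these claims (simplified)."""
    return condition_holds(map_attributes(claims), condition)


# Constructed claims (not captured tokens) in the shape GitHub Actions issues.
OWN_REPO_TOKEN = {
    "sub": "repo:kepungnzai/agentic-a2a-weather-currency:ref:refs/heads/main",
    "repository": "kepungnzai/agentic-a2a-weather-currency",
    "actor": "kepungnzai",
}
OTHER_REPO_TOKEN = {
    "sub": "repo:another-org/another-repo:ref:refs/heads/main",
    "repository": "another-org/another-repo",
    "actor": "someone",
}
```

Run `exchange_allowed(OTHER_REPO_TOKEN, None)` to see why a provider created without `--attribute-condition` is a problem: every repository on GitHub would pass.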

And all you need is the YAML below to deploy. Please replace the variables in the YAML. The project ID is not the same as the project number. GCP_SERVICE_ACCOUNT should be the service account's email address.

WIF_POOL_ID should be github-pool

CICD_PROJECT_ID should be your GCP project ID, e.g. "project-xxxxxx".

WIF_PROVIDER_ID should be "kepungnzai" 

name: Deploy to Staging

on:
  push:
    branches:
      - main
    paths:
      - 'app/**'
      - 'data_ingestion/**'
      - 'tests/**'
      - 'deployment/**'
      - 'uv.lock'

jobs:
  deploy_and_test_staging:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python 3.12
        uses: actions/setup-python@v4
        with:
          python-version: '3.12'

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v2'
        with:
          # Keep the resource name on one line: a quoted scalar folded across
          # lines would insert spaces into it and the auth step would fail.
          workload_identity_provider: 'projects/${{ vars.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ secrets.WIF_POOL_ID }}/providers/${{ secrets.WIF_PROVIDER_ID }}'
          service_account: '${{ secrets.GCP_SERVICE_ACCOUNT }}'
          create_credentials_file: true
          project_id: ${{ vars.CICD_PROJECT_ID }}



