{"id":165740,"date":"2026-04-11T09:52:35","date_gmt":"2026-04-11T06:52:35","guid":{"rendered":"https:\/\/computingforgeeks.com\/gcp-workload-identity-federation-github-actions\/"},"modified":"2026-04-11T09:52:35","modified_gmt":"2026-04-11T06:52:35","slug":"gcp-workload-identity-federation-github-actions","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/gcp-workload-identity-federation-github-actions\/","title":{"rendered":"Set Up GCP Workload Identity Federation for GitHub Actions (2026)"},"content":{"rendered":"\n

A GitHub Actions workflow that deploys to GCP needs some way to authenticate. For years the answer was a JSON service account key stored as a GitHub repository secret. Everyone knew it was the wrong answer, everyone used it anyway, and the industry produced an endless supply of blog posts about accidentally leaked keys. Workload Identity Federation is the fix. Instead of a static key, GitHub’s runner exchanges its built-in OIDC token for a short-lived GCP access token through a trust relationship you configure once. The key file goes away. The rotation problem goes away. The “we left a demo secret in a public repo” incident goes away. This guide walks through the exact setup on a real project, the IAM policy binding that actually scopes access to one repository, the GitHub workflow YAML that authenticates and then pushes to Artifact Registry, and the four errors you will hit on the first attempt.<\/p>\n\n\n\n

This is the external Workload Identity Federation product, not to be confused with Workload Identity Federation for GKE<\/a>. They share the underlying Security Token Service but they are configured differently: GKE’s pool is managed automatically for Kubernetes ServiceAccounts, while the external WIF product is what you use for GitHub Actions, AWS EC2 instances, Azure VMs, on-prem OIDC workloads, and anything else that lives outside a GKE cluster. This guide is the external WIF version specifically for GitHub Actions.<\/p>\n\n\n\n

Tested April 2026 on GCP with google-cloud-cli 521, GitHub Actions runner ubuntu-24.04, and the google-github-actions\/auth v3 action<\/em><\/p>\n\n\n\n

Why Workload Identity Federation Matters<\/h2>\n\n\n\n

The old way was a JSON service account key, base64-encoded, stashed in a GitHub secret, pulled into the runner, written to a file, and passed to gcloud auth activate-service-account<\/code>. Every step in that chain is a place where the key can leak. The workflow author can accidentally print it in a log. A malicious action can read the file. A forked PR workflow can exfiltrate it. The key itself lives forever unless somebody rotates it manually, and nobody rotates it manually.<\/p>\n\n\n\n

Workload Identity Federation flips the model. GitHub already issues a signed OIDC token to every running job ($ACTIONS_ID_TOKEN_REQUEST_URL<\/code> and $ACTIONS_ID_TOKEN_REQUEST_TOKEN<\/code>). That token is short-lived, tied to the specific job run, and contains claims about which repository, branch, environment, and actor triggered it. WIF configures GCP’s Security Token Service to accept that token as proof of identity, exchange it for a federated Google token, and optionally chain-impersonate a regular service account. The resulting access token expires after an hour. No key file ever touches the runner. If an attacker somehow leaks the access token, the blast radius is one hour on the specific resources that one service account was granted.<\/p>\n\n\n\n

Google officially deprecated service account key files for CI\/CD in 2023 and the organization policy that blocks new key creation is the default in new organizations. If you are still using JSON keys for GitHub Actions in 2026, you are on borrowed time. Migrate before the next org-policy refresh forces the issue.<\/p>\n\n\n\n

The Mental Model: Four Pieces That Click Together<\/h2>\n\n\n\n

WIF has four configuration objects and understanding how they chain together is the hard part. Once the model clicks, the commands are mechanical.<\/p>\n\n\n\n

    \n
  1. Workload Identity Pool<\/strong>. A container for external identities inside a GCP project. You create one pool per external identity provider family (one for GitHub, one for GitLab, one for AWS, and so on). The pool is where IAM bindings are anchored.<\/li>\n
  2. Workload Identity Pool Provider<\/strong>. An OIDC (or SAML or AWS) configuration attached to the pool. For GitHub Actions this is an OIDC provider pointing at https:\/\/token.actions.githubusercontent.com<\/code>. The provider defines which claims from the incoming token get mapped to GCP attributes (repo name, actor, branch, etc.) and an optional attribute condition that filters which incoming tokens are even considered.<\/li>\n
  3. Principal<\/strong>. A reference to an external identity that GCP IAM can grant roles to. For GitHub Actions the principal is usually a principalSet:\/\/<\/code> URL that matches every token from a specific repository, or a principal:\/\/<\/code> URL that matches one specific token (subject claim).<\/li>\n
  4. Google Service Account<\/strong> (optional chain-impersonation). Two patterns are supported. Direct resource access binds the GitHub principal directly to an IAM role on a GCP resource. Chain-impersonation binds the GitHub principal to roles\/iam.workloadIdentityUser<\/code> on a normal Google Service Account, and then the workflow impersonates that GSA to get an access token. Both work. Direct is newer and simpler, impersonation is the default in most tutorials because it works with every API.<\/li>\n<\/ol>\n\n\n\n

    The chain reads: GitHub job produces OIDC token \u2192 provider validates the token and maps claims to attributes \u2192 IAM policy on the target (either the service account or the resource directly) matches the principal \u2192 GCP issues a short-lived access token.<\/p>\n\n\n\n

    Prerequisites<\/h2>\n\n\n\n