05 3 How to Connect GitHub Actions to Google Cloud Without Keys (WIF)

Published: 14 May 2026
on channel: AungLinThant

• What Workload Identity Federation (WIF) is
• Why service account keys are insecure
• How GitHub OIDC authentication works
• Creating a Workload Identity Pool and Provider in GCP
• Configuring attribute mapping and attribute conditions
• Granting IAM permissions using principalSet
• Allowing only a specific GitHub repository to access GCP
• Configuring GitHub Actions workflow for authentication
• Testing secure authentication from GitHub to GCP

Explain about "subject" & "audience"
#explain subject = the subject is the caller, i.e. who is calling. E.g. if you use GitHub,
the caller is the GitHub account's repository;
if you use Google, in this lab the caller is the default service account attached to
the created wif-vm.

#VM (gcp)
issuer url = "https://accounts.google.com"
aud = {CLIENT_ID}.apps.googleusercontent.com
sub = 13332787600104397101 (sa id)

#GitHub Actions
issuer url = https://token.actions.githubuserconte...
aud = projects/259655456214/locations/global/workloadIdentityPools/github-actions-pool-v5/providers/github-actions
sub = assertion.repository == "AungLinThant/oidc-github"

SUMMARY NOTE:
subject = caller
audience = receiver
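To make the subject/audience split concrete, here is an added worked example (written for these notes, not code from the video or its author) of the checks a Workload Identity Federation provider performs on a GitHub Actions OIDC token: issuer and audience must match the provider, the attribute mapping copies claims into `google.subject` and `attribute.repository`, the attribute condition `assertion.repository == "AungLinThant/oidc-github"` rejects every other repository, and the result is the `principalSet://` member that the IAM binding names. The token payload is constructed and unsigned (a real provider verifies the JWT signature against the issuer's JWKS first), the condition evaluator only supports the single `assertion.<claim> == "<value>"` form the lab uses rather than full CEL, and the full issuer URL is taken from GitHub's OIDC documentation since the notes above truncate it.

```python
"""Added example: how a WIF provider turns a GitHub OIDC token into a
principalSet member. Simplified model of the real service, for study only."""
import re

# Provider configuration, using the values from the notes above.
PROVIDER = {
    "project_number": "259655456214",
    "pool_id": "github-actions-pool-v5",
    "provider_id": "github-actions",
    # Issuer URL of GitHub Actions OIDC tokens (full form from GitHub's docs).
    "issuer_uri": "https://token.actions.githubusercontent.com",
    # Audience = the receiver: this provider's resource name, as in the notes.
    "allowed_audience": (
        "projects/259655456214/locations/global/workloadIdentityPools/"
        "github-actions-pool-v5/providers/github-actions"
    ),
    # Attribute mapping: google.subject is mandatory; attribute.* are custom.
    "attribute_mapping": {
        "google.subject": "assertion.sub",
        "attribute.repository": "assertion.repository",
    },
    # Attribute condition: only this repository may exchange tokens.
    "attribute_condition": 'assertion.repository == "AungLinThant/oidc-github"',
}

# Constructed, unsigned GitHub Actions OIDC token payload (sample data).
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": PROVIDER["allowed_audience"],
    "sub": "repo:AungLinThant/oidc-github:ref:refs/heads/main",
    "repository": "AungLinThant/oidc-github",
    "ref": "refs/heads/main",
}

# Only the equality form used in the lab is supported (not full CEL).
_COND_RE = re.compile(r'^assertion\.(\w+)\s*==\s*"([^"]*)"$')


def evaluate_condition(condition: str, claims: dict) -> bool:
    """Evaluate `assertion.<claim> == "<value>"` against the token claims."""
    m = _COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition form: {condition}")
    claim, expected = m.groups()
    return claims.get(claim) == expected


def map_attributes(mapping: dict, claims: dict) -> dict:
    """Copy token claims into google.subject / attribute.* per the mapping."""
    out = {}
    for target, source in mapping.items():
        if not source.startswith("assertion."):
            raise ValueError(f"unsupported mapping source: {source}")
        claim = source[len("assertion."):]
        if claim not in claims:
            raise ValueError(f"token lacks claim {claim!r} needed for {target}")
        out[target] = claims[claim]
    return out


def exchange_token(provider: dict, claims: dict) -> dict:
    """Check iss/aud, apply mapping + condition, return the principalSet member.

    Raises PermissionError on any check the provider would reject."""
    # Subject (caller) is only trusted if the token came from the right issuer.
    if claims.get("iss") != provider["issuer_uri"]:
        raise PermissionError("issuer mismatch")
    # Audience (receiver) must name this provider, or the token was minted
    # for someone else and must not be accepted here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if provider["allowed_audience"] not in audiences:
        raise PermissionError("audience mismatch")
    attrs = map_attributes(provider["attribute_mapping"], claims)
    if not evaluate_condition(provider["attribute_condition"], claims):
        raise PermissionError("attribute condition rejected token")
    repo = attrs["attribute.repository"]
    member = (
        f"principalSet://iam.googleapis.com/projects/{provider['project_number']}"
        f"/locations/global/workloadIdentityPools/{provider['pool_id']}"
        f"/attribute.repository/{repo}"
    )
    return {"subject": attrs["google.subject"], "attributes": attrs, "member": member}


if __name__ == "__main__":
    print(exchange_token(PROVIDER, SAMPLE_CLAIMS)["member"])
```

The `member` string is what the IAM binding on the service account (or project) refers to; any token whose `repository` claim differs fails the condition before a member is even derived, which is the "only a specific GitHub repository" guarantee from the topic list.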