We have two buckets:
- dev-storage-2023
- prd-storage-2023
# Identifiers shared by every gcloud call below.
# PROJECT_NUMBER (numeric) is what principalSet:// / principal:// members need;
# PROJECT_ID (string) is what --project flags and service-account e-mails use.
PROJECT_ID="blue-project-378421"
PROJECT_NUMBER="32549352397"
DEV_BUCKET="dev-storage-2023"
PRD_BUCKET="prd-storage-2023"
export PROJECT_ID PROJECT_NUMBER DEV_BUCKET PRD_BUCKET
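# Create the DEV and PRD buckets.
# --uniform-bucket-level-access: access is governed by bucket IAM only, so the
# add-iam-policy-binding calls below are the complete access model.
# Expansions are quoted so an unexpected value cannot be word-split or globbed.
gcloud storage buckets create "gs://${DEV_BUCKET}" \
  --project="${PROJECT_ID}" \
  --default-storage-class=STANDARD \
  --location=EUROPE-WEST1 \
  --uniform-bucket-level-access
gcloud storage buckets create "gs://${PRD_BUCKET}" \
  --project="${PROJECT_ID}" \
  --default-storage-class=STANDARD \
  --location=EUROPE-WEST1 \
  --uniform-bucket-level-access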
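# Workload identity pool that GitHub Actions OIDC tokens are exchanged against.
# The pool itself grants nothing; the provider and the per-SA bindings below do.
# --project is quoted to match the other gcloud calls in this file.
gcloud iam workload-identity-pools create github \
  --project="${PROJECT_ID}" \
  --location="global" \
  --description="GitHub pool" \
  --display-name="GitHub pool"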
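# OIDC provider for tokens issued by GitHub Actions.
# --attribute-mapping exposes sub, job_workflow_ref and event_name so the
#   principalSet:// members below can match on them.
# --attribute-condition is the only thing that limits WHICH GitHub
#   repositories may exchange tokens through this pool. Without it, any
#   github.com repository whose token satisfies a binding below (for example
#   any pull_request event) can obtain credentials, so the provider is pinned
#   to the organisation that owns the workflows referenced in this file.
gcloud iam workload-identity-pools providers create-oidc "github" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="github" \
  --display-name="GitHub provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.workflow_ref=assertion.job_workflow_ref,attribute.event_name=assertion.event_name" \
  --attribute-condition="assertion.repository_owner == 'outofdevops'" \
  --issuer-uri="https://token.actions.githubusercontent.com"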
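# One service account per environment so DEV and PRD access can be granted to
# different GitHub identities. --project quoted for consistency with the
# provider creation above.
gcloud iam service-accounts create bucket-dev \
  --project="${PROJECT_ID}" \
  --description="SA with access to the DEV Bucket" \
  --display-name="Bucket Reader DEV"
gcloud iam service-accounts create bucket-prd \
  --project="${PROJECT_ID}" \
  --description="SA with access to the PRD Bucket" \
  --display-name="Bucket Reader PRD"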
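# Grant each SA read-only access (roles/storage.objectViewer) to its own
# bucket and nothing else: bucket-dev never touches PRD and vice versa.
# Bucket URI and member are quoted so the e-mail/URI is passed as one word.
gcloud storage buckets add-iam-policy-binding "gs://${DEV_BUCKET}" \
  --member="serviceAccount:bucket-dev@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role=roles/storage.objectViewer
gcloud storage buckets add-iam-policy-binding "gs://${PRD_BUCKET}" \
  --member="serviceAccount:bucket-prd@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role=roles/storage.objectViewer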
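# Allow GitHub Actions identities from the pool to impersonate each SA.
#
# DEV: the binding was previously on attribute.event_name/pull_request, which
# matches a pull_request run from ANY repository the provider admits (unless
# the provider carries an --attribute-condition restricting repositories).
# Bind on google.subject instead: GitHub's default sub claim for a
# pull_request event is "repo:<owner>/<repo>:pull_request", so only pull
# requests of this repository qualify, using only the attribute mapping the
# provider already has.
# NOTE(review): assumes the repository's sub claim is the GitHub default
# (not customised via the OIDC subject-claim API) — confirm before rollout.
gcloud iam service-accounts add-iam-policy-binding "bucket-dev@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/github/subject/repo:outofdevops/workload-identity-federation:pull_request"
# PRD: only the multi-id.yaml workflow running on refs/heads/main of this
# repository (job_workflow_ref carries owner/repo/path@ref, so it is already
# repository-scoped).
gcloud iam service-accounts add-iam-policy-binding "bucket-prd@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/github/attribute.workflow_ref/outofdevops/workload-identity-federation/.github/workflows/multi-id.yaml@refs/heads/main"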