Ili kutoa ufikiaji kwa Github Actions kutoka kwa repo ya Github kwa akaunti ya huduma ya GCP hatua zifuatazo zinahitajika:
Unda Akaunti ya Huduma ili kufikia kutoka kwa github actions na idhini zinazohitajika:
projectId=FIXMEgcloudconfigsetproject $projectId# Create the Service Accountgcloudiamservice-accountscreate"github-demo-sa"saId="github-demo-sa@${projectId}.iam.gserviceaccount.com"# Enable the IAM Credentials APIgcloudservicesenableiamcredentials.googleapis.com# Give permissions to SAgcloudprojectsadd-iam-policy-binding $projectId \--member="serviceAccount:$saId" \--role="roles/iam.securityReviewer"
Tengeneza maktaba mpya ya utambulisho wa kazi:
# Create a Workload Identity PoolpoolName=wi-poolgcloudiamworkload-identity-poolscreate $poolName \--location global \--display-name $poolNamepoolId=$(gcloudiamworkload-identity-poolsdescribe $poolName \--location global \--format='get(name)')
Tengeneza mtoa OIDC wa mwelekeo wa kazi mpya ambaye anatumaini github actions (kwa jina la org/repo katika hali hii):
attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)
gcloudiamworkload-identity-poolsproviderscreate-oidc $poolName \--location global \--workload-identity-pool $poolName \--display-name $poolName \--attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
--issuer-uri "https://token.actions.githubusercontent.com"providerId=$(gcloudiamworkload-identity-poolsprovidersdescribe $poolName \--location global \--workload-identity-pool $poolName \--format='get(name)')
Hatimaye, ruhusu kiongozi kutoka kwa mtoa huduma kutumia kiongozi wa huduma:
Kumbuka jinsi katika mwanachama wa awali tunavyobainisha org-name/repo-name kama masharti ya kuweza kufikia akaunti ya huduma (paramu nyingine zinazofanya iwe zaidi ya ukali kama tawi pia zinaweza kutumika).
Hata hivyo, inawezekana pia kuruhusu github yote kufikia akaunti ya huduma kwa kuunda mtoa huduma kama ifuatavyo kwa kutumia wildcard:
# Create a Workload Identity PoolpoolName=wi-pool2gcloudiamworkload-identity-poolscreate $poolName \--location global \--display-name $poolNamepoolId=$(gcloudiamworkload-identity-poolsdescribe $poolName \--location global \--format='get(name)')gcloudiamworkload-identity-poolsproviderscreate-oidc $poolName \--project="${projectId}" \--location="global" \--workload-identity-pool="$poolName" \--display-name="Demo provider" \--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \--issuer-uri="https://token.actions.githubusercontent.com"providerId=$(gcloudiamworkload-identity-poolsprovidersdescribe $poolName \--location global \--workload-identity-pool $poolName \--format='get(name)')# CHECK THE WILDCARDgcloudiamservice-accountsadd-iam-policy-binding"${saId}" \--project="${projectId}" \--role="roles/iam.workloadIdentityUser" \--member="principalSet://iam.googleapis.com/${poolId}/*"
Katika kesi hii mtu yeyote anaweza kufikia akaunti ya huduma kutoka github actions, hivyo ni muhimu kila wakati kuangalia jinsi mwanachama anavyofafanuliwa.
Inapaswa kuwa kila wakati kitu kama hiki:
Kumbuka kubadilisha ${providerId} na ${saId} kwa thamani zao husika:
name:Check GCP actionon:workflow_dispatch:pull_request:branches:- mainpermissions:id-token:writejobs:Get_OIDC_ID_token:runs-on:ubuntu-lateststeps:- id:'auth'name:'Authenticate to GCP'uses:'google-github-actions/auth@v2.1.3'with:create_credentials_file:'true'workload_identity_provider: '${providerId}' # In the providerId, the numerical project ID (12 digit number) should be used
service_account:'${saId}'# instead of the alphanumeric project ID. ex:activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider'
- id:'gcloud'name:'gcloud'run:|-gcloud config set project <project-id>gcloud config set account '${saId}'gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"gcloud auth listgcloud projects listgcloud secrets list