-
Set the GCP project ID as an environment variable.
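# GCP project the pipeline deploys into. Replace the placeholder with the
# project ID (not the project number); it is quoted so the template does not
# word-split into several exports before you substitute it.
export PROJECT_ID="{google project id}"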
-
Log in, select the project, enable the APIs the pipeline uses, and create a service account for the pipeline.
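# Authenticate the person running this setup and point gcloud at the project.
# application-default login additionally writes ADC for tools that use the
# Google client libraries from this machine.
gcloud auth login
gcloud config set project "${PROJECT_ID}"
gcloud auth application-default login

# APIs the pipeline touches: STS/IAM Credentials for the token exchange,
# Cloud Run, Cloud Build and Artifact Registry.
gcloud services enable \
  iamcredentials.googleapis.com \
  run.googleapis.com \
  cloudbuild.googleapis.com \
  artifactregistry.googleapis.com \
  --project "${PROJECT_ID}"

# Identity the GitHub Actions workflow will impersonate via Workload Identity
# Federation; no service-account key is created anywhere in this setup.
gcloud iam service-accounts create github-service-account --project "${PROJECT_ID}"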
-
Create a workload identity pool and print its full resource name.
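# Pool that GitHub-issued OIDC tokens are exchanged against.
gcloud iam workload-identity-pools create github-pool \
  --project="${PROJECT_ID}" \
  --location="global" \
  --display-name=github-pool

# Prints the pool's full resource name
# (projects/NUMBER/locations/global/workloadIdentityPools/github-pool);
# copy it into WORKLOAD_IDENTITY_POOL_ID in the next step.
gcloud iam workload-identity-pools describe github-pool \
  --project="${PROJECT_ID}" \
  --location="global" \
  --format="value(name)"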
-
Set the workload identity pool ID from the output of the last command.
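# Full resource name of the pool, as printed by the describe command above.
# Quoted so the placeholder does not word-split before you substitute it.
export WORKLOAD_IDENTITY_POOL_ID="{from previous command output}"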
-
Create a workload identity pool provider for GitHub's OIDC issuer, allow the repository's workflows to impersonate the service account, and print the provider's full resource name.
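# Repository (owner/name) whose workflows may impersonate the service account.
# Override with GITHUB_REPO=owner/name before running this step.
GITHUB_REPO="${GITHUB_REPO:-initialcapacity/streaming-html}"
GITHUB_OWNER="${GITHUB_REPO%%/*}"

# OIDC provider for GitHub Actions tokens. The attribute mapping exposes the
# repository and actor claims so IAM bindings can be scoped to them. The
# attribute condition rejects tokens from every other GitHub owner before they
# reach the pool at all — without it any repository on github.com can obtain a
# pool identity, and only the binding below stands between it and the service
# account; recent GCP releases also refuse to create a GitHub provider that has
# no condition.
gcloud iam workload-identity-pools providers create-oidc github-provider \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool=github-pool \
  --display-name=github-provider \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --attribute-condition="assertion.repository_owner == '${GITHUB_OWNER}'" \
  --issuer-uri="https://token.actions.githubusercontent.com"

# Only workflows running in GITHUB_REPO may impersonate the pipeline identity.
gcloud iam service-accounts add-iam-policy-binding \
  "github-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${GITHUB_REPO}"

# Prints the provider's full resource name
# (projects/NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider).
gcloud iam workload-identity-pools providers describe github-provider \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool=github-pool \
  --format="value(name)"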
-
Grant the service account the IAM roles the pipeline needs, then list the roles it holds.
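SA_EMAIL="github-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
SA_MEMBER="serviceAccount:${SA_EMAIL}"

# Project-level roles for the pipeline service account.
# NOTE(review): these are broader than a deploy pipeline strictly needs —
# artifactregistry.admin could be artifactregistry.writer on the one image
# repository, viewer grants read access to every resource in the project, and
# iam.serviceAccountUser at project level lets the pipeline act as *any*
# service account in the project (bind it on the Cloud Run runtime service
# account instead). Tighten these once the pipeline is working.
PIPELINE_ROLES=(
  roles/artifactregistry.admin
  roles/run.admin
  roles/viewer
  roles/iam.serviceAccountUser
  roles/cloudbuild.builds.viewer
  roles/cloudbuild.builds.builder
)

for role in "${PIPELINE_ROLES[@]}"; do
  gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --member="${SA_MEMBER}" \
    --role="${role}"
done

# Show which roles the service account ended up with.
gcloud projects get-iam-policy "${PROJECT_ID}" \
  --flatten="bindings[].members" \
  --format='table(bindings.role)' \
  --filter="bindings.members:${SA_EMAIL}"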
Repository variables to configure in GitHub for the pipeline (plain variables, not secrets — none of these values is sensitive):
# Values the GitHub workflow reads as repository variables.
# NOTE(review): the pipeline is handed the pool name here, while the provider
# step prints the provider's full resource name and never captures it — confirm
# which of the two the workflow's auth step actually expects.
GCP_PROJECT_ID="$PROJECT_ID"
GCP_WORKLOAD_IDENTITY_POOL_ID="$WORKLOAD_IDENTITY_POOL_ID"
GCP_SERVICE_ACCOUNT="github-service-account@$PROJECT_ID.iam.gserviceaccount.com"