Securely authenticate to Google Cloud from GitHub

Accessing Google Cloud with a Service Account

  1. Create a Service Account
  2. Download a JSON credentials file that references it
  3. Store this file in some secure way
  • YOLO: Store the file alongside the code in the repo; it’s a private repository anyway.
  • Hack the library: The Google Analytics Python library offers a function that accepts the file’s content directly. You can store that content in an environment variable, and thus keep the data in a GitHub secret.
    But I didn’t find anything similar in the Google BigQuery library. If any Google developer reads this, please note that it’s not a good developer experience. In the same language stack, I’d expect all libraries to be consistent regarding cross-cutting concerns, i.e., authentication.
    The solution would have been to hack the library to offer the same functionality as the Analytics one.

Authenticate to Google Cloud

  1. The GitHub repo gets a short-lived token from Google Cloud.
  2. Workflows on the same repo can call secured APIs on Google Cloud via the Google libraries, because the latter know about the token.
jobs:
  build:                                  # job id is a placeholder
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'                   # lets the job request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v3 # 1
      - uses: actions/setup-python@v3 # 2
        with:
          python-version: 3.9.10
      - uses: 'google-github-actions/auth@v0' # 3
        with:
          # ${...} are placeholders to replace with your own values; GitHub does not expand them here
          service_account: '${SERVICE_ACCOUNT_EMAIL}'
          workload_identity_provider: 'projects/${PROJECT_ID}/locations/global/workloadIdentityPools/${WI_POOL_NAME}/providers/${WI_PROVIDER_NAME}'
      - run: 'python' # 4
  1. Check out the repo
  2. Set up the Python environment
  3. Authenticate to get the token. The Action writes the token to a Google-specific location, which is scrubbed along with the work environment when the workflow finishes.
  4. Enjoy your automatically-authenticated calls!
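The workflow above only works once a Workload Identity pool, an OIDC provider for GitHub and a binding on the service account exist on the Google Cloud side. What follows is an added example of that one-time setup with gcloud, not code from the original post: the variable names mirror the workflow's placeholders, and GITHUB_REPO (the single owner/repo allowed to impersonate the service account) is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example: one-time Workload Identity Federation setup for the workflow above.
# All values below are placeholders; override them through the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
WI_POOL_NAME="${WI_POOL_NAME:-github-pool}"
WI_PROVIDER_NAME="${WI_PROVIDER_NAME:-github-provider}"
SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT_EMAIL:-ci@my-project.iam.gserviceaccount.com}"
GITHUB_REPO="${GITHUB_REPO:-my-org/my-repo}"   # assumed: owner/repo allowed to impersonate the SA

# principalSet member restricted to ONE repository. Without the attribute.repository
# part, any GitHub repository whose token reaches the pool could impersonate the SA.
wif_member() { # $1 project number, $2 pool, $3 owner/repo
  echo "principalSet://iam.googleapis.com/projects/$1/locations/global/workloadIdentityPools/$2/attribute.repository/$3"
}

# Resource name to paste into workload_identity_provider (it uses the numeric project NUMBER).
wif_provider() { # $1 project number, $2 pool, $3 provider
  echo "projects/$1/locations/global/workloadIdentityPools/$2/providers/$3"
}

setup_wif() {
  number="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  gcloud iam workload-identity-pools create "$WI_POOL_NAME" \
    --project="$PROJECT_ID" --location=global --display-name="GitHub Actions pool"
  # The provider trusts GitHub's OIDC issuer and maps the token's claims to attributes;
  # the attribute condition rejects tokens from any other repository at exchange time.
  gcloud iam workload-identity-pools providers create-oidc "$WI_PROVIDER_NAME" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$WI_POOL_NAME" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository == '${GITHUB_REPO}'"
  # Only identities matching the repository-scoped member may mint tokens for the SA.
  gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
    --project="$PROJECT_ID" --role="roles/iam.workloadIdentityUser" \
    --member="$(wif_member "$number" "$WI_POOL_NAME" "$GITHUB_REPO")"
  echo "workload_identity_provider: '$(wif_provider "$number" "$WI_POOL_NAME" "$WI_PROVIDER_NAME")'"
}

# Sourcing the file only defines the functions; pass "apply" to run the setup.
if [ "${1:-}" = "apply" ]; then setup_wif; fi
```

The final echo prints the exact string to put in the workflow's workload_identity_provider input.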

Nicolas Fränkel
Dev Advocate for Apache APISIX. Former developer and architect. Still teaching, learning and blogging.