This action gets an OpenID Connect (OIDC) token and makes it available as an output variable. The token can then be used to authenticate a service account to an Identity Aware Proxy secured resource.
- Python 2.7.9 or later installed on the environment.
- A pre-configured GCP service account.
- `actions/checkout@v2` if using `setup-gcloud` with `export_default_credentials`.
Inputs:
- `iap-oauth-client-id`: Required. The client ID for the IAP OAuth client.
- `credentials`: Optional. The service account key to use for authentication. This key should be either in JSON format or a Base64 string (e.g. `cat my-key.json | base64` on macOS). It should be stored as a GitHub secret. It can be omitted if using `setup-gcloud` with `export_default_credentials`.

Outputs:
- `token`: A string with the OIDC token. The token can then be included as a Bearer authentication header to authenticate the service account to an IAP-secured resource.
Providing credentials in JSON format:
```yaml
steps:
  - uses: actions/checkout@v2
  - id: iap-token
    name: get IAP token
    uses: ./get-iap-token
    with:
      credentials: ${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}
      iap-oauth-client-id: ${{ secrets.IAP_OAUTH_CLIENT_ID }}
  - name: get output
    run: echo '${{ steps.iap-token.outputs.token }}'
```
Providing credentials as a Base64 string (e.g. `cat my-key.json | base64` on macOS):
```yaml
steps:
  - uses: actions/checkout@v2
  - id: iap-token
    name: get IAP token
    uses: ./get-iap-token
    with:
      credentials: ${{ secrets.SERVICE_ACCOUNT_KEY_B64 }}
      iap-oauth-client-id: ${{ secrets.IAP_OAUTH_CLIENT_ID }}
  - name: get output
    run: echo '${{ steps.iap-token.outputs.token }}'
```
Using the `setup-gcloud` action with `export_default_credentials`:
```yaml
steps:
  - uses: actions/checkout@v2
  - uses: ./setup-gcloud
    with:
      service_account_key: ${{ secrets.SERVICE_ACCOUNT_KEY_B64 }}
      export_default_credentials: true
  - id: iap-token
    name: get IAP token
    uses: ./get-iap-token
    with:
      iap-oauth-client-id: ${{ secrets.IAP_OAUTH_CLIENT_ID }}
  - name: get output
    run: echo '${{ steps.iap-token.outputs.token }}'
```
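
An added example, not part of this action's code: a pre-flight check a later step could run on the `token` output before building the Bearer header for the IAP-secured resource. It assumes the token is a compact JWT whose `aud` claim carries the IAP OAuth client ID and whose `exp` claim is a Unix timestamp; the function names and client ID are hypothetical and the sample token is constructed. The signature is not verified here, since IAP does that when it receives the request.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def read_claims(token):
    """Return the JWT payload claims WITHOUT verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError) as exc:
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def bearer_header(token, iap_client_id, now=None, min_ttl=60):
    """Pre-flight check, then build the header sent to the IAP-secured resource."""
    claims = read_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != iap_client_id:
        raise ValueError("token audience does not match the IAP OAuth client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] - now < min_ttl:
        raise ValueError("token is expired or about to expire")
    return {"Authorization": "Bearer " + token.strip()}


def make_sample_token(aud, exp):
    # Constructed, unsigned sample for offline use; not a real Google-issued token.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "exp": exp}).encode())
    return header + "." + payload + "." + _b64url_encode(b"constructed-signature")


if __name__ == "__main__":
    cid = "example-client-id.apps.googleusercontent.com"  # constructed placeholder
    print(sorted(bearer_header(make_sample_token(cid, int(time.time()) + 3600), cid)))
```

The demo prints only the header name, so the token value never reaches the job log.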