Overview

At a high level, we’re setting up a secure connection between your GitHub repository and Google Cloud using OIDC (OpenID Connect). This allows GitHub Actions workflows, whether running on GitHub-hosted, self-hosted, or Blacksmith runners, to impersonate a Google Cloud service account without storing any long-lived keys. We do this by creating a Workload Identity Pool and an OIDC provider in GCP that trusts GitHub’s token issuer, then linking your GitHub repo to a specific service account through an IAM binding. Once this is set up, your jobs can authenticate to GCP with a single step, and everything else (like accessing Secret Manager or pushing to Artifact Registry) works as if the job were running inside GCP.


GCP-related Setup

Step 1: Environment Variables

Parameter             Description
PROJECT_ID            Your GCP project ID
PROJECT_NUMBER        Your GCP project number
SERVICE_ACCOUNT_NAME  The name of the GCP service account to impersonate (e.g. github-ci-access)
GITHUB_OWNER          apolloio
GITHUB_REPO           leadgenie

Step 2: Enable required APIs

I’m assuming you’re only using GCR and GCS

gcloud services enable iamcredentials.googleapis.com \
    iam.googleapis.com \
    artifactregistry.googleapis.com \
    secretmanager.googleapis.com \
    --project=$PROJECT_ID

Step 3: Create the Workload Identity Pool and OIDC Provider

We’re calling the identity pool github-pool and referencing this everywhere.

gcloud iam workload-identity-pools create github-pool \
  --project=$PROJECT_ID \
  --location=global \
  --display-name="GitHub Pool"

# The provider trusts GitHub's OIDC issuer, maps the token's repository claim to
# attribute.repository, and only accepts tokens issued for this one repository.
gcloud iam workload-identity-pools providers create-oidc github-provider \
  --project="$PROJECT_ID" \
  --location="global" \
  --workload-identity-pool="github-pool" \
  --display-name="GitHub OIDC Provider" \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
  --attribute-condition="attribute.repository == '${GITHUB_OWNER}/${GITHUB_REPO}'"

Step 4: Configure your SA

You mentioned that you already have an SA attached to your pods with access to GCR and GSM. Grant your GitHub repo permission to impersonate the SA.

# The member is scoped to attribute.repository, so only identities from this
# repository (not the whole pool) may impersonate the SA.
gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --project=$PROJECT_ID \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/attribute.repository/$GITHUB_OWNER/$GITHUB_REPO"
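As an added check that is not part of the original guide, the following Python script audits the result of Steps 3 and 4 from the JSON that `gcloud iam workload-identity-pools providers describe ... --format=json` and `gcloud iam service-accounts get-iam-policy ... --format=json` return. It flags a provider without the repository attribute condition and any workloadIdentityUser member other than the repository-scoped principalSet (for example a pool-wide member), since either would let identities outside this repo impersonate the SA; the embedded JSON and project number are constructed sample values.

```python
"""Audit the github-pool / github-provider setup from gcloud JSON output.

Feed it the output of:
  gcloud iam workload-identity-pools providers describe github-provider \
      --project=$PROJECT_ID --location=global --workload-identity-pool=github-pool --format=json
  gcloud iam service-accounts get-iam-policy \
      "$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" --format=json
The JSON below is a constructed sample with a placeholder project number."""
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PROJECT_NUMBER, GITHUB_OWNER, GITHUB_REPO = "123456789012", "apolloio", "leadgenie"  # sample values


def expected_member(project_number, owner, repo):
    """The repository-scoped principalSet from Step 4 that the SA binding should contain."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/github-pool/attribute.repository/{owner}/{repo}")


def audit(provider_json, sa_policy_json, project_number, owner, repo):
    """Return a list of findings; an empty list means provider and binding match Steps 3 and 4."""
    provider, policy = json.loads(provider_json), json.loads(sa_policy_json)
    findings = []
    if provider.get("oidc", {}).get("issuerUri") != GITHUB_ISSUER:
        findings.append("provider issuer is not GitHub's OIDC issuer")
    if provider.get("attributeMapping", {}).get("attribute.repository") != "assertion.repository":
        findings.append("attribute.repository is not mapped from assertion.repository")
    want_cond = f"attribute.repository=='{owner}/{repo}'"  # compared with whitespace stripped
    if provider.get("attributeCondition", "").replace(" ", "") != want_cond:
        findings.append(f"attribute condition does not pin the provider to {owner}/{repo}")
    want = expected_member(project_number, owner, repo)
    members = [m for b in policy.get("bindings", []) if b.get("role") == "roles/iam.workloadIdentityUser"
               for m in b.get("members", [])]
    if want not in members:
        findings.append(f"missing workloadIdentityUser binding for {want}")
    # Any other member (e.g. the whole pool) lets identities outside this repo impersonate the SA.
    findings += [f"overly broad workloadIdentityUser member: {m}" for m in members if m != want]
    return findings


# Constructed samples mirroring the shape of the two gcloud commands' JSON output.
PROVIDER_JSON = json.dumps({
    "name": f"projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/github-pool/providers/github-provider",
    "oidc": {"issuerUri": GITHUB_ISSUER},
    "attributeMapping": {"google.subject": "assertion.sub", "attribute.repository": "assertion.repository"},
    "attributeCondition": f"attribute.repository == '{GITHUB_OWNER}/{GITHUB_REPO}'",
    "state": "ACTIVE"})
SA_POLICY_JSON = json.dumps({"bindings": [{"role": "roles/iam.workloadIdentityUser",
                             "members": [expected_member(PROJECT_NUMBER, GITHUB_OWNER, GITHUB_REPO)]}]})

if __name__ == "__main__":
    for line in audit(PROVIDER_JSON, SA_POLICY_JSON, PROJECT_NUMBER, GITHUB_OWNER, GITHUB_REPO) or ["OK: setup matches Steps 3 and 4"]:
        print(line)
```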