Workload Identity Federation - Instructions for PAD Users

Modified on Tue, 21 Apr at 1:47 PM

Workload Identity Federation

Workload Identity Federation is an easy way for you to grant access to your Google Cloud resources to applications and services running outside Google Cloud. It removes the need for creating, maintaining, and securing service account keys, which can present security risks.


Note: PAD users must be either Administrators or Engineers. 


  1. Navigate to the Workload Identity Federation dashboard. You can also use the search bar at the top of the page, or open the hamburger menu in the upper right, go to the IAM & Admin tab, and find Workload Identity Federation in the menu that appears.

  2. If you don’t have any existing pools in your project, click the Get Started button.

  3. Fill out the details for your pool.

    1. Name - use a clear and concise name that is immediately identifiable for its use case and distinguishable from other potential pools. Example: prod-github-cta-001

    2. Choose what type of provider you want to use the pool for and fill out the details. Below is an example of what a pool set up for GitHub might look like.

      1. Provider: OpenID Connect (OIDC)

      2. Name: github-engineering-001

      3. Issuer (URL): https://token.actions.githubusercontent.com

      4. Audiences: Default audience

      5. Provider Attributes:

        1. Google 1: google.subject->assertion.sub

        2. Google 2: attribute.actor->assertion.actor

        3. Google 3: attribute.aud->assertion.aud

      6. Attribute conditions:

        1. You can use this to restrict access to this pool based on the origin of the token. To restrict it to only repositories from your GitHub organization, for example, you’d use something like: assertion.repository_owner=='<Your Github Organization ID>'

  4. Once you have finished filling out all the details of your pool and provider, click Save at the bottom. The pool and provider should start creating and finish shortly.

  5. After creation is finished, you should be able to go into the pool details and see the providers attached, along with a ✅ in the Status column.

  6. Now you’re ready to start using Workload Identity Federation! Instructions will vary depending on your use case and where you’re using it from, but for GitHub Actions, it can be as simple as adding a single block to your workflow YAML:

- uses: 'google-github-actions/auth@v3'
  with:
    project_id: 'my-project'
    workload_identity_provider: '...'

  7. The workload_identity_provider value here is in the format: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/providers/<PROVIDER_ID>. Note that it’s asking for the project number, not the project ID. To find the project number, you can go to the Google Cloud welcome page and it’ll be displayed there.

  8. Alternatively, you can get the project number with this CLI command:

gcloud projects describe PROJECT_ID --format="value(projectNumber)"

  9. Generally with Workload Identity Federation you want to authenticate directly (which is what is shown above), but you can also authenticate by impersonating a service account if needed. You can find instructions for how to do so through the documentation links down below.
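As an added example (not part of the original article and not Google's code), the following Python models what the pool and provider configured in the steps above do with a GitHub Actions OIDC token: it builds the workload_identity_provider resource name from a project number (rejecting a project ID passed by mistake), derives the default audience, and then applies the issuer check, audience check, attribute mapping and attribute condition to a token's claims. The project number, pool and provider IDs, organization name and token claims are constructed sample values; the attribute condition is modelled as an equality check on claims rather than a real CEL expression, and the signature verification a real provider performs against the issuer's keys is omitted. It also shows why the attribute condition matters: without it, a token from any repository under the same issuer that carries the right audience maps into the pool.

```python
"""Added example (not from the original article or Google's code): an offline
model of what the pool/provider configured in the steps above does with a
GitHub Actions OIDC token. Everything here (project number, pool and provider
IDs, organization name, token claims) is constructed sample data."""

from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def provider_resource_name(project_number: str, pool_id: str, provider_id: str) -> str:
    """Build the value for the workload_identity_provider input.

    The first path segment must be the numeric project *number*; passing the
    project ID (e.g. 'my-project') is the most common mistake, so reject it.
    """
    if not project_number.isdigit():
        raise ValueError(
            f"expected a project number (digits only), got {project_number!r}; "
            'look it up with: gcloud projects describe PROJECT_ID --format="value(projectNumber)"'
        )
    return (f"projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def default_audience(resource_name: str) -> str:
    """'Default audience' in the console is the provider's own resource name under iam.googleapis.com."""
    return f"https://iam.googleapis.com/{resource_name}"


@dataclass
class ProviderConfig:
    issuer: str
    audience: str
    attribute_mapping: dict  # Google attribute -> token claim (the 'Provider Attributes' rows)
    condition: dict          # claim -> required value; stands in for the CEL attribute condition


def evaluate(config: ProviderConfig, claims: dict) -> dict:
    """Apply the provider checks to already signature-verified token claims.

    Returns the mapped Google attributes, or raises PermissionError naming the
    failing check. (A real provider verifies the JWT signature first; omitted.)
    """
    if claims.get("iss") != config.issuer:
        raise PermissionError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if config.audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError(f"audience mismatch: {aud!r}")
    for claim, required in config.condition.items():
        if claims.get(claim) != required:
            raise PermissionError(f"attribute condition failed: {claim}={claims.get(claim)!r}")
    mapped = {}
    for google_attr, claim in config.attribute_mapping.items():
        if claim not in claims:
            raise PermissionError(f"mapped claim {claim!r} missing from token")
        mapped[google_attr] = claims[claim]
    return mapped


def sample_provider(with_condition: bool = True) -> ProviderConfig:
    """The pool/provider from the walkthrough, with constructed IDs."""
    name = provider_resource_name("123456789012", "prod-github-cta-001", "github-engineering-001")
    return ProviderConfig(
        issuer=GITHUB_ISSUER,
        audience=default_audience(name),
        attribute_mapping={"google.subject": "sub",
                           "attribute.actor": "actor",
                           "attribute.aud": "aud"},
        # assertion.repository_owner=='example-org' in the console
        condition={"repository_owner": "example-org"} if with_condition else {},
    )


def sample_claims(owner: str = "example-org", aud: str = "") -> dict:
    """Constructed subset of the claims GitHub Actions puts in its OIDC token."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": aud or sample_provider().audience,
        "sub": f"repo:{owner}/app:ref:refs/heads/main",
        "actor": "octocat",
        "repository_owner": owner,
    }


if __name__ == "__main__":
    print(evaluate(sample_provider(), sample_claims()))
    try:
        evaluate(sample_provider(), sample_claims(owner="someone-else"))
    except PermissionError as err:
        print("rejected:", err)
```

Running the file prints the mapped attributes for a token from the configured organization and the rejection reason for a token from another organization; swapping in sample_provider(with_condition=False) shows the second token being accepted, which is the case the attribute condition in step 3 exists to prevent.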

Helpful Resources and Documentation

Additional Permissions Given to Relevant PAD User Groups

iam.workloadIdentityPools.create

iam.workloadIdentityPools.createPolicyBinding

iam.workloadIdentityPools.delete

iam.workloadIdentityPools.deletePolicyBinding

iam.workloadIdentityPools.get

iam.workloadIdentityPools.list

iam.workloadIdentityPools.searchPolicyBindings

iam.workloadIdentityPools.undelete

iam.workloadIdentityPools.update

iam.workloadIdentityPools.updatePolicyBindings

iam.workloadIdentityPoolProviders.create

iam.workloadIdentityPoolProviders.delete

iam.workloadIdentityPoolProviders.get

iam.workloadIdentityPoolProviders.list

iam.workloadIdentityPoolProviders.undelete

iam.workloadIdentityPoolProviders.update


