Replies: 3 comments
Did anyone ever figure out how to do this? It seems like the Ruby Google auth library supports WIF now: googleapis/google-auth-library-ruby#418, but it's not clear to me if fastlane will support the credentials obtained via WIF in a previous action step.

Any news? This seems to be the most secure way to handle beta pushes to Firebase App Distribution.
the

```yaml
- id: 'auth'
  name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/auth@v0'
  with:
    create_credentials_file: true
    project_id: 'REDACTED'
    service_account: 'REDACTED@REDACTED.iam.gserviceaccount.com'
    workload_identity_provider: 'projects/REDACTED/locations/global/workloadIdentityPools/REDACTED/providers/REDACTED'

# setup, build an app, etc.
# ...

- name: Deploy to Firebase App Distribution
  run: |
    bundle exec fastlane ...
```
For security reasons, we don't want to create service account keys. We have an organization-level policy set in Google Cloud to prevent service account key creation and instead use instance credentials and Workload Identity Federation exclusively.
We want to have our beta push workflow use credentials obtained using https://github.com/google-github-actions/auth but run into `missing client_email` error.

Our GitHub Actions step to obtain credentials looks like:

Important: These kinds of credentials work perfectly for interacting with Google Cloud using `gcloud`, the Google Cloud SDK for Go, and many other tools. Fastlane is an outlier for not working with them.

Note: It appears that the `googleauth` library already has support for working with an externally-obtained oauth2 token, so this shouldn't require changes outside of fastlane: googleapis/google-auth-library-ruby#346

The full error we encounter
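
Added example, not part of the thread and not fastlane's or googleauth's own code: a Ruby check that classifies a Google credentials file, showing why a Workload Identity Federation (`external_account`) file has no `client_email` for a loader to find. It assumes the `missing client_email` error comes from treating the WIF file as a service account key; `inspect_credentials` is a hypothetical helper and both sample documents are constructed.

```ruby
require 'json'

# Fields a service account key carries; private_key is the long-lived secret.
SA_KEY_FIELDS = %w[client_email private_key].freeze
# Fields a Workload Identity Federation (external_account) file carries.
WIF_FIELDS = %w[audience subject_token_type token_url credential_source].freeze

# Classify a credentials JSON document and report which expected fields are absent.
def inspect_credentials(json_text)
  cfg = JSON.parse(json_text)
  case cfg['type']
  when 'service_account'
    { kind: :service_account_key, identity: cfg['client_email'],
      long_lived_secret: !cfg['private_key'].to_s.empty?,
      missing: SA_KEY_FIELDS.select { |f| cfg[f].to_s.empty? } }
  when 'external_account'
    # The impersonated service account appears only inside this URL.
    url = cfg['service_account_impersonation_url'].to_s
    { kind: :workload_identity_federation,
      identity: url[%r{/serviceAccounts/([^:/]+):generateAccessToken\z}, 1],
      long_lived_secret: false, has_client_email: cfg.key?('client_email'),
      missing: WIF_FIELDS.select { |f| cfg[f].nil? } }
  else
    { kind: :unknown, identity: nil, missing: [],
      long_lived_secret: cfg.key?('private_key') }
  end
end

# Constructed sample: shape of a WIF credentials file (all values are placeholders).
SAMPLE_WIF = JSON.generate(
  'type' => 'external_account',
  'audience' => '//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-provider',
  'subject_token_type' => 'urn:ietf:params:oauth:token-type:jwt',
  'token_url' => 'https://sts.googleapis.com/v1/token',
  'service_account_impersonation_url' => 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/deployer@example-project.iam.gserviceaccount.com:generateAccessToken',
  'credential_source' => { 'url' => 'https://example.invalid/oidc-token' }
)
# Constructed sample: shape of a service account key file (placeholder secret).
SAMPLE_KEY = JSON.generate(
  'type' => 'service_account',
  'client_email' => 'deployer@example-project.iam.gserviceaccount.com',
  'private_key' => 'CONSTRUCTED-PLACEHOLDER'
)

if $PROGRAM_NAME == __FILE__
  # Inspect the file named by GOOGLE_APPLICATION_CREDENTIALS, else the WIF sample.
  path = ENV['GOOGLE_APPLICATION_CREDENTIALS']
  p inspect_credentials(path && File.file?(path) ? File.read(path) : SAMPLE_WIF)
end
```

Running this in the workflow right after the auth step shows which kind of file the later fastlane step will be handed.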