feat: add WIF docs, add warning for credentials input (#127)

google-github-actions · Nov 15, 2021 · a9e64a3 · a9e64a3
1 parent 0974f76
commit a9e64a3
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 25 deletions.
diff --git a/.github/workflows/get-secretmanager-secrets-it.yml b/.github/workflows/get-secretmanager-secrets-it.yml
@@ -6,6 +6,10 @@ on:
     - 'main'
   pull_request:
 
+concurrency:
+  group: '${{ github.head_ref || github.ref }}-it'
+  cancel-in-progress: true
+
 jobs:
   gcloud:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
@@ -75,3 +79,31 @@ jobs:
           password:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
     - name: get output
       run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
+
+  wif:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
+    name: with wif
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: google-github-actions/auth@main
+      with:
+        workload_identity_provider: ${{ secrets.WIF_PROVIDER_NAME }}
+        service_account: ${{ secrets.GET_SECRETMANAGER_SECRETS_SA_EMAIL }}
+    - id: build
+      name: Build dist
+      run: |-
+        npm install
+        npm run build
+    - id: secrets
+      name: get secrets
+      uses: ./
+      with:
+        secrets: |-
+          token:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_REF }}
+          password:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
+    - name: get output
+      run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
diff --git a/.github/workflows/get-secretmanager-secrets.yml b/.github/workflows/get-secretmanager-secrets.yml
@@ -2,6 +2,10 @@ name: get-secretmanager-secrets Unit
 
 on: [push, pull_request]
 
+concurrency:
+  group: '${{ github.head_ref || github.ref }}-unit'
+  cancel-in-progress: true
+
 jobs:
   run:
     name: test

diff --git a/README.md b/README.md
@@ -38,8 +38,13 @@ later steps.
 
 ```yaml
 steps:
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
 - id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@main
+  uses: google-github-actions/get-secretmanager-secrets@v0.2.2
   with:
     secrets: |-
       token:my-project/docker-registry-token
@@ -82,10 +87,9 @@ steps:
     <project-id>/<secret-id>
     ```
 
--   `credentials`: (Optional) [Google Service Account JSON][sa] credentials,
-    typically sourced from a [GitHub Secret][gh-secret]. If unspecified, other
-    authentication methods are attempted.
-
+- `credentials`: (**Deprecated**) This input is deprecated. See [auth section](https://github.com/google-github-actions/get-secretmanager-secrets#via-google-github-actionsauth) for more details.
+  [Google Service Account JSON][sa] credentials,
+  typically sourced from a [GitHub Secret][gh-secret].
 
 ## Outputs
 
@@ -118,37 +122,42 @@ will be available in future steps as the output "token":
 There are a few ways to authenticate this action. The caller must have
 permissions to access the secrets being requested.
 
-### Via the setup-gcloud action
+### Via google-github-actions/auth
+
+Use [google-github-actions/auth](https://github.com/google-github-actions/auth) to authenticate the action. You can use [Workload Identity Federation][wif] or traditional [Service Account Key JSON][sa] authentication.
+by specifying the `credentials` input. This Action supports both the recommended [Workload Identity Federation][wif] based authentication and the traditional [Service Account Key JSON][sa] based auth.
 
-You can provide credentials using the [setup-gcloud][setup-gcloud] action:
+See [usage](https://github.com/google-github-actions/auth#usage) for more details.
+
+#### Authenticating via Workload Identity Federation
 
 ```yaml
-- uses: google-github-actions/setup-gcloud@master
+- uses: actions/checkout@v2
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+    service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
+- id: secrets
+  uses: google-github-actions/get-secretmanager-secrets@v0.2.2
   with:
-    project_id: ${{ env.PROJECT_ID}}
-    service_account_key: ${{ secrets.GCP_SA_KEY }}
-    export_default_credentials: true
-- uses: google-github-actions/get-secretmanager-secrets@main
+    secrets: |-
+      token:my-project/docker-registry-token
 ```
 
-The advantage of this approach is that it authenticates all future actions. A
-disadvantage of this approach is that downloading and installing gcloud may be
-heavy for some use cases.
-
-### Via credentials
-
-You can provide [Google Cloud Service Account JSON][sa] directly to the action
-by specifying the `credentials` input. First, create a [GitHub
-Secret][gh-secret] that contains the JSON content, then import it into the
-action:
+#### Authenticating via Service Account Key JSON
 
 ```yaml
+- uses: actions/checkout@v2
+- id: auth
+  uses: google-github-actions/auth@v0.4.0
+  with:
+    credentials_json: ${{ secrets.gcp_credentials }}
 - id: secrets
-  uses: google-github-actions/get-secretmanager-secrets@main
+  uses: google-github-actions/get-secretmanager-secrets@v0.2.2
   with:
-    credentials: ${{ secrets.gcp_credentials }}
     secrets: |-
-      # ...
+      token:my-project/docker-registry-token
 ```
 
 ### Via Application Default Credentials
@@ -168,6 +177,7 @@ Credentials.
 
 
 [sm]: https://cloud.google.com/secret-manager
+[wif]: https://cloud.google.com/iam/docs/workload-identity-federation
 [sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts
 [gh-runners]: https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
 [gh-secret]: https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets

diff --git a/src/main.ts b/src/main.ts
@@ -48,6 +48,15 @@ async function run(): Promise<void> {
     // Get credentials, if any.
     const credentials = core.getInput('credentials');
 
+    // Add warning if using credentials
+    if (credentials) {
+      core.warning(
+        '"credentials" input has been deprecated. ' +
+          'Please switch to using google-github-actions/auth which supports both Workload Identity Federation and JSON Key authentication. ' +
+          'For more details, see https://github.com/google-github-actions/get-secretmanager-secrets#authorization',
+      );
+    }
+
     // Create an API client.
     const client = new Client({
       credentials: credentials,