What does id-token mean in the example below, and what is it used for?
jobs:
  job_id:
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v0'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
The example is from setup-gcloud.
I tried to have a look at doc1 and doc2, but I cannot find any useful information there.
Could you give me some hints/advice?
CodePudding user response:
The id-token permission is used in combination with OpenID Connect. Setting it to write is required in order to request an OpenID Connect JWT token, as described in the docs.
While the example you shared is from setup-gcloud, the part of your workflow that actually needs this is the action google-github-actions/auth. In there, you want to look at the sections on "Workload Identity Federation". More docs are also available on GCP directly: https://cloud.google.com/iam/docs/workload-identity-federation
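To make the answer concrete: with id-token: write granted, the runner exposes ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to the job, the auth action fetches a short-lived JWT from that endpoint, and the Google workload identity provider inspects the token's claims (issuer, audience, repository, ref, and so on) before it hands back a credential for the service account. The script below is an added example, not code from the question, the answer, or google-github-actions. It builds a constructed, unsigned sample token using the claim names GitHub issues, then runs the provider-side checks over it; the audience value is an assumption built from the provider in the question (the auth action's default of the provider resource name prefixed with https://iam.googleapis.com/), and signature verification against the issuer's JWKS is deliberately left out so it runs offline.

```python
import base64
import json
import time

# Issuer of every GitHub Actions OIDC token.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Assumption: the audience google-github-actions/auth requests by default is
# the provider resource name prefixed with https://iam.googleapis.com/.
PROVIDER_AUDIENCE = (
    "https://iam.googleapis.com/projects/123456789/locations/global/"
    "workloadIdentityPools/my-pool/providers/my-provider"
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(repository="my-org/my-repo", ref="refs/heads/main",
                      audience=PROVIDER_AUDIENCE, now=None):
    """Constructed sample token with GitHub's claim names.

    A real token is RS256-signed by GitHub and fetched from
    ACTIONS_ID_TOKEN_REQUEST_URL; this one carries a placeholder signature.
    """
    if now is None:
        now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}  # kid is hypothetical
    claims = {
        "iss": GITHUB_OIDC_ISSUER,
        "sub": f"repo:{repository}:ref:{ref}",
        "aud": audience,
        "repository": repository,
        "repository_owner": repository.split("/")[0],
        "ref": ref,
        "ref_type": "branch",
        "event_name": "push",
        "iat": now,
        "nbf": now,
        "exp": now + 300,  # GitHub tokens are short-lived
    }
    parts = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ]
    return ".".join(parts)


def decode_claims(token: str) -> dict:
    """Return the payload claims; the signature is not checked here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def evaluate_provider_condition(token, expected_audience, allowed_repository,
                                allowed_refs, now=None):
    """Mirror the checks a workload identity provider applies before it
    exchanges the token for a Google credential: issuer, audience, validity
    window, then an attribute condition on repository and ref.

    A real provider first verifies the RS256 signature against the JWKS
    advertised at <issuer>/.well-known/openid-configuration; omitted here.
    """
    if now is None:
        now = int(time.time())
    claims = decode_claims(token)
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token outside its validity window"
    # Equivalent of the provider attribute condition
    #   assertion.repository == 'my-org/my-repo' && assertion.ref == 'refs/heads/main'
    if claims.get("repository") != allowed_repository:
        return False, f"repository {claims.get('repository')!r} not allowed"
    if claims.get("ref") not in allowed_refs:
        return False, f"ref {claims.get('ref')!r} not allowed"
    return True, claims["sub"]


if __name__ == "__main__":
    token = make_sample_token()
    print(decode_claims(token)["sub"])
    print(evaluate_provider_condition(token, PROVIDER_AUDIENCE,
                                      "my-org/my-repo", {"refs/heads/main"}))
```

The attribute condition is the part worth getting right: without a check on repository (and, for deploy branches, on ref), any repository under the same issuer that can obtain a token with your provider as audience could be mapped to the service account.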