Home > Net >  What is the permission scope of id-token in GitHub Action?
What is the permission scope of id-token in GitHub Action?

Time:05-11

What does the id-token mean in the example below and what is the use?

jobs:
  job_id:
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v0'

    - name: 'Use gcloud CLI'
      run: 'gcloud info'

The example is from setup-gcloud

I try to have a look of doc1 and doc2. However, I cannot find any useful information.

May you give me some hints/advice?

CodePudding user response:

The id-token is used in combination with OpenID Connect.

Setting the permissions to write is required in order to request an OpenID Connect JWT Token as described in the docs.

While the example you shared is from setup-gcloud, the part in your workflow that actually needs this, is the action google-github-actions/auth. In there, you want to look at the sections on "Workload Identity Federation". More docs are also available on GCP directly: https://cloud.google.com/iam/docs/workload-identity-federation

  • Related