Authenticate to Google Cloud with OIDC

yaml

- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/pool/providers/provider
    service_account: deployer@example-project.iam.gserviceaccount.com

Explanation

This avoids storing long-lived JSON keys in repository secrets.

View in sheet →

Learn the surrounding workflow

Compare similar commands or jump into common fixes when this command is part of a bigger troubleshooting path.

Compare commands View fixes

Related commands

Same sheet · prioritizing OIDC and fork safety

Enable OIDC token issuance

Grant `id-token: write` when using cloud federation.

Open In sheetyamlsame section

Configure AWS credentials via OIDC

Use the AWS credentials action without long-lived keys.

Open In sheetyamlsame section

Do not expose secrets to untrusted forks

Avoid unsafe patterns for public repo pull requests.

Open In sheetyamlsame section

Set least-privilege token permissions

Limit the default GITHUB_TOKEN scope.

Open In sheetyaml

Grant write access only where needed

Elevate token permissions on a specific job.

Open In sheetyaml

Expose a secret as an environment variable

Use the `secrets` context in step env.

Open In sheetyaml