GitHub Actions workflow is using a Service Account key, when best practice is to authenticate with OIDC (keyless) authentication via workload identity federation
#152 · Open · pputman-clabs opened this issue on Feb 17, 2023 · 0 comments
Expected Behavior
We should switch to using workload identity federation (keyless OIDC) to authenticate to GCP instead of service accounts with keys.
Here are two example workflows:
https://github.com/celo-org/akeyless/blob/main/.github/workflows/container-cicd.yaml
https://github.com/celo-org/celo-oracle/blob/f6b50aa6059bdf726dd25dd7543d8d0599c4d150/.github/workflows/build_push_docker.yml
If you need help setting up workload identity federation please let me know, we have a setup for it already but I'll need some information on which GCP project you're pushing this image to, and the name of the service account it's using. see https://github.com/google-github-actions/auth for more details
Current Behavior
https://github.com/celo-org/celo-oracle/blob/f6b50aa6059bdf726dd25dd7543d8d0599c4d150/.github/workflows/build_push_docker.yml uses a service account key, which is not recommended and is a potential security risk.
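The two patterns the issue contrasts, shown as an added example rather than the celo-oracle project's own workflow: the first document is the key-based form (a long-lived JSON key stored as a repository secret), the second is the keyless form that google-github-actions/auth supports through workload identity federation. Every project number, pool, provider, service-account address, registry path and secret name below is a placeholder, not a value taken from the linked repositories.

```yaml
# Added example (not from celo-org): service-account key vs. workload identity federation.
# All identifiers are placeholders.

# --- BEFORE: the pattern the issue objects to ---------------------------------
# A JSON service-account key is exported once, pasted into a repository secret,
# and never expires on its own. Anyone who reads the secret (or an old copy of
# it) can act as the service account from anywhere, with no tie to this repo.
name: build-push-docker (service-account key)
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}   # placeholder secret holding the exported key
---
# --- AFTER: keyless authentication via workload identity federation ----------
# The job asks GitHub for a short-lived OIDC token, exchanges it at the
# workload identity pool for a short-lived GCP access token, and impersonates
# the service account. Nothing long-lived is stored in the repository.
name: build-push-docker (workload identity federation)
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write        # required: without this the job cannot mint an OIDC token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          # Placeholders: project number, pool ID, provider ID, service-account address.
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
          service_account: ci-image-pusher@example-project.iam.gserviceaccount.com
          token_format: access_token   # expose a short-lived token for the registry login below
      # Log in to Artifact Registry with the ephemeral token instead of a key file.
      - uses: docker/login-action@v3
        with:
          registry: us-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - uses: docker/build-push-action@v5
        with:
          push: true
          tags: us-docker.pkg.dev/example-project/images/celo-oracle:${{ github.sha }}   # placeholder path
```

Two checks on the GCP side decide whether the keyless form is actually safer. First, the pool provider must map `attribute.repository=assertion.repository` and the service account's `roles/iam.workloadIdentityUser` binding must be granted to the narrow `principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/github-pool/attribute.repository/ORG/REPO` member (placeholders again), or to an equally narrow attribute condition on the provider; a binding on the whole pool would let any GitHub repository that reaches the provider impersonate the account. Second, the service account should hold only what the push needs (for example `roles/artifactregistry.writer` on the target repository), since the OIDC token replaces the key but not the blast radius of an over-privileged account.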