Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Authenticate with workload federation credential file instead of service account key

See original GitHub issue

The use case you’re trying to solve

I would like to use a federated credential file from the auth action to configure the firebase deploy

Change to the action that would solve that use case

- id: auth
   name: Authenticate to Google Cloud
   uses: google-github-actions/auth@v0.3.1
   with:
       create_credentials_file: true
       workload_identity_provider: ...
       service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}

  - name: 🚀 Firebase Deploy
        uses: FirebaseExtended/action-hosting-deploy@v0
        with:
          repoToken: '${{ secrets.GITHUB_TOKEN }}'
          credentials_file_path: ${{ steps.auth.output.credentials_file_path }}
          projectId: '${{ secrets.PROJECT_ID }}'
          channelId: live
        env:
          FIREBASE_CLI_PREVIEWS: hostingchannels

Issue Analytics

State:
Created 2 years ago
Reactions:6
Comments:15

Top GitHub Comments

3reactions

zakariazuckcommented, Mar 21, 2022

Hi!

I was stuck in this problem. IDK if this concerns you: ⛔ Issue : I manually created the firebaseServiceAccount token using $ firebase login:ci and save it in github actions secrets and it didn’t work. ✅ Solution : I ran $ firebase init hosting:github and in one of the steps it did automatically upload a new token to github actions secrets. And now it’s working fine.

Cheers

2reactions

rasendubicommented, Nov 11, 2022

You can use the following snippet to use google-github-actions/auth-generated credential file with action-hosting-deploy:

- id: auth
  uses: 'google-github-actions/auth@v1'
  with:
    workload_identity_provider: ...
    service_account: ...
    create_credentials_file: true

- run: |
    echo "SERVICE_ACCOUNT_KEY=$(cat "${{ steps.auth.outputs.credentials_file_path }}" | tr -d '\n')" >> $GITHUB_ENV

- uses: FirebaseExtended/action-hosting-deploy@v0
  with:
    firebaseServiceAccount: "${{ env.SERVICE_ACCOUNT_KEY }}"

Top Results From Across the Web

Enable keyless access to GCP with workload Identity Federation

With workload Identity federation, you can securely operate your workloads and no longer have to worry about managing service account keys.

Authenticate to Google Cloud · Actions · GitHub Marketplace

Workload Identity Federation is recommended over Service Account Keys as it obviates the need to export a long-lived credential and establishes a trust ......

Keyless authentication to Google Cloud Platform using ...

Workload Identity Federation enables applications running outside the Google Cloud to replace long lived Service account keys with temporary ...

Workload Identity Federation with Google Cloud - Datatonic

It does not need an external key since, due to Workload Identity Federation, we won't be using external authentication to activate it. You...

Use gcloud with credentials from identity federation with OIDC ...

However, it's not clear how to authenticate the gcloud SDK itself. Normally, using a service account key, one would run gcloud auth activate-service-account...