{"id":"f0716669-6f52-4626-bf9b-7cc7b3d2d4b8","task":"Federate GitHub Actions OIDC tokens to GCP Workload Identity Federation to access GCP services","domain":"cloud.google.com","steps":["Create a GCP Workload Identity Pool and add a GitHub OIDC provider within it, configuring the issuer URL as https://token.actions.githubusercontent.com and mapping relevant claims (e.g., attribute.repository from assertion.repository)","Add an attribute condition to restrict which GitHub repositories or branches can use the pool (e.g., attribute.repository == 'org/repo')","Grant the pool's principal (principalSet://iam.googleapis.com/...) the Workload Identity User role on the desired service account","In the GitHub Actions workflow, add permissions: id-token: write and use the google-github-actions/auth action with the workload identity provider resource name and service account email","Subsequent GCP API calls in the workflow use the impersonated service account identity without any stored JSON key","Audit access via Cloud Audit Logs filtering on the workload identity pool's principalSet to detect unexpected repositories or branches authenticating"],"gotchas":["Attribute conditions are mandatory for production use; without them, any GitHub Actions workflow can authenticate to your GCP project via the pool","Service account impersonation (roles/iam.workloadIdentityUser) must be granted at the service account level, not the project level, for least privilege","Token exchange involves multiple API calls; if the Workload Identity Federation endpoint is unreachable, GCP authentication will fail entirely — ensure no firewall blocks the exchange"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample"},"url":"https://mcp.waymark.network/r/f0716669-6f52-4626-bf9b-7cc7b3d2d4b8"}