GCP Workload Identity Federation Setup for CI/CD
A media-monitoring / data-orchestration platform
Overview
Infrastructure setup scripts that configure Google Cloud Workload Identity Federation so GitHub Actions can deploy to the platform’s GCP projects without long-lived service-account keys.
Why It Exists
Keyless, federated authentication is the secure way to let CI/CD pipelines act against Google Cloud. Standing up the identity pool, provider, and IAM bindings by hand is error-prone, so these scripts codify the process for the platform’s repositories.
What We Built
Shell scripts that create a federated identity pool and GitHub Actions provider, bind them to service accounts with least-privilege IAM, and wire specific repositories (the search service and the Airflow pipeline) to deploy via Workload Identity Federation. The scripts resolve project numbers dynamically and target the relevant GCP projects, providing a repeatable setup for staging.
Technologies & Approach
Bash (with set -euo pipefail) driving the gcloud CLI to configure IAM Workload Identity pools, OIDC providers, and service-account bindings for GitHub Actions: the keyless authentication pattern for CI/CD on GCP.
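The procedure described above (create the pool and GitHub OIDC provider, resolve the project number, bind each repository to its deploy service account with roles/iam.workloadIdentityUser), written out as an added example. This is not the platform's own script; the project ID, organisation, pool, provider, repository and service-account names are assumed placeholders. The gcloud commands are printed by default and only executed when APPLY=1, so the IAM changes can be reviewed first.

```bash
#!/usr/bin/env bash
# Added example: GitHub Actions -> GCP Workload Identity Federation setup.
# Not the project's own code. All IDs below are assumed placeholders.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-example-staging-project}"   # assumed placeholder
POOL_ID="${POOL_ID:-github-pool}"                      # assumed placeholder
PROVIDER_ID="${PROVIDER_ID:-github-provider}"          # assumed placeholder
GITHUB_ORG="${GITHUB_ORG:-example-org}"                # assumed placeholder
APPLY="${APPLY:-0}"   # 0 = print the gcloud commands only, 1 = execute them

# Print a command (shell-quoted) and run it only when APPLY=1.
run() {
  printf '+'; printf ' %q' "$@"; printf '\n'
  if [ "$APPLY" = "1" ]; then "$@"; fi
}

# Resolve the project number dynamically when applying; a fixed marker otherwise.
project_number() {
  if [ "$APPLY" = "1" ]; then
    gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)'
  else
    echo "PROJECT_NUMBER"
  fi
}

# Repositories must be given as owner/name; anything else is rejected before
# it can end up in an IAM member string.
valid_repo() {
  local re='^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$'
  [[ "$1" =~ $re ]]
}

# Member that lets one repository, and only that repository, impersonate a
# service account. Scoping to attribute.repository instead of the whole pool
# is what keeps the binding least-privilege.
wif_member() {
  local project_number="$1" pool="$2" repo="$3"
  echo "principalSet://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool}/attribute.repository/${repo}"
}

# Provider-level condition: reject tokens from repositories outside our org,
# even if someone later adds an over-broad binding.
attribute_condition() {
  local org="$1"
  echo "assertion.repository_owner == '${org}'"
}

create_pool_and_provider() {
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="GitHub Actions pool"
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --display-name="GitHub OIDC" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
    --attribute-condition="$(attribute_condition "$GITHUB_ORG")"
}

# Bind a single repository to a single deploy service account.
bind_repo() {
  local repo="$1" sa_email="$2" project_number
  valid_repo "$repo" || { echo "refusing malformed repository: $repo" >&2; return 1; }
  project_number="$(project_number)"
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(wif_member "$project_number" "$POOL_ID" "$repo")"
}

main() {
  create_pool_and_provider
  # Assumed repository and service-account names standing in for the search
  # service and the Airflow pipeline; one service account per repository.
  bind_repo "${GITHUB_ORG}/search-service" "search-deployer@${PROJECT_ID}.iam.gserviceaccount.com"
  bind_repo "${GITHUB_ORG}/airflow-pipeline" "airflow-deployer@${PROJECT_ID}.iam.gserviceaccount.com"
}

main
```

On the consuming side, each workflow needs `permissions: id-token: write` and authenticates with the google-github-actions/auth action, passing the provider resource name and the service-account email; no key file is stored in the repository. The two checks worth keeping when adapting this are the provider attribute condition (without it the provider accepts tokens from any GitHub repository whose claims match a binding) and the per-repository member (binding the whole pool would let every repository in the org impersonate every bound service account).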
Outcome / Impact
Gives the platform’s pipelines secure, key-free deployment access to Google Cloud, eliminating the long-lived service-account keys that could otherwise leak.
Capabilities Demonstrated
- Keyless CI/CD via Workload Identity Federation
- Least-privilege IAM automation on GCP
- Reproducible, scripted cloud security setup