
How to Set Up Google Cloud Credentials for Automation (GitHub Actions, GCP, Service Account)

In this article, I will show you how to set up Google Cloud Platform (GCP) automation credentials by creating a service account. Then you can use the generated credentials (keys) to automate access using the gcloud command line tool, GitHub Actions, CircleCI, etc.

info

These instructions were written and tested on a Mac.

This article was mostly written by ChatGPT and I just cleaned it up.

Step 1. Create a Service Account

A service account is a special kind of account used by applications, not people. It's intended to provide specific, scoped access to your GCP resources.

1.1. In the Google Cloud console, open IAM & Admin > Service Accounts and select your project

1.2. Create a Service Account

  • Click on Create Service Account
  • Fill in the service account name and description
  • Click Create

1.3. Grant this service account access to the project

  • Assign the role needed to perform the tasks

For uploading files to a bucket, Storage Object Creator (roles/storage.objectCreator) is enough: it can write new objects but cannot list, read, overwrite or delete them. Storage Object Admin (roles/storage.objectAdmin) also allows deleting and overwriting objects, so choose it only if the pipeline actually needs that. Where possible, grant the role on the specific bucket (via the bucket's Permissions tab) rather than on the whole project, so the account cannot touch other buckets.

Be careful with the permissions; adhere to the principle of least privilege.

1.4. Create a key

  • Open the new service account, switch to the Keys tab and click Add Key > Create new key
  • Choose the JSON key type; this downloads a JSON file containing the private key
  • Secure this file: anyone who holds it can act as the service account until the key is disabled or deleted
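The same four steps from the gcloud command line, as an added example that is not part of the original article. The project id (my-project), service account name (gcs-uploader), bucket (my-bucket) and key file name are assumptions. It binds the role on the bucket rather than on the whole project, which is the tighter form of the least-privilege advice above, and it ends with a check you can run on any downloaded key file before pasting it into a secret.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: project
# "my-project", service account "gcs-uploader", bucket "my-bucket".
set -eu

# The e-mail GCP derives from a project id and a service account id.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

# Step 1 end to end: create the account, grant it object creation on ONE
# bucket, and download a JSON key for it.
create_uploader() {
  project=$1; name=$2; bucket=$3; keyfile=$4
  email=$(sa_email "$project" "$name")

  gcloud iam service-accounts create "$name" \
    --project="$project" \
    --display-name="CI uploader for $bucket"

  # Bucket-level binding: the role applies to this bucket only.
  # objectCreator can write objects but not list, read, overwrite or delete.
  gcloud storage buckets add-iam-policy-binding "gs://$bucket" \
    --member="serviceAccount:$email" \
    --role=roles/storage.objectCreator

  # Mint and download the long-lived key. This file is the secret to protect.
  gcloud iam service-accounts keys create "$keyfile" \
    --iam-account="$email" \
    --project="$project"
  chmod 600 "$keyfile"
}

# Sanity-check a downloaded key file before storing it as a secret: it must
# be a service-account key (not a user credential), carry a private key and
# a service-account e-mail, and not be readable by other local users.
verify_key_file() {
  f=$1
  [ -f "$f" ] || return 1
  grep -q '"type": *"service_account"' "$f" || return 1
  grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$f" || return 1
  grep -q '"client_email": *"[^"]*\.iam\.gserviceaccount\.com"' "$f" || return 1
  chmod 600 "$f"
  return 0
}

# Usage (not run automatically):
# create_uploader my-project gcs-uploader my-bucket ./gcs-uploader.json
# verify_key_file ./gcs-uploader.json && echo "key file looks sane"
```

Running verify_key_file before Step 2 catches the two common mix-ups: pasting an authorized_user credential from gcloud auth application-default login instead of a service-account key, and leaving the key world-readable on the laptop.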

Step 2. Secure the Service Account Key

The downloaded JSON file is what you'll use to authenticate your GitHub Action with Google Cloud. Never commit it to the repository: a key that lands in git history has to be treated as leaked and rotated, even if the commit is later removed. Instead:

2.1. Go to Your Repository on GitHub

  • Open the repository where you want to use the GitHub Action

2.2. Store the JSON Key as a Secret

In the repo:

  • Navigate to Settings > Secrets and variables > Actions
  • Click on New repository secret
  • Name the secret (e.g., GCP_SA_KEY) and paste the entire JSON file content into the value field
  • Once the secret is saved, delete the local copy of the key file

Step 3. Use the Service Account Key in GitHub Actions

In a GitHub Actions workflow file (a .yml file under .github/workflows), you can use the secret as an environment variable or directly in steps.

For example:

- name: Authorize GCP
  uses: 'google-github-actions/auth@v2'
  with:
    credentials_json: ${{ secrets.GCP_SA_KEY }}

# Install the gcloud CLI; it picks up the credentials exported by the step above
- name: Set up Cloud SDK
  uses: google-github-actions/setup-gcloud@v2
  with:
    version: '>= 363.0.0'
    project_id: ${{ secrets.GCP_PROJECT_ID }}

In this snippet, ${{ secrets.GCP_SA_KEY }} will be replaced by the content of the GCP_SA_KEY secret you set in your repository's settings, effectively authenticating your GitHub Action with Google Cloud.

tip

For a little bit of extra security I prefer to store the GCP project id as a secret too.

At least set it up as a regular variable so it's not hard coded in your action.

Step 4. Additional Security Measures

4.1 Least Privilege

Ensure the service account has only the permissions necessary to perform its tasks. Avoid roles with extensive permissions unless absolutely necessary.

4.2 Audit and Rotate Keys

Regularly review who can download or use your service account keys (anyone who can administer the service account, and anyone with write access to the repository secrets). Rotate keys on a schedule, and immediately if one may have been exposed; disable keys that are no longer in use and delete them once nothing breaks. Better still, avoid long-lived keys altogether where you can: the google-github-actions/auth action also supports Workload Identity Federation, which issues short-lived credentials to the workflow with no JSON key to store or rotate.
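An audit-and-rotate script, as an added example that is not part of the original article. It lists the user-managed keys of a service account, flags the ones older than a cutoff, and rotates the key a workflow uses by minting a new one, pushing it straight into the GitHub secret from Step 2.2 with the gh CLI, and then disabling the old one. The service account e-mail, repository (owner/repo), secret name and the 90-day cutoff are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: a service
# account e-mail, GitHub repo "owner/repo", secret "GCP_SA_KEY".
set -eu

# Print "<key resource name>\t<validAfterTime>" for every user-managed key.
# (System-managed keys are rotated by Google and cannot be downloaded.)
list_user_keys() {
  gcloud iam service-accounts keys list \
    --iam-account="$1" --managed-by=user \
    --format='value(name,validAfterTime)'
}

# Read "<name>\t<validAfterTime>" lines on stdin and print the ids of keys
# created before CUTOFF. Both are RFC 3339 UTC timestamps, which sort
# correctly as plain strings, so no date parsing is needed. The key id is
# the last path component of the resource name.
stale_keys() {
  cutoff=$1
  awk -F'\t' -v cutoff="$cutoff" '
    NF >= 2 && $2 < cutoff {
      n = split($1, parts, "/")
      print parts[n]
    }'
}

# "N days ago" as RFC 3339 UTC; GNU date and BSD/macOS date differ here.
cutoff_days_ago() {
  date -u -d "$1 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -v-"$1"d +%Y-%m-%dT%H:%M:%SZ
}

# Rotate: mint a new key, load it into the GitHub secret, then disable the
# old key. Disabling rather than deleting lets you re-enable it if some
# pipeline still depends on it; delete it once the new key has been seen
# working.
rotate_key() {
  sa=$1; repo=$2; secret=$3; old_key_id=$4
  tmp=$(mktemp)
  gcloud iam service-accounts keys create "$tmp" --iam-account="$sa"
  gh secret set "$secret" --repo "$repo" < "$tmp"
  rm -f "$tmp"   # the new key now lives only in GitHub's secret store
  gcloud iam service-accounts keys disable "$old_key_id" --iam-account="$sa"
}

# Usage (not run automatically):
# sa=gcs-uploader@my-project.iam.gserviceaccount.com
# list_user_keys "$sa" | stale_keys "$(cutoff_days_ago 90)"
# rotate_key "$sa" owner/repo GCP_SA_KEY <old-key-id>
```

Running list_user_keys | stale_keys on a cron schedule and alerting on any output is a cheap way to notice keys that were created and forgotten; gcloud iam service-accounts keys delete with the same arguments as disable removes a key for good.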

Conclusion

In this article you learned how to create credentials for the Google Cloud Platform that can be used in automation. Now you can create pipelines in GitHub Actions, etc. to run automated tasks on your behalf.

By following these steps, your pipeline should be able to securely authenticate with Google Cloud and perform tasks like uploading files to a GCS bucket. Remember to handle your service account keys with care, as they provide direct access to your Google Cloud resources.