GitHub Actions + Terraform + GCP\uff08OIDC\uff09\u5728\u4e2d\u56fd\u672c\u571f\u5316\u540e\u52a0\u4ee5\u5229\u7528\u3002<\/p>\n
\u6b65\u9aa4<\/p>\n
\u5728GitHub Actions\u4e2d\u521b\u5efa\u4e00\u4e2aService Account\u5e76\u6388\u4e88Editor\u89d2\u8272\u3002\uff08\u6b64\u6b21\u5728\u63a7\u5236\u53f0\u4e0a\u8fdb\u884c\u64cd\u4f5c\u3002\uff09<\/p>\n
\u8bbe\u5b9a\u53d8\u91cf<\/p>\n
export <\/span>PROJECT_ID<\/span>=<\/span><your project id<\/span>><\/span>\r\nexport <\/span>POOL_NAME<\/span>=<\/span><pool name> # github-actions <\/span>\r\nexport <\/span>PROVIDER_NAME<\/span>=<\/span><provider name> # gha-provider<\/span>\r\nexport <\/span>SA_EMAIL<\/span>=<\/span><service_account name>@<project_name>.iam.gserviceaccount.com\r\nexport <\/span>GITHUB_REPO<\/span>=<\/span><org>\/<repo_name>\r\n<\/code><\/pre>\n\u542f\u7528iamcredentials API<\/p>\n
gcloud services enable <\/span>iamcredentials.googleapis.com --project<\/span> \"<\/span>${<\/span>PROJECT_ID<\/span>}<\/span>\"<\/span>\r\n<\/code><\/pre>\n\u5c06 workload-identity-pools \u521b\u5efa\u5e76\u5c06\u5176 ID \u5b58\u50a8\u5728\u53d8\u91cf WORKLOAD_IDENTITY_POOL_ID \u4e2d\u3002<\/p>\n
gcloud iam workload-identity-pools create \"<\/span>${<\/span>POOL_NAME<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --project<\/span>=<\/span>\"<\/span>${<\/span>PROJECT_ID<\/span>}<\/span>\"<\/span> --location<\/span>=<\/span>\"global\"<\/span> \\<\/span>\r\n --display-name<\/span>=<\/span>\"use from GitHub Actions\"<\/span>\r\nexport <\/span>WORKLOAD_IDENTITY_POOL_ID<\/span>=<\/span>$(<\/span> \\<\/span>\r\n gcloud iam workload-identity-pools describe \"<\/span>${<\/span>POOL_NAME<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --project<\/span>=<\/span>\"<\/span>${<\/span>PROJECT_ID<\/span>}<\/span>\"<\/span> --location<\/span>=<\/span>\"global\"<\/span> \\<\/span>\r\n --format<\/span>=<\/span>\"value(name)\"<\/span> \\<\/span>\r\n )<\/span>\r\n<\/code><\/pre>\n\u786e\u8ba4 WORKLOAD_IDENTITY_POOL_ID \u7684\u5185\u5bb9<\/p>\n
echo $WORKLOAD_IDENTITY_POOL_ID\r\n<\/code><\/pre>\n\u4e3aGitHub\u521b\u5efaOIDC providers\u7684\u5de5\u4f5c\u8d1f\u8f7d\u8eab\u4efd\u6c60\u3002<\/p>\n
gcloud iam workload-identity-pools providers create-oidc \"<\/span>${<\/span>PROVIDER_NAME<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --project<\/span>=<\/span>\"<\/span>${<\/span>PROJECT_ID<\/span>}<\/span>\"<\/span> --location<\/span>=<\/span>\"global\"<\/span> \\<\/span>\r\n --workload-identity-pool<\/span>=<\/span>\"<\/span>${<\/span>POOL_NAME<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --display-name<\/span>=<\/span>\"use from GitHub Actions provider\"<\/span> \\<\/span>\r\n --attribute-mapping<\/span>=<\/span>\"google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.actor=assertion.actor,attribute.aud=assertion.aud\"<\/span> \\<\/span>\r\n --issuer-uri<\/span>=<\/span>\"https:\/\/token.actions.githubusercontent.com\"<\/span>\r\n<\/code><\/pre>\n\u5c06\u670d\u52a1\u8d26\u53f7\u7ed1\u5b9a\u5230\u7b56\u7565 (\u7ed1\u5b9a\u7b56\u7565\u5230\u670d\u52a1\u8d26\u53f7)<\/p>\n
gcloud iam service-accounts add-iam-policy-binding \"<\/span>${<\/span>SA_EMAIL<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --project<\/span>=<\/span>\"<\/span>${<\/span>PROJECT_ID<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --role<\/span>=<\/span>\"roles\/iam.workloadIdentityUser\"<\/span> \\<\/span>\r\n --member<\/span>=<\/span>\"principalSet:\/\/iam.googleapis.com\/<\/span>${<\/span>WORKLOAD_IDENTITY_POOL_ID<\/span>}<\/span>\/attribute.repository\/<\/span>${<\/span>GITHUB_REPO<\/span>}<\/span>\"<\/span>\r\n<\/code><\/pre>\n\u63cf\u8ff0\u63d0\u4f9b\u8005\uff0c\u5e76\u786e\u8ba4\u5de5\u4f5c\u8d1f\u8f7d\u8eab\u4efd\u63d0\u4f9b\u8005\u3002<\/p>\n
gcloud iam workload-identity-pools providers describe \"<\/span>${<\/span>PROVIDER_NAME<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --project<\/span>=<\/span>\"<\/span>${<\/span>PROJECT_ID<\/span>}<\/span>\"<\/span> --location<\/span>=<\/span>\"global\"<\/span> \\<\/span>\r\n --workload-identity-pool<\/span>=<\/span>\"<\/span>${<\/span>POOL_NAME<\/span>}<\/span>\"<\/span> \\<\/span>\r\n --format<\/span>=<\/span>\"value(name)\"<\/span>\r\n<\/code><\/pre>\n\u7ed3\u679c: workload_identity_provider\uff08GitHub Actions\u914d\u7f6e\u9700\u8981\u8bb0\u4e0b\u6765\u5907\u5fd8\uff09<\/p>\n
projects\/<id>\/locations\/global\/workloadIdentityPools\/<pool_name>\/providers\/<provider_name>\r\n<\/code><\/pre>\n2. \u521b\u5efa(GCP)\u4e91\u5b58\u50a8\u5b58\u50a8\u6876<\/h2>\n
\u9009\u62e9Region\u4e3aasia-northeast1\uff08\u4e1c\u4eac\uff09\uff0c\u5176\u4f59\u5168\u90e8\u4f7f\u7528\u9ed8\u8ba4\u8bbe\u7f6e\u521b\u5efa\u5b58\u50a8\u6876\u3002<\/p>\n
3. \u51c6\u5907terraform\u4ee3\u7801\u3002<\/h2>\n
\u672c\u6b21\uff0c\u6211\u4eec\u5c06\u628aTerraform\u7684\u4ee3\u7801\u653e\u5728\u540d\u4e3agcp\u7684\u6587\u4ef6\u5939\u4e0b\uff08\u901a\u8fc7GitHub Actions\u7684WORKING_DIR\u53c2\u6570\u8bbe\u7f6e\u4e3agcp\uff0c\u6216\u8005\u786e\u4fdd\u5728gcp\u6587\u4ef6\u5939\u5185\u8fdb\u884c\u4ee3\u7801\u66f4\u6539\u4ee5\u4f7fGitHub Actions\u6b63\u5e38\u8fd0\u884c\uff09\u3002<\/p>\n
terraform<\/span> {<\/span>\r\n required_providers<\/span> {<\/span>\r\n google<\/span> =<\/span> {<\/span>\r\n source<\/span> =<\/span> \"hashicorp\/google\"<\/span>\r\n version<\/span> =<\/span> \"~> 4.0\"<\/span> # OIDC https:\/\/github.com\/hashicorp\/terraform-provider-google\/releases\/tag\/v3.61.0 or later<\/span>\r\n }<\/span>\r\n }<\/span>\r\n\r\n backend<\/span> \"gcs\"<\/span> {<\/span>\r\n bucket<\/span> =<\/span> \"<bucket_name>\"<\/span>\r\n prefix<\/span> =<\/span> \"state\"<\/span> # any prefix is ok.<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nterraform init\r\n<\/code><\/pre>\n\u8bf7\u5c06.terraform.lock.hcl\u4e5f\u5b89\u88c5\u597d\u3002<\/p>\n
\u6bcf\u6b21\u8fd0\u884c terraform init \u547d\u4ee4\u65f6\uff0cTerraform \u4f1a\u81ea\u52a8\u521b\u5efa\u6216\u66f4\u65b0\u4f9d\u8d56\u9501\u5b9a\u6587\u4ef6\u3002\u4f60\u5e94\u8be5\u5c06\u8be5\u6587\u4ef6\u5305\u542b\u5728\u4f60\u7684\u7248\u672c\u63a7\u5236\u5e93\u4e2d\u3002<\/p><\/blockquote>\n
<\/p>\n
4. \u521b\u5efaGitHub Actions<\/h2>\n
\u4ece\u4e4b\u524d\u8bbe\u7f6e\u7684\u670d\u52a1\u5e10\u6237\u4e2d\u83b7\u53d6\u6240\u9700\u4fe1\u606f\u3002<\/p>\n
workload_identity_provider: projects\/\/locations\/global\/workloadIdentityPools\/\/providers\/<\/p>\n
service_account: @.iam.gserviceaccount.com<\/p>\n
\u6211\u5011\u9019\u6b21\u8981\u505a\u7684GitHub Actions\u662f\uff1a<\/p>\n
\n- \n
\u5f53\u6709\u4e86\u8ba1\u5212\u5e76\u5728\u516c\u5173\u4e2d\u8fdb\u884c\u4e86\u8bc4\u8bba\u540e\uff0c\u5373\u53ef\u5728\u516c\u5173\u4e2d\u5199\u4e0b\u7ed3\u679c\u3002<\/ol>\n<\/li>\n<\/ol>\n\u5f53\u5408\u5e76\u5230\u4e3b\u5206\u652f\u540e\uff0c\u8bf7\u5e94\u7528\u3002<\/p>\n
name<\/span>:<\/span> gcp<\/span>\r\non<\/span>:<\/span>\r\n pull_request<\/span>:<\/span>\r\n paths<\/span>:<\/span>\r\n -<\/span> '<\/span>gcp\/**'<\/span>\r\n -<\/span> '<\/span>!gcp\/**md'<\/span>\r\n -<\/span> '<\/span>.github\/workflows\/gcp.yml'<\/span>\r\n branches<\/span>:<\/span>\r\n -<\/span> main<\/span>\r\n push<\/span>:<\/span>\r\n paths<\/span>:<\/span>\r\n -<\/span> '<\/span>gcp\/**'<\/span>\r\n -<\/span> '<\/span>!gcp\/**md'<\/span>\r\n -<\/span> '<\/span>