feat: wif authentication for google buckets (#1254)

ricky-undeadcoders · web-flow · commit bc6c0a6a58fb · 2025-09-10T17:17:09.000Z
* feat: WIP authentication for GCS

* Fix code issue and apply recommended change
diff --git a/actions/login-to-gcs/README.md b/actions/login-to-gcs/README.md
@@ -38,11 +38,12 @@ $ gcloud storage cp OBJECT_LOCATION gs://DESTINATION_BUCKET_NAME
 
 ## Inputs
 
-| Name              | Type   | Description                                                                                                       |
-| ----------------- | ------ | ----------------------------------------------------------------------------------------------------------------- |
-| `bucket`          | String | Name of bucket to upload to. Will default to grafanalabs-${repository.name}-${environment}                        |
-| `environment`     | String | Environment for pushing artifacts (can be either dev or prod).                                                    |
-| `service_account` | String | Service account to use for authentication. Use it only when the service account is different than the default one |
+| Name              | Type    | Description                                                                                                       |
+| ----------------- | ------- | ----------------------------------------------------------------------------------------------------------------- |
+| `bucket`          | String  | Name of bucket to upload to. Will default to grafanalabs-${repository.name}-${environment}                        |
+| `environment`     | String  | Environment for pushing artifacts (can be either dev or prod).                                                    |
+| `service_account` | String  | Service account to use for authentication. Use it only when the service account is different than the default one |
+| `use_wif_auth`    | Boolean | Use WIF authentication. Overrides the `service_account` input.                                                    |
 
 ## Outputs
 
diff --git a/actions/login-to-gcs/action.yaml b/actions/login-to-gcs/action.yaml
@@ -18,6 +18,11 @@ inputs:
       Delete the credentials file after the action is finished.
       If you want to keep the credentials file for a later step, set this to false.
     default: "false"
+  use_wif_auth:
+    description: |
+      Use WIF for authentication instead of service account.
+    required: false
+    default: "false"
 
 outputs:
   bucket:
@@ -58,20 +63,25 @@ runs:
         fi
         echo "bucket=${BUCKET}" | tee -a ${GITHUB_OUTPUT}
 
-        # Construct service account
-        if [[ "${SERVICE_ACCOUNT}" == "" ]]; then
-          SERVICE_ACCOUNT="github-${{ github.repository_id }}-${ENVIRONMENT}-gcs@grafanalabs-workload-identity.iam.gserviceaccount.com"
+        # set up a service account only if we're NOT using WIF auth.
+        if [[ "${USE_WIF_AUTH}" != "true" ]]; then
+          # Construct service account
+          if [[ "${SERVICE_ACCOUNT}" == "" ]]; then
+            SERVICE_ACCOUNT="github-${{ github.repository_id }}-${ENVIRONMENT}-gcs@grafanalabs-workload-identity.iam.gserviceaccount.com"
+          fi
+          echo "service_account=${SERVICE_ACCOUNT}" | tee -a ${GITHUB_OUTPUT}
         else
-          SERVICE_ACCOUNT="${SERVICE_ACCOUNT}"
+          echo "service_account=" | tee -a ${GITHUB_OUTPUT}
         fi
-        echo "service_account=${SERVICE_ACCOUNT}" | tee -a ${GITHUB_OUTPUT}
       env:
         BUCKET: ${{ inputs.bucket }}
         ENVIRONMENT: ${{ inputs.environment }}
         SERVICE_ACCOUNT: ${{ inputs.service_account }}
+        USE_WIF_AUTH: ${{ inputs.use_wif_auth }}
     - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
       id: gcloud-auth
       with:
+        project_id: "grafanalabs-workload-identity"
         workload_identity_provider: "projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider"
         service_account: ${{ steps.construct-account-vars.outputs.service_account }}
     - name: Delete Google Application Credentials file
diff --git a/actions/push-to-gcs/README.md b/actions/push-to-gcs/README.md
@@ -126,6 +126,10 @@ jobs:
 | `parent`                  | String  | Whether parent dir should be included in GCS destination. Dirs included in the `glob` statement are unaffected by this setting.                                                              |
 | `predefinedAcl`           | String  | Predefined ACL applied to the uploaded objects. Default is `projectPrivate`. See [Google Documentation][gcs-docs-upload-options] for a list of available options.                            |
 | `delete_credentials_file` | Boolean | Delete the credentials file after the action is finished. If you want to keep the credentials file for a later step, set this to false. (Default: `true`)                                    |
+| `use_wif_auth`            | Boolean | Use WIF authentication. Overrides the `service_account` input.                                                                                                                               |
+
+> [!TIP]
+> To use WIF authentication you must enable `uniform_bucket_level_access` on the destination bucket. If you are at Grafana Labs, instructions can be found [here](https://enghub.grafana-ops.net/docs/default/component/deployment-tools/platform/continuous-integration/google-artifact-registry/). More info can be found in [Google's docs](https://cloud.google.com/storage/docs/uniform-bucket-level-access).
 
 ## Outputs
 
diff --git a/actions/push-to-gcs/action.yaml b/actions/push-to-gcs/action.yaml
@@ -45,6 +45,11 @@ inputs:
     description: |
       If true, then upload files with `content-encoding: gzip`
     default: "true"
+  use_wif_auth:
+    description: |
+      Use WIF for authentication instead of service account.
+    required: false
+    default: "false"
 
 outputs:
   uploaded:
@@ -87,6 +92,7 @@ runs:
         environment: ${{ inputs.environment }}
         service_account: ${{ inputs.bucket && inputs.service_account || '' }}
         delete_credentials_file: false
+        use_wif_auth: ${{ inputs.use_wif_auth }}
     - name: Construct path
       id: construct-path
       shell: bash
@@ -106,7 +112,7 @@ runs:
         glob: ${{ inputs.glob }}
         destination: ${{ steps.construct-path.outputs.destination }} # bucket name plus folder prefix (if applicable)
         parent: ${{ inputs.parent }}
-        predefinedAcl: ${{ inputs.predefinedAcl }}
+        predefinedAcl: ${{ inputs.use_wif_auth == 'true' && ' ' || inputs.predefinedAcl }} # when using WIF auth, we cannot use predefinedAcl
         gzip: ${{ inputs.gzip }}
         process_gcloudignore: false
 
