Infrastructure · 2025

GCP Workload Identity Federation & SQL Proxy Setup

Overview

A set of GCP setup scripts that configure keyless GitHub Actions deployments via Workload Identity Federation and provide Cloud SQL Auth Proxy launchers for local database access. It removes long-lived service-account keys from CI in favor of federated OIDC identity.

Why It Exists

Storing GCP service-account JSON keys in CI is a security liability. The team needed GitHub Actions to deploy to Cloud Run and Cloud Composer using short-lived, federated credentials instead, plus a quick way to tunnel into Cloud SQL during development.

What We Built

setup-workload-identity.sh provisions a Workload Identity Pool and a GitHub OIDC provider. It creates a dedicated service account for each of two deployment paths (a Cloud Run service and a Cloud Composer/Airflow DAG deployer) and binds only the roles each path needs (run.admin, artifactregistry.writer, storage access, etc.). cloud-sql-proxy.sh and hits-station-proxy.sh wrap the Cloud SQL Auth Proxy with overridable project/instance/region/port environment variables for local PostgreSQL access. Documentation (README-WORKLOAD-IDENTITY.md, SETUP-SUMMARY.md) records the required roles and the end-to-end flow; the Google Cloud SDK is vendored alongside.

Technologies & Approach

Bash automation over the gcloud CLI, applying Workload Identity Federation so that GitHub Actions workflows exchange their OIDC token for short-lived GCP credentials, with no keys stored in CI. Role assignments follow least privilege per deployment target; Cloud SQL access uses the official Cloud SQL Auth Proxy.
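The pool, provider and binding flow that setup-workload-identity.sh automates, shown here as an added illustration rather than the project's own script: the OIDC provider carries an attribute condition so only tokens minted for the organisation's repositories are accepted, and the workloadIdentityUser binding names a single repository through a principalSet member. Project id, GitHub owner, repository, pool, provider and service-account names are placeholders, and roles/iam.serviceAccountUser is my assumption for the Cloud Run path; by default the script only prints the gcloud commands (DRY_RUN=1).

```shell
#!/usr/bin/env sh
# Added example, not the project's own setup-workload-identity.sh. All names are
# placeholders; override them in the environment. DRY_RUN=1 (default) only prints.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # placeholder project id
GITHUB_ORG="${GITHUB_ORG:-example-org}"      # placeholder GitHub owner
GITHUB_REPO="${GITHUB_REPO:-example-app}"    # placeholder repository
POOL="${POOL:-github-pool}"
PROVIDER="${PROVIDER:-github-oidc}"
SA_NAME="${SA_NAME:-cloud-run-deployer}"
DRY_RUN="${DRY_RUN:-1}"
# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# principalSet member that limits impersonation to a single repository. Binding the
# pool root (.../workloadIdentityPools/$POOL/*) instead would admit every repo that
# passes the provider's attribute condition.
wif_member() {
  echo "principalSet://iam.googleapis.com/projects/$1/locations/global/workloadIdentityPools/$2/attribute.repository/$3/$4"
}

main() {
  SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
  if [ "$DRY_RUN" = 1 ]; then PROJECT_NUMBER="PROJECT_NUMBER"; else
    PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
  fi
  run gcloud iam workload-identity-pools create "$POOL" --project="$PROJECT_ID" \
    --location=global --display-name="GitHub Actions"
  # Map token claims to attributes and refuse tokens minted for other GitHub owners.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository_owner == '$GITHUB_ORG'"
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Cloud Run deployer (GitHub Actions)"
  # Roles for the Cloud Run path only; roles/iam.serviceAccountUser is assumed here.
  for role in roles/run.admin roles/artifactregistry.writer roles/iam.serviceAccountUser; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
  # Only this repository's workflows may impersonate the deployer.
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member "$PROJECT_NUMBER" "$POOL" "$GITHUB_ORG" "$GITHUB_REPO")"
}

main
```

Run with DRY_RUN=0 against a project where you hold the IAM admin roles to apply the bindings; the GitHub workflow then needs only the provider resource name and the service-account email, never a key.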

Outcome / Impact

Delivered a documented, repeatable, keyless CI/CD security posture for GCP deployments and frictionless local database connectivity. Demonstrates solid cloud IAM and supply-chain-security practice.

Capabilities Demonstrated

  • Keyless GitHub Actions to GCP via Workload Identity Federation (OIDC)
  • Least-privilege IAM and service-account design
  • Cloud Run / Cloud Composer deployment enablement
  • Cloud SQL Auth Proxy developer tooling