GCP Workload Identity Federation & SQL Proxy Setup
Overview
A set of GCP setup scripts that configure keyless GitHub Actions deployments via Workload Identity Federation and provide Cloud SQL Auth Proxy launchers for local database access. It removes long-lived service-account keys from CI in favor of federated OIDC identity.
Why It Exists
Storing GCP service-account JSON keys in CI is a security liability. The team needed GitHub Actions to deploy to Cloud Run and Cloud Composer using short-lived, federated credentials instead, plus a quick way to tunnel into Cloud SQL during development.
What We Built
setup-workload-identity.sh provisions a Workload Identity Pool and a GitHub OIDC provider, creates a dedicated service account for each of the two deployment paths (a Cloud Run service deployer and a Cloud Composer/Airflow DAG deployer), and binds only the roles each path needs (run.admin, artifactregistry.writer, storage access, etc.). cloud-sql-proxy.sh and hits-station-proxy.sh wrap the Cloud SQL Auth Proxy, with project, instance, region and port overridable through environment variables, for local PostgreSQL access. README-WORKLOAD-IDENTITY.md and SETUP-SUMMARY.md record the required roles and the setup flow; the Google Cloud SDK is vendored alongside.
Technologies & Approach
Bash automation over the gcloud CLI. Workload Identity Federation lets a GitHub Actions job exchange the OIDC token GitHub issues for that run for short-lived GCP credentials, so no service-account key is ever stored in CI. What limits which GitHub repository can impersonate a given service account is the provider's attribute condition together with the roles/iam.workloadIdentityUser binding on that account, so both must be scoped to the repository rather than to the whole pool. Role assignments follow least privilege per deployment target, and Cloud SQL access goes through the official Cloud SQL Auth Proxy.
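The provisioning flow described in the two sections above, written out as an added example. This is not the project's setup-workload-identity.sh; it is a stand-alone sketch of the same gcloud sequence. Project ID, repository name, pool/provider IDs, service-account names, the Composer DAG bucket and the Cloud Run runtime service account are all placeholders to override via environment variables. It defaults to printing the commands it would run (plan) and only mutates IAM when invoked with `apply`:

```shell
#!/usr/bin/env bash
# Added example, not the project's own script. Provisions a Workload Identity
# Pool + GitHub OIDC provider, one deployer service account per target, and the
# bindings that let a single GitHub repository impersonate them.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"                 # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-}"                        # resolved on apply
GITHUB_REPO="${GITHUB_REPO:-example-org/example-repo}"      # owner/name, placeholder
POOL_ID="${POOL_ID:-github-pool}"
PROVIDER_ID="${PROVIDER_ID:-github-oidc}"
RUN_SA="${RUN_SA:-cloudrun-deployer}"
COMPOSER_SA="${COMPOSER_SA:-composer-dag-deployer}"
RUNTIME_SA="${RUNTIME_SA:-cloudrun-runtime}"                # SA the Cloud Run service runs as, placeholder
DAG_BUCKET="${DAG_BUCKET:-example-composer-dags}"           # Composer environment's DAG bucket, placeholder
DRY_RUN="${DRY_RUN:-1}"

# In plan mode print the command; in apply mode execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Full resource name of the provider: this is the value google-github-actions/auth
# takes as workload_identity_provider.
wif_provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' "$1" "$2" "$3"
}

# principalSet matching every identity in the pool whose mapped attribute.repository
# equals the given repo. Binding this (rather than a bare pool-wide principalSet)
# is what ties impersonation to one repository.
wif_principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s\n' "$1" "$2" "$3"
}

# CEL condition enforced at the provider: tokens from any other repository are
# rejected before any IAM binding is consulted.
attribute_condition() { printf "assertion.repository == '%s'\n" "$1"; }

sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

grant_project_role() {  # args: sa_email role
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$1" --role="$2"
}

allow_repo_to_impersonate() {  # args: sa_email
  run gcloud iam service-accounts add-iam-policy-binding "$1" \
    --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(wif_principal_set "$PROJECT_NUMBER" "$POOL_ID" "$GITHUB_REPO")"
}

main() {
  if [ -z "$PROJECT_NUMBER" ]; then
    if [ "$DRY_RUN" = 1 ]; then PROJECT_NUMBER=PROJECT_NUMBER   # literal placeholder in plan output
    else PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
    fi
  fi

  run gcloud iam workload-identity-pools create "$POOL_ID" --project="$PROJECT_ID" \
    --location=global --display-name="GitHub Actions"
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --issuer-uri=https://token.actions.githubusercontent.com \
    --attribute-mapping='google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository' \
    --attribute-condition="$(attribute_condition "$GITHUB_REPO")"

  run_sa=$(sa_email "$RUN_SA" "$PROJECT_ID")
  composer_sa=$(sa_email "$COMPOSER_SA" "$PROJECT_ID")
  run gcloud iam service-accounts create "$RUN_SA" --project="$PROJECT_ID" --display-name="Cloud Run deployer"
  run gcloud iam service-accounts create "$COMPOSER_SA" --project="$PROJECT_ID" --display-name="Composer DAG deployer"

  # Cloud Run path: deploy revisions and push images. Deploying a service that runs
  # as RUNTIME_SA also needs actAs on that one SA, granted on the SA itself rather
  # than project-wide serviceAccountUser.
  grant_project_role "$run_sa" roles/run.admin
  grant_project_role "$run_sa" roles/artifactregistry.writer
  run gcloud iam service-accounts add-iam-policy-binding "$(sa_email "$RUNTIME_SA" "$PROJECT_ID")" \
    --project="$PROJECT_ID" --member="serviceAccount:$run_sa" --role=roles/iam.serviceAccountUser

  # Composer path: the deployer only writes DAG files, so the grant is scoped to the
  # environment's bucket instead of a project-level storage role.
  run gcloud storage buckets add-iam-policy-binding "gs://$DAG_BUCKET" \
    --member="serviceAccount:$composer_sa" --role=roles/storage.objectAdmin

  allow_repo_to_impersonate "$run_sa"
  allow_repo_to_impersonate "$composer_sa"

  echo "workload_identity_provider: $(wif_provider_resource "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID")"
}

case "${1:-plan}" in
  plan)  DRY_RUN=1; main ;;
  apply) DRY_RUN=0; main ;;
  *) echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

On the GitHub side the consuming workflow must declare `permissions: id-token: write` (otherwise no OIDC token is minted and the exchange fails with a permissions error) and pass the printed provider resource name plus the deployer's service-account email to google-github-actions/auth. Two checks worth doing after apply: confirm the provider's attribute condition names exactly one repository, and confirm the only `roles/iam.workloadIdentityUser` members on each deployer are `principalSet://.../attribute.repository/<repo>` entries, never the pool-wide `principalSet://.../*`.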
Outcome / Impact
Delivered a documented, repeatable, keyless CI/CD security posture for GCP deployments and frictionless local database connectivity. Demonstrates solid cloud IAM and supply-chain-security practice.
Capabilities Demonstrated
- Keyless GitHub Actions to GCP via Workload Identity Federation (OIDC)
- Least-privilege IAM and service-account design
- Cloud Run / Cloud Composer deployment enablement
- Cloud SQL Auth Proxy developer tooling