Update readme.md answering: Is Workload Identity Provider resource name considered a secret?
Please update #setup in README.md
https://github.com/google-github-actions/auth/blob/main/README.md#setup
and explicitly state whether or not it is recommended to store the WORKLOAD_IDENTITY_POOL_ID
generated in Step 6 and/or the Workload Identity Provider resource name value generated at Step 9 as a GitHub secret.
Please also update https://github.com/google-github-actions/auth/blob/main/action.yml#L28.
And if it is a secret, please replace the example usages of workload_identity_provider: accordingly.
Hi there @TWiStErRob
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.
Hi @TWiStErRob - there's no "right" answer here, as it depends on your threat model and repository setup. WIF pools, WIF providers, and service account email addresses are not secrets like private keys or passwords, but they can reveal information depending on your naming scheme (similar to project IDs). Knowing the WIF pool or provider does not grant access to it, so it's really dependent on your naming scheme and threat model.
Furthermore, there are reasons why you might use GitHub Secrets for non-secret values. For example, if you provisioned all your repositories using an IaC tool like Terraform, you might want to inject values into the GitHub repo. The easiest way to do that is via secrets, even if the values themselves are not "secret". I hope that helps.
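The two usage styles discussed above, side by side, as an added example that is not part of the issue thread or the project's README. The project number `123456789012`, the pool `my-pool`, the provider `my-provider`, the service account address and the secret names `WIF_PROVIDER` / `WIF_SERVICE_ACCOUNT` are placeholders chosen for the illustration; the action inputs `workload_identity_provider` and `service_account`, and the `id-token: write` permission, are the ones the action requires.

```yaml
name: deploy

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token to exchange at the WIF provider

jobs:
  # Variant A: the provider resource name is committed in plain text.
  # Knowing this string does not by itself grant access: the provider's
  # attribute condition and the service account's IAM bindings decide
  # which repositories may exchange a token. What the string does expose
  # is the project number and the pool/provider naming scheme.
  auth-plain:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: auth
        uses: google-github-actions/auth@v1
        with:
          # Placeholder identifiers (assumed for this example).
          workload_identity_provider: 'projects/123456789012/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
          service_account: 'deployer@my-project.iam.gserviceaccount.com'
      - uses: google-github-actions/setup-gcloud@v1
      - run: gcloud auth list

  # Variant B: the same two values injected through GitHub Secrets, for
  # example written there by the IaC tool that created the pool and
  # provider. Nothing about the exchange changes; the repository history
  # simply never contains the project number or the naming scheme.
  auth-from-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
      - uses: google-github-actions/setup-gcloud@v1
      - run: gcloud auth list
```

One side effect of Variant B worth knowing: GitHub masks secret values in job logs, so the provider resource name will also be redacted from any step output that echoes it. That is convenient if the naming scheme is what you want to hide, and an annoyance when debugging a failed token exchange, since the masked value is exactly the one you need to compare against the pool and provider that actually exist.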
| Field | Value |
|---|---|
| Owner Name | google-github-actions |
| Repo Name | auth |
| Full Name | google-github-actions/auth |
| Language | TypeScript |
| Created Date | 2021-09-16 |
| Updated Date | 2023-03-24 |
| Star Count | 573 |
| Watcher Count | 16 |
| Fork Count | 116 |
| Issue Count | 3 |