Is the workload_identity_provider or the service_account a secret?

This issue has been tracked since 2022-11-23.


Update answering: Is Workload Identity Provider resource name considered a secret?

Detailed design

Please update #setup in
and explicitly state whether or not it is recommended to store the WORKLOAD_IDENTITY_POOL_ID generated in Step 6 and/or the Workload Identity Provider resource name value generated at Step 9 as a GitHub secret.

Additional information

Please also update

And if it is a secret, please replace the example usages of workload_identity_provider: accordingly.

github-actions[bot] wrote this answer on 2022-11-25

Hi there @TWiStErRob 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo wrote this answer on 2022-11-25

Hi @TWiStErRob - there's no "right" answer here, as it depends on your threat model and repository setup. WIF pools, WIF providers, and service account email addresses are not secrets like private keys or passwords, but they can reveal information depending on your naming scheme (similar to project IDs). Knowing the WIF pool or provider does not grant access to it, so it's really dependent on your naming scheme and threat model.

Furthermore, there are reasons why you might use GitHub Secrets for non-secret values. For example, if you provisioned all your repositories using an IaC tool like Terraform, you might want to inject values into the GitHub repo. The easiest way to do that is via secrets, even if the values themselves are not "secret". I hope that helps.
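As an added illustration (not from this thread or the action's README), the two placements discussed above side by side in a google-github-actions/auth workflow; the project number, pool, provider, service account and secret names (WIF_PROVIDER, WIF_SERVICE_ACCOUNT) are placeholders:

```yaml
# Added example, not from the thread: the same auth step written both ways.
# All values are placeholders; the provider resource name has the form
# projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
name: deploy
on: [push]

permissions:
  contents: read
  id-token: write   # needed so the job can request a GitHub OIDC token

jobs:
  auth-inline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Option A: plain values in the workflow file. Nothing here grants
      # access by itself (the WIF provider still has to trust this repo's
      # OIDC claims), but the project number and the pool/provider naming
      # scheme are visible to anyone who can read the repository.
      - uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: 'projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
          service_account: 'deployer@example-project.iam.gserviceaccount.com'

  auth-from-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Option B: the same values injected from repository secrets, e.g.
      # written by Terraform when the repo was provisioned. Functionally
      # identical; it only keeps the naming scheme out of the committed file.
      - uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
```

Either way, what actually gates access is the provider's attribute condition and the service account's IAM binding on the pool, not the secrecy of these names.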

TWiStErRob wrote this answer on 2022-11-25

Makes sense, thanks. Could you please add this in some form to the readme?

