Using GAM7 with keyless authentication Workload Identity Federation
Important: This method is designed for running GAM7 outside of Google Cloud (on-premises, other cloud providers, CI/CD systems). If you're running GAM7 inside Google Cloud, use attached service accounts on Google Compute Engine instead, which provides the same keyless benefits with simpler configuration.
This guide explains how to configure GAM7 to use Google Cloud's Workload Identity Federation for keyless authentication. This is Google's officially recommended authentication method for enhanced security and simplified credential management.
- Overview
- Prerequisites
- Setup Steps
- AWS Configuration
- GitHub Actions Configuration
- Clean Up
- Security Best Practices
- Troubleshooting
- Benefits
- References
## Overview

Workload Identity Federation allows GAM7 to authenticate to Google Cloud services without storing long-lived service account keys. Instead, it exchanges short-lived tokens issued by an external identity provider such as AWS, Azure, or GitHub Actions for Google credentials, eliminating the risks that come with managing static credentials.
## Prerequisites

- GAM7 installed and configured
  - Run `gam config` to generate the `gam.cfg` file
  - Run `gam create/use project` to generate the `oauth2service.json` file
  - Optionally enable DASA (delegated admin service account). The GitHub Actions workflow later on this page copies only `gam.cfg` and `oauth2service.json` to the runner, with no `oauth2.txt` user credential, so a headless runner relies on DASA for admin API calls. Substitute your Workspace customer ID for `CUSTOMER_ID`:
    `gam config enable_dasa true admin_email admin@domain.com customer_id CUSTOMER_ID domain domain.com save`
- Google Cloud CLI (gcloud) installed and configured
  - Install gcloud CLI
  - Run `gcloud auth login` to authenticate
  - Run `gcloud config set project PROJECT_ID` to set your project
  - Alternative: use the Google Cloud Console web interface to perform the same operations
- Google Cloud project with the required APIs enabled (see Setup Steps)
- External identity provider (AWS, Azure, GitHub Actions, etc.)
- Permissions to create Workload Identity Pools and to manage IAM policy on the project and on the service account
## Setup Steps

Enable the IAM Service Account Credentials API and the Security Token Service API in your project:

```shell
gcloud services enable iamcredentials.googleapis.com
gcloud services enable sts.googleapis.com
```

Create a Workload Identity Pool:

```shell
gcloud iam workload-identity-pools create POOL_ID \
  --location="global" \
  --description="Pool for GAM authentication"
```

You can either create a new service account or reuse an existing one that has the necessary permissions.

To create a new one:

```shell
gcloud iam service-accounts create SERVICE_ACCOUNT_ID \
  --description="Service account for GAM operations" \
  --display-name="GAM Service Account"
```

If you already have a service account with appropriate Google Workspace permissions (typically the one created during GAM7 initial setup), you can reuse it. Just note the service account email for the next steps.

```shell
# List existing service accounts to find the one you want to use
gcloud iam service-accounts list
```

Grant the service account the Service Account Token Creator role. This is a Google Cloud IAM role, not a Google Workspace permission: with `key_type` set to `signjwt` (later in this guide), GAM asks the IAM Credentials API to sign its domain-wide delegation JWT on the service account's behalf instead of signing locally with a downloaded key, and the `signJwt` call requires this role.

```shell
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
  --role="roles/iam.serviceAccountTokenCreator"
```

A project-level grant lets this service account create tokens for every service account in the project. For the narrower grant, bind the same role on the service account resource itself (with `gcloud iam service-accounts add-iam-policy-binding`, the command used with a different role in the next step) so the account can only sign for itself.

## AWS Configuration

Create an AWS provider in the pool. `YOUR_AWS_ACCOUNT_ID` is the 12-digit AWS account whose IAM roles will be trusted:

```shell
gcloud iam workload-identity-pools providers create-aws PROVIDER_ID \
  --workload-identity-pool="POOL_ID" \
  --account-id="YOUR_AWS_ACCOUNT_ID" \
  --location="global"
```

Allow workloads running under one specific AWS IAM role to impersonate the service account. The `attribute.aws_role` value is the assumed-role ARN without the session name, so only that role, not every identity in the AWS account, is admitted. `PROJECT_NUMBER` is the numeric project number, not the `PROJECT_ID` string:

```shell
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_EMAIL \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.aws_role/arn:aws:sts::YOUR_AWS_ACCOUNT_ID:assumed-role/YOUR_ROLE_NAME"
```

Create a JSON credential configuration file for the provider:
For AWS with IMDSv1:

```shell
gcloud iam workload-identity-pools create-cred-config \
  projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
  --service-account=SERVICE_ACCOUNT_EMAIL \
  --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME \
  --aws \
  --output-file=FILEPATH.json
```

For AWS with IMDSv2:

```shell
gcloud iam workload-identity-pools create-cred-config \
  projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
  --service-account=SERVICE_ACCOUNT_EMAIL \
  --aws \
  --enable-imdsv2 \
  --output-file=FILEPATH.json
```

Prefer the IMDSv2 form wherever the instance supports it: IMDSv2 requires a session token obtained with a PUT request, which closes the classic SSRF-to-metadata path for stealing the instance role credentials that the credential file reads. The `--service-account-token-lifetime-seconds` option is optional in either form. The generated file contains no secret material, only the audience, the STS token exchange endpoint, the service account to impersonate, and the metadata URLs the client library reads the AWS credentials from.

Set the environment variable to point at the file written by `--output-file`:

```shell
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/credential-configurations.json"
```

Open the `oauth2service.json` file and set the `key_type` to `signjwt`:

```json
...
"key_type": "signjwt",
...
```

Verify that GAM authenticates through the federated credential:

```shell
gam version
gam info user
```

## GitHub Actions Configuration

Create an OIDC provider that trusts GitHub's token issuer. The attribute condition rejects tokens from any other GitHub organization before any service account binding is consulted:

```shell
gcloud iam workload-identity-pools providers create-oidc PROVIDER_ID \
  --workload-identity-pool="POOL_ID" \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
  --attribute-condition="assertion.repository_owner=='YOUR_GITHUB_ORGANIZATION'" \
  --location="global"
```

Allow workflows from one repository to impersonate the service account:

```shell
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_EMAIL \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/YOUR_GITHUB_ORG/YOUR_REPO"
```

`.github/workflows/example.yml`:

```yaml
name: GAM Operations
on: [push]
jobs:
  gam-job:
    runs-on: ubuntu-24.04
    permissions:
      id-token: write   # needed to request the GitHub OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v3
      - name: Download and install GAM
        run: |
          bash <(curl -s -S -L https://git.io/gam-install) -l
      - name: Copy GAM configs into target dir
        # Make sure to remove the private key from oauth2service.json and set `key_type` to `signjwt`
        run: |
          cp ./gam.cfg ~/.gam/gam.cfg
          cp ./oauth2service.json ~/.gam/oauth2service.json
      # # For debugging GitHub identity tokens
      # - name: Print out GitHub OIDC token
      #   uses: github/actions-oidc-debugger@2e9ba5d3f4bebaad1f91a2cede055115738b7ae8
      #   with:
      #     audience: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          create_credentials_file: true
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID'
          service_account: 'SERVICE_ACCOUNT_EMAIL'
      - name: Run GAM commands
        run: |
          ~/bin/gam7/gam info user
```

The `auth` step writes a credential configuration file on the runner and exports `GOOGLE_APPLICATION_CREDENTIALS` for the following steps, so no service account key is ever present in the repository or on the runner. Two caveats for a workflow that holds Workspace admin rights: the binding above admits every workflow run in the repository, so anyone who can push a workflow file to it can run GAM as the service account (protect the branch, restrict the trigger, or map `assertion.ref` into an attribute and bind on it); and the install step executes a script fetched over the network on every run, so for production prefer a fixed, verified release and pin third-party actions to a commit SHA as the commented-out debugger step does.

## Clean Up

After verifying that gam is working as expected, delete the old key if it's no longer in use.
```shell
gcloud iam service-accounts keys delete KEY_ID --iam-account=SERVICE_ACCOUNT_EMAIL
```

Also remove it from the `oauth2service.json` file:

```json
...
"private_key": "",
"private_key_id": "",
...
```

Deleting the key in Cloud IAM is what actually revokes it; blanking the fields only stops the key material from lingering in the file. Do both, and check any other hosts, backups, or repository history the file was copied to.
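The credential configuration and `oauth2service.json` steps above, and the clean-up just described, are easy to get subtly wrong (wrong project number in the audience, IMDSv1 left on, a private key still in the file), and the failure then surfaces only as an opaque STS or `signJwt` error. The following is an added example, not code from the GAM7 wiki or the GAM project: an offline checker for both files. It assumes the field names of Google's `external_account` credential format, the placeholder names used on this page (`PROJECT_NUMBER`, `POOL_ID`, `PROVIDER_ID`, `SERVICE_ACCOUNT_EMAIL`), and constructed sample documents.

```python
"""Offline sanity checks for the two files a GAM7 WIF setup depends on.

Added example; not code from the GAM7 wiki or the GAM project. It inspects
the credential configuration written by
`gcloud iam workload-identity-pools create-cred-config` and GAM's
`oauth2service.json`. The expected values passed in and the sample
documents at the bottom are constructed placeholders.
"""
import json
import re

AWS_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
OIDC_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<number>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)


def check_credential_config(cfg, project_number, pool_id, provider_id, sa_email):
    """Return a list of findings; an empty list means the file looks sound."""
    findings = []
    if cfg.get("type") != "external_account":
        findings.append("type is not external_account: this is not a WIF credential file")
    m = AUDIENCE_RE.match(cfg.get("audience", ""))
    if m is None:
        findings.append("audience is not a workload identity provider resource name")
    elif (m["number"], m["pool"], m["provider"]) != (str(project_number), pool_id, provider_id):
        findings.append("audience names a different project number, pool or provider than expected")
    if cfg.get("token_url") != STS_TOKEN_URL:
        findings.append("token_url is not the Google STS token endpoint")
    impersonation = cfg.get("service_account_impersonation_url", "")
    if not impersonation.endswith(f"/serviceAccounts/{sa_email}:generateAccessToken"):
        findings.append(f"service_account_impersonation_url does not target {sa_email}")
    token_type = cfg.get("subject_token_type")
    source = cfg.get("credential_source", {})
    if token_type == AWS_TOKEN_TYPE:
        # Without the session-token URL the client reads the instance role over IMDSv1.
        if "imdsv2_session_token_url" not in source:
            findings.append("AWS credential source uses IMDSv1; regenerate with --enable-imdsv2")
    elif token_type != OIDC_TOKEN_TYPE:
        findings.append("subject_token_type is neither the AWS nor the OIDC token type")
    return findings


def check_oauth2service(svc, sa_email):
    """Return findings for GAM's oauth2service.json after the switch to signjwt."""
    findings = []
    if svc.get("key_type") != "signjwt":
        findings.append("key_type is not signjwt, so GAM will try to sign with a local key")
    if svc.get("private_key") or svc.get("private_key_id"):
        findings.append("private_key / private_key_id still present; delete the key and blank the fields")
    if svc.get("client_email") != sa_email:
        findings.append("client_email differs from the service account the credential config impersonates")
    return findings


def audit_files(cred_path, svc_path, project_number, pool_id, provider_id, sa_email):
    """Load both files from disk and return the combined findings, prefixed by file name."""
    with open(cred_path, encoding="utf-8") as f:
        cfg = json.load(f)
    with open(svc_path, encoding="utf-8") as f:
        svc = json.load(f)
    return ([f"{cred_path}: {x}" for x in check_credential_config(cfg, project_number, pool_id, provider_id, sa_email)]
            + [f"{svc_path}: {x}" for x in check_oauth2service(svc, sa_email)])


# Constructed samples: a sound IMDSv2 credential config and a not-yet-cleaned oauth2service.json.
PROJECT_NUMBER = "123456789012"
SA_EMAIL = "gam@example-project.iam.gserviceaccount.com"
GOOD_AWS_CONFIG = {
    "type": "external_account",
    "audience": f"//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/gam-pool/providers/aws-provider",
    "subject_token_type": AWS_TOKEN_TYPE,
    "service_account_impersonation_url": f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{SA_EMAIL}:generateAccessToken",
    "token_url": STS_TOKEN_URL,
    "credential_source": {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
        "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token",
    },
}
STALE_OAUTH2SERVICE = {  # key-based file before clean-up; the key text is a dummy placeholder
    "type": "service_account",
    "client_email": SA_EMAIL,
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "key_type": "default",
}

if __name__ == "__main__":
    for finding in check_credential_config(GOOD_AWS_CONFIG, PROJECT_NUMBER, "gam-pool", "aws-provider", SA_EMAIL):
        print("credential config:", finding)
    for finding in check_oauth2service(STALE_OAUTH2SERVICE, SA_EMAIL):
        print("oauth2service.json:", finding)
```

Run `audit_files()` against the real paths (`$GOOGLE_APPLICATION_CREDENTIALS` and `~/.gam/oauth2service.json`) with the project number, pool, provider and service account you used in the `gcloud` commands; an empty list means the two files agree with each other and with the binding you created.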
## Security Best Practices

- Principle of Least Privilege: Grant only the permissions the service account needs, in Cloud IAM and in Workspace
- Attribute Conditions: Use attribute conditions to restrict which external identities the provider accepts
- Regular Auditing: Regularly review and audit Workload Identity Federation pools, providers, and service account bindings
- Token Lifetime: Configure appropriate token lifetimes for your use case (the `--service-account-token-lifetime-seconds` option above); a shorter lifetime bounds the window in which a captured token is useful
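To make the Attribute Conditions point concrete for the GitHub Actions provider configured above, here is an added example (not code from the GAM7 wiki or the GAM project) that models the two gates a GitHub OIDC token passes through: the provider's attribute condition on `repository_owner`, then the `roles/iam.workloadIdentityUser` binding on `attribute.repository`. It also goes one step beyond the page and shows a binding on `google.subject`, which pins impersonation to a single branch. The claim sets are constructed, the organization, repository, project number and pool names are placeholders, and the evaluation is a simplified re-implementation of the CEL mapping, not Google's code.

```python
"""Which GitHub Actions runs may impersonate the GAM service account?

Added example; not code from the GAM7 wiki or the GAM project. Models the
attribute condition and the workloadIdentityUser binding from this page.
All names below are placeholders and every claim set is constructed.
"""

PROJECT_NUMBER = "123456789012"   # placeholder for PROJECT_NUMBER
POOL_ID = "gam-pool"              # placeholder for POOL_ID
ORG = "example-org"               # placeholder for YOUR_GITHUB_ORGANIZATION
POOL = f"iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/{POOL_ID}"

# --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository"
ATTRIBUTE_MAPPING = {"google.subject": "sub", "attribute.repository": "repository"}


def attribute_condition(assertion):
    """--attribute-condition="assertion.repository_owner=='ORG'" (simplified CEL)."""
    return assertion.get("repository_owner") == ORG


def principals_for(assertion):
    """Identifiers a token can be bound under: its subject, each mapped attribute, the whole pool."""
    mapped = {attr: assertion[claim] for attr, claim in ATTRIBUTE_MAPPING.items() if claim in assertion}
    ids = {f"principalSet://{POOL}/*"}
    if "google.subject" in mapped:
        ids.add(f"principal://{POOL}/subject/{mapped['google.subject']}")
    for attr, value in mapped.items():
        if attr.startswith("attribute."):
            ids.add(f"principalSet://{POOL}/{attr}/{value}")
    return ids


def can_impersonate(assertion, bound_members):
    """Return (allowed, reason) for a token against the members of a service account binding."""
    if "sub" not in assertion:
        return False, "token has no sub claim, so google.subject cannot be mapped"
    if not attribute_condition(assertion):
        return False, "rejected by the provider attribute condition (repository_owner)"
    matches = principals_for(assertion) & set(bound_members)
    if not matches:
        return False, "no roles/iam.workloadIdentityUser binding matches this token"
    return True, f"admitted via {sorted(matches)[0]}"


def github_claims(owner, repo, ref):
    """Constructed subset of the claims GitHub puts in a push workflow's OIDC token."""
    return {
        "iss": "https://token.actions.githubusercontent.com",
        "sub": f"repo:{owner}/{repo}:ref:{ref}",
        "repository": f"{owner}/{repo}",
        "repository_owner": owner,
        "ref": ref,
    }


# The binding from this page: every workflow run in one repository.
REPO_BINDING = {f"principalSet://{POOL}/attribute.repository/{ORG}/gam-ops"}
# Tighter alternative (beyond the page): only runs on the main branch of that repository.
BRANCH_BINDING = {f"principal://{POOL}/subject/repo:{ORG}/gam-ops:ref:refs/heads/main"}

MAIN_PUSH = github_claims(ORG, "gam-ops", "refs/heads/main")
FEATURE_PUSH = github_claims(ORG, "gam-ops", "refs/heads/feature")
OTHER_REPO = github_claims(ORG, "unrelated-repo", "refs/heads/main")
FOREIGN_ORG = github_claims("someone-else", "gam-ops", "refs/heads/main")  # a fork in another org

if __name__ == "__main__":
    cases = [("main push", MAIN_PUSH), ("feature push", FEATURE_PUSH),
             ("other repo", OTHER_REPO), ("foreign org", FOREIGN_ORG)]
    for name, claims in cases:
        for label, binding in (("repo binding", REPO_BINDING), ("branch binding", BRANCH_BINDING)):
            print(f"{name:12} {label:14} {can_impersonate(claims, binding)}")
```

The condition and the binding guard different things: the condition decides whether the provider accepts the token at all, so a token from a fork in another organization never reaches IAM, while the binding decides which accepted identities may act as this particular service account. Mapping `google.subject` from `assertion.sub` costs nothing and lets you switch from the repository-wide binding to the branch-level one without touching the provider.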
## Troubleshooting

- Authentication Errors
  - Verify the audience in the credential configuration matches your Workload Identity Pool provider
  - Check that the external identity has permission to impersonate the service account (the `roles/iam.workloadIdentityUser` binding, and for `signjwt` the `roles/iam.serviceAccountTokenCreator` grant)
- Permission Denied
  - Ensure the service account has the necessary Google Workspace permissions
  - Verify domain-wide delegation is configured if required
- Token Expiration
  - Tokens are automatically refreshed by the Google Auth libraries
  - Check network connectivity to the Google STS endpoints (`sts.googleapis.com` and `iamcredentials.googleapis.com`)

```shell
# Test authentication
gcloud auth print-access-token
# Verify service account impersonation
gcloud auth print-access-token --impersonate-service-account=SERVICE_ACCOUNT_EMAIL
# Check GAM authentication
gam info user
```

Note that `gcloud` uses its own active account, not the file named by `GOOGLE_APPLICATION_CREDENTIALS`, so the two `gcloud` commands above test your user login and its permission to impersonate the service account, not the federated credential. To exercise the credential configuration file with `gcloud`, sign in with it first (`gcloud auth login --cred-file=FILEPATH.json`); `gam info user` is the check that goes through the federated path end to end.

## Benefits

- Reduced Attack Surface: Short-lived tokens minimize the exposure window if one is compromised
- Reduced Operational Cost: Eliminates the overhead of managing and rotating service account keys
- Improved Scalability: Easily scale across multiple environments without distributing keys
- Better Integration: Native integration with cloud provider identity systems (AWS IAM, GitHub OIDC)
- Compliance: Meets security requirements for keyless authentication