
gcp-auth

Provides container authentication via service account JSON keys, OIDC/Workload Identity Federation,
Application Default Credentials (ADC), and access token generation for Google Cloud services.

Installation

# Adds the gcp-auth module as a dependency of the current Dagger module.
# NOTE(review): this references the tag v0.1.0, while the call examples on this
# page reference a full commit hash; a hash cannot be re-pointed the way a tag
# can, so confirm which commit the tag resolves to before relying on it.
dagger install github.com/telchak/daggerverse/gcp-auth@v0.1.0

Entrypoint

Return Type
GcpAuth !
Example
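# No function name follows `call` for the entrypoint, so the trailing line
# continuation left by the page template is dropped; with it, the shell would
# join the next line onto this command.
dagger -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 call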
// Example returns the gcp-auth module's entrypoint object, on which the
// authentication helpers are called.
func (m *MyModule) Example() *dagger.GcpAuth {
	auth := dag.GcpAuth()
	return auth
}
@function
def example() -> dagger.GcpAuth:
	"""Return the gcp-auth module entrypoint object."""
	auth = dag.gcp_auth()
	return auth
/** Returns the gcp-auth module entrypoint object. */
@func()
example(): GcpAuth {
	const auth = dag.gcpAuth()
	return auth
}

Types

GcpAuth 🔗

GCP authentication utilities for Dagger pipelines. Supports multiple authentication methods:

- Service account credentials (JSON key)
- OIDC tokens from any CI provider (via oidc-token module)
- Application Default Credentials from host

For OIDC authentication, use the oidc-token module to fetch tokens:

    token = dag.oidc_token().github_token(...)  # or gitlab_token, circleci_token
    gcloud = dag.gcp_auth().gcloud_container_from_oidc_token(token, ...)

accessTokenFromGithubActions() 🔗

Get a GCP access token from GitHub Actions OIDC.

Convenience wrapper for GitHub Actions. Returns an access token for APIs that accept Bearer tokens (e.g., Firebase CLI).

Return Type
Secret !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| workloadIdentityProvider | String ! | - | GCP Workload Identity Federation provider |
| projectId | String ! | - | GCP project ID |
| oidcRequestToken | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_TOKEN |
| oidcRequestUrl | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_URL |
| serviceAccountEmail | String | null | Service account to impersonate |
Example
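# Exchange the GitHub Actions OIDC identity for a GCP access token.
# The two request values are distinct secrets, so each reads its own runner
# variable instead of one shared MYSECRET placeholder; GitHub sets them only
# for jobs granted the `id-token: write` permission.
# `string` marks values to fill in.
dagger -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 call \
 access-token-from-github-actions \
 --workload-identity-provider string \
 --project-id string \
 --oidc-request-token env:ACTIONS_ID_TOKEN_REQUEST_TOKEN \
 --oidc-request-url env:ACTIONS_ID_TOKEN_REQUEST_URL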
// Example exchanges the GitHub Actions OIDC identity for a GCP access token.
// The result stays a *dagger.Secret; the page describes it as a Bearer token,
// so pass it on as a secret rather than reading it into plain text.
// The optional serviceAccountEmail argument is not set here.
func (m *MyModule) Example(workloadIdentityProvider string, projectId string, oidcRequestToken *dagger.Secret, oidcRequestUrl *dagger.Secret) *dagger.Secret {
	auth := dag.GcpAuth()
	return auth.AccessTokenFromGithubActions(workloadIdentityProvider, projectId, oidcRequestToken, oidcRequestUrl)
}
@function
def example(workload_identity_provider: str, project_id: str, oidc_request_token: dagger.Secret, oidc_request_url: dagger.Secret) -> dagger.Secret:
	"""Exchange the GitHub Actions OIDC identity for a GCP access token.

	The result stays a dagger.Secret; the page describes it as a Bearer token,
	so pass it on as a secret rather than reading it into plain text.
	The optional service_account_email argument is not set here.
	"""
	auth = dag.gcp_auth()
	return auth.access_token_from_github_actions(workload_identity_provider, project_id, oidc_request_token, oidc_request_url)
/**
 * Exchanges the GitHub Actions OIDC identity for a GCP access token.
 * The result stays a Secret; the page describes it as a Bearer token, so pass
 * it on as a secret rather than reading it into plain text.
 * The optional serviceAccountEmail argument is not set here.
 */
@func()
example(workloadIdentityProvider: string, projectId: string, oidcRequestToken: Secret, oidcRequestUrl: Secret): Secret {
	const auth = dag.gcpAuth()
	return auth.accessTokenFromGithubActions(workloadIdentityProvider, projectId, oidcRequestToken, oidcRequestUrl)
}

accessTokenFromOidcToken() 🔗

Get a GCP access token from an OIDC token.

Returns an access token for APIs that accept Bearer tokens (e.g., Firebase CLI). For SDKs that use ADC, use with_oidc_token() or gcloud_container_from_oidc_token() instead.

Return Type
Secret !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| oidcToken | Secret ! | - | OIDC JWT token from any CI provider |
| workloadIdentityProvider | String ! | - | GCP Workload Identity Federation provider |
| projectId | String ! | - | GCP project ID |
| serviceAccountEmail | String | null | Service account to impersonate |
Example
# Exchange an OIDC JWT, read from the MYSECRET environment variable, for a GCP
# access token. `string` marks values to fill in.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call access-token-from-oidc-token \
 --oidc-token env:MYSECRET \
 --workload-identity-provider string \
 --project-id string
// Example exchanges a CI provider's OIDC JWT for a GCP access token.
// Both the incoming token and the returned access token are *dagger.Secret
// values. The optional serviceAccountEmail argument is not set here.
func (m *MyModule) Example(oidcToken *dagger.Secret, workloadIdentityProvider string, projectId string) *dagger.Secret {
	auth := dag.GcpAuth()
	return auth.AccessTokenFromOidcToken(oidcToken, workloadIdentityProvider, projectId)
}
@function
def example(oidc_token: dagger.Secret, workload_identity_provider: str, project_id: str) -> dagger.Secret:
	"""Exchange a CI provider's OIDC JWT for a GCP access token.

	Both the incoming token and the returned access token are dagger.Secret
	values. The optional service_account_email argument is not set here.
	"""
	auth = dag.gcp_auth()
	return auth.access_token_from_oidc_token(oidc_token, workload_identity_provider, project_id)
/**
 * Exchanges a CI provider's OIDC JWT for a GCP access token.
 * Both the incoming token and the returned access token are Secret values.
 * The optional serviceAccountEmail argument is not set here.
 */
@func()
example(oidcToken: Secret, workloadIdentityProvider: string, projectId: string): Secret {
	const auth = dag.gcpAuth()
	return auth.accessTokenFromOidcToken(oidcToken, workloadIdentityProvider, projectId)
}

configureDockerAuth() 🔗

Configure Docker authentication for GCP Artifact Registry.

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| container | Container ! | - | Container with Docker CLI |
| credentials | Secret ! | - | GCP service account credentials |
| registries | [String ! ] | null | Artifact Registry hostnames |
Example
# Configure Docker authentication for Artifact Registry in the given container.
# The service account credentials are read from the MYSECRET environment
# variable; IMAGE:TAG marks the container image to fill in.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call configure-docker-auth \
 --container IMAGE:TAG \
 --credentials env:MYSECRET
// Example configures Docker authentication for GCP Artifact Registry in the
// given container. The optional registries list is left at its default.
// NOTE(review): the page does not say where the Docker auth material ends up
// inside the returned container; confirm before exporting or publishing it.
func (m *MyModule) Example(container *dagger.Container, credentials *dagger.Secret) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.ConfigureDockerAuth(container, credentials)
}
@function
def example(container: dagger.Container, credentials: dagger.Secret) -> dagger.Container:
	"""Configure Docker authentication for GCP Artifact Registry.

	The optional registries list is left at its default.
	NOTE(review): the page does not say where the Docker auth material ends up
	inside the returned container; confirm before exporting or publishing it.
	"""
	auth = dag.gcp_auth()
	return auth.configure_docker_auth(container, credentials)
/**
 * Configures Docker authentication for GCP Artifact Registry in the given
 * container. The optional registries list is left at its default.
 * NOTE(review): the page does not say where the Docker auth material ends up
 * inside the returned container; confirm before exporting or publishing it.
 */
@func()
example(container: Container, credentials: Secret): Container {
	const auth = dag.gcpAuth()
	return auth.configureDockerAuth(container, credentials)
}

gcloudContainer() 🔗

Create authenticated gcloud SDK container using service account key.

For OIDC-based authentication, use gcloud_container_from_oidc_token() instead.

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| credentials | Secret ! | - | GCP service account credentials (JSON key) |
| projectId | String ! | - | GCP project ID |
| region | String ! | "us-central1" | Default GCP region |
| image | String ! | "google/cloud-sdk:alpine" | Google Cloud SDK image |
| components | [String ! ] | null | Additional gcloud components |
Example
# Build a gcloud SDK container authenticated with a service account JSON key
# read from the MYSECRET environment variable. `string` marks values to fill in.
# --image selects the container that receives the key, so a digest-pinned
# reference is a safer value than a tag that can be re-pointed.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call gcloud-container \
 --credentials env:MYSECRET \
 --project-id string \
 --region string \
 --image string
// Example builds a gcloud SDK container authenticated with a service account
// JSON key. The image argument selects the container that receives the key;
// the page's default is the tag google/cloud-sdk:alpine, and a tag can be
// re-pointed, so a digest-pinned reference is the safer value to pass.
// For OIDC-based authentication the page points to
// gcloud_container_from_oidc_token() instead.
func (m *MyModule) Example(credentials *dagger.Secret, projectId string, region string, image string) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.GcloudContainer(credentials, projectId, region, image)
}
@function
def example(credentials: dagger.Secret, project_id: str, region: str, image: str) -> dagger.Container:
	"""Build a gcloud SDK container authenticated with a service account JSON key.

	The image argument selects the container that receives the key; the page's
	default is the tag google/cloud-sdk:alpine, and a tag can be re-pointed, so
	a digest-pinned reference is the safer value to pass.
	For OIDC-based authentication the page points to
	gcloud_container_from_oidc_token() instead.
	"""
	auth = dag.gcp_auth()
	return auth.gcloud_container(credentials, project_id, region, image)
/**
 * Builds a gcloud SDK container authenticated with a service account JSON key.
 * The image argument selects the container that receives the key; the page's
 * default is the tag google/cloud-sdk:alpine, and a tag can be re-pointed, so
 * a digest-pinned reference is the safer value to pass.
 * For OIDC-based authentication the page points to
 * gcloud_container_from_oidc_token() instead.
 */
@func()
example(credentials: Secret, projectId: string, region: string, image: string): Container {
	const auth = dag.gcpAuth()
	return auth.gcloudContainer(credentials, projectId, region, image)
}

gcloudContainerFromGithubActions() 🔗

Create authenticated gcloud container using GitHub Actions OIDC.

Convenience wrapper that uses the oidc-token module to fetch the token. Equivalent to: `dag.oidc_token().github_token()` + `gcloud_container_from_oidc_token()`

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| workloadIdentityProvider | String ! | - | GCP Workload Identity Federation provider |
| projectId | String ! | - | GCP project ID |
| oidcRequestToken | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_TOKEN |
| oidcRequestUrl | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_URL |
| serviceAccountEmail | String | null | Service account to impersonate |
| region | String ! | "us-central1" | Default GCP region |
| image | String ! | "google/cloud-sdk:alpine" | Google Cloud SDK image |
Example
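# Build a gcloud container authenticated through GitHub Actions OIDC.
# The two request values are distinct secrets, so each reads its own runner
# variable instead of one shared MYSECRET placeholder; GitHub sets them only
# for jobs granted the `id-token: write` permission.
# `string` marks values to fill in; --image selects the container that gets
# authenticated, so a digest-pinned reference is safer than a movable tag.
dagger -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 call \
 gcloud-container-from-github-actions \
 --workload-identity-provider string \
 --project-id string \
 --oidc-request-token env:ACTIONS_ID_TOKEN_REQUEST_TOKEN \
 --oidc-request-url env:ACTIONS_ID_TOKEN_REQUEST_URL \
 --region string \
 --image string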
// Example builds a gcloud container authenticated through GitHub Actions OIDC.
// The image argument selects the container that gets authenticated; the page's
// default is a tag (google/cloud-sdk:alpine), so passing a digest-pinned
// reference avoids depending on a tag that can be re-pointed.
// The optional serviceAccountEmail argument is not set here.
func (m *MyModule) Example(workloadIdentityProvider string, projectId string, oidcRequestToken *dagger.Secret, oidcRequestUrl *dagger.Secret, region string, image string) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.GcloudContainerFromGithubActions(workloadIdentityProvider, projectId, oidcRequestToken, oidcRequestUrl, region, image)
}
@function
def example(workload_identity_provider: str, project_id: str, oidc_request_token: dagger.Secret, oidc_request_url: dagger.Secret, region: str, image: str) -> dagger.Container:
	"""Build a gcloud container authenticated through GitHub Actions OIDC.

	The image argument selects the container that gets authenticated; the
	page's default is a tag (google/cloud-sdk:alpine), so passing a
	digest-pinned reference avoids depending on a tag that can be re-pointed.
	The optional service_account_email argument is not set here.
	"""
	auth = dag.gcp_auth()
	return auth.gcloud_container_from_github_actions(workload_identity_provider, project_id, oidc_request_token, oidc_request_url, region, image)
/**
 * Builds a gcloud container authenticated through GitHub Actions OIDC.
 * The image argument selects the container that gets authenticated; the page's
 * default is a tag (google/cloud-sdk:alpine), so passing a digest-pinned
 * reference avoids depending on a tag that can be re-pointed.
 * The optional serviceAccountEmail argument is not set here.
 */
@func()
example(workloadIdentityProvider: string, projectId: string, oidcRequestToken: Secret, oidcRequestUrl: Secret, region: string, image: string): Container {
	const auth = dag.gcpAuth()
	return auth.gcloudContainerFromGithubActions(workloadIdentityProvider, projectId, oidcRequestToken, oidcRequestUrl, region, image)
}

gcloudContainerFromHost() 🔗

Create authenticated gcloud SDK container using ADC from host.

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| projectId | String ! | - | GCP project ID |
| region | String ! | "us-central1" | Default GCP region |
| image | String ! | "google/cloud-sdk:alpine" | Google Cloud SDK image |
| components | [String ! ] | null | Additional gcloud components |
| gcloudConfigPath | String ! | "" | Path to gcloud config on host |
Example
# Build a gcloud SDK container authenticated with Application Default
# Credentials taken from the host. `string` marks values to fill in.
# NOTE(review): whatever identity the host's ADC holds becomes usable inside
# the returned container; confirm that is acceptable for the steps run in it.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call gcloud-container-from-host \
 --project-id string \
 --region string \
 --image string \
 --gcloud-config-path string
// Example builds a gcloud SDK container authenticated with Application
// Default Credentials taken from the host; gcloudConfigPath is the path to
// the gcloud config on the host.
// NOTE(review): whatever identity the host's ADC holds becomes usable inside
// the returned container; confirm that is acceptable for the steps run in it.
func (m *MyModule) Example(projectId string, region string, image string, gcloudConfigPath string) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.GcloudContainerFromHost(projectId, region, image, gcloudConfigPath)
}
@function
def example(project_id: str, region: str, image: str, gcloud_config_path: str) -> dagger.Container:
	"""Build a gcloud SDK container authenticated with ADC from the host.

	gcloud_config_path is the path to the gcloud config on the host.
	NOTE(review): whatever identity the host's ADC holds becomes usable inside
	the returned container; confirm that is acceptable for the steps run in it.
	"""
	auth = dag.gcp_auth()
	return auth.gcloud_container_from_host(project_id, region, image, gcloud_config_path)
/**
 * Builds a gcloud SDK container authenticated with Application Default
 * Credentials taken from the host; gcloudConfigPath is the path to the gcloud
 * config on the host.
 * NOTE(review): whatever identity the host's ADC holds becomes usable inside
 * the returned container; confirm that is acceptable for the steps run in it.
 */
@func()
example(projectId: string, region: string, image: string, gcloudConfigPath: string): Container {
	const auth = dag.gcpAuth()
	return auth.gcloudContainerFromHost(projectId, region, image, gcloudConfigPath)
}

gcloudContainerFromOidcToken() 🔗

Create authenticated gcloud container using an OIDC token.

This is the generic, CI-agnostic method. Use the oidc-token module to fetch tokens from your CI provider (GitHub, GitLab, CircleCI, etc.).

Example (GitHub Actions):

    token = dag.oidc_token().github_token(request_token, request_url, audience)
    gcloud = dag.gcp_auth().gcloud_container_from_oidc_token(token, wif_provider, project_id)

Example (GitLab CI):

    token = dag.oidc_token().gitlab_token(ci_job_jwt)
    gcloud = dag.gcp_auth().gcloud_container_from_oidc_token(token, wif_provider, project_id)

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| oidcToken | Secret ! | - | OIDC JWT token from any CI provider |
| workloadIdentityProvider | String ! | - | GCP Workload Identity Federation provider |
| projectId | String ! | - | GCP project ID |
| serviceAccountEmail | String | null | Service account to impersonate |
| region | String ! | "us-central1" | Default GCP region |
| image | String ! | "google/cloud-sdk:alpine" | Google Cloud SDK image |
Example
# Build a gcloud container authenticated with an OIDC JWT read from the
# MYSECRET environment variable. `string` marks values to fill in.
# --image selects the container that gets authenticated, so a digest-pinned
# reference is a safer value than a tag that can be re-pointed.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call gcloud-container-from-oidc-token \
 --oidc-token env:MYSECRET \
 --workload-identity-provider string \
 --project-id string \
 --region string \
 --image string
// Example builds a gcloud container authenticated with an OIDC JWT from any
// CI provider; the page describes this as the generic, CI-agnostic method.
// The image argument selects the container that gets authenticated, so a
// digest-pinned reference is safer than the page's default tag.
// The optional serviceAccountEmail argument is not set here.
func (m *MyModule) Example(oidcToken *dagger.Secret, workloadIdentityProvider string, projectId string, region string, image string) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.GcloudContainerFromOidcToken(oidcToken, workloadIdentityProvider, projectId, region, image)
}
@function
def example(oidc_token: dagger.Secret, workload_identity_provider: str, project_id: str, region: str, image: str) -> dagger.Container:
	"""Build a gcloud container authenticated with an OIDC JWT from any CI provider.

	The page describes this as the generic, CI-agnostic method.
	The image argument selects the container that gets authenticated, so a
	digest-pinned reference is safer than the page's default tag.
	The optional service_account_email argument is not set here.
	"""
	auth = dag.gcp_auth()
	return auth.gcloud_container_from_oidc_token(oidc_token, workload_identity_provider, project_id, region, image)
/**
 * Builds a gcloud container authenticated with an OIDC JWT from any CI
 * provider; the page describes this as the generic, CI-agnostic method.
 * The image argument selects the container that gets authenticated, so a
 * digest-pinned reference is safer than the page's default tag.
 * The optional serviceAccountEmail argument is not set here.
 */
@func()
example(oidcToken: Secret, workloadIdentityProvider: string, projectId: string, region: string, image: string): Container {
	const auth = dag.gcpAuth()
	return auth.gcloudContainerFromOidcToken(oidcToken, workloadIdentityProvider, projectId, region, image)
}

getProjectId() 🔗

Extract project ID from credentials (service account key or WIF).

Return Type
String !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| credentials | Secret ! | - | GCP service account credentials |
Example
# Print the project ID extracted from the credentials held in the MYSECRET
# environment variable.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call get-project-id \
 --credentials env:MYSECRET
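// Example extracts the GCP project ID from the given credentials.
// GetProjectId resolves to a plain string, and Dagger's Go bindings return
// such values together with an error, so the signature returns both instead
// of the single string shown by the page template.
func (m *MyModule) Example(ctx context.Context, credentials *dagger.Secret) (string, error) {
	auth := dag.GcpAuth()
	return auth.GetProjectId(ctx, credentials)
}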
@function
async def example(credentials: dagger.Secret) -> str:
	"""Extract the GCP project ID from the credentials and return it as a plain string."""
	auth = dag.gcp_auth()
	return await auth.get_project_id(credentials)
/** Extracts the GCP project ID from the credentials and resolves to it as a plain string. */
@func()
async example(credentials: Secret): Promise<string> {
	const auth = dag.gcpAuth()
	return auth.getProjectId(credentials)
}

oidcTokenFromGithubActions() 🔗

Get OIDC JWT token from GitHub Actions with correct GCP audience.

Returns the raw OIDC token that can be used with with_oidc_token() or passed to other modules that accept OIDC tokens for GCP authentication.

This handles the GCP-specific audience format (//iam.googleapis.com/…).

Return Type
Secret !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| workloadIdentityProvider | String ! | - | GCP Workload Identity Federation provider |
| oidcRequestToken | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_TOKEN |
| oidcRequestUrl | Secret ! | - | ACTIONS_ID_TOKEN_REQUEST_URL |
Example
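# Fetch the raw GitHub Actions OIDC JWT with the GCP audience.
# The two request values are distinct secrets, so each reads its own runner
# variable instead of one shared MYSECRET placeholder; GitHub sets them only
# for jobs granted the `id-token: write` permission.
# `string` marks the provider value to fill in.
dagger -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 call \
 oidc-token-from-github-actions \
 --workload-identity-provider string \
 --oidc-request-token env:ACTIONS_ID_TOKEN_REQUEST_TOKEN \
 --oidc-request-url env:ACTIONS_ID_TOKEN_REQUEST_URL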
// Example fetches the raw GitHub Actions OIDC JWT with the GCP audience format
// (//iam.googleapis.com/…) for the given Workload Identity Federation provider.
// The token is returned as a *dagger.Secret and can be passed to
// with_oidc_token() or to other modules that accept OIDC tokens.
func (m *MyModule) Example(workloadIdentityProvider string, oidcRequestToken *dagger.Secret, oidcRequestUrl *dagger.Secret) *dagger.Secret {
	auth := dag.GcpAuth()
	return auth.OidcTokenFromGithubActions(workloadIdentityProvider, oidcRequestToken, oidcRequestUrl)
}
@function
def example(workload_identity_provider: str, oidc_request_token: dagger.Secret, oidc_request_url: dagger.Secret) -> dagger.Secret:
	"""Fetch the raw GitHub Actions OIDC JWT with the GCP audience format.

	The audience format is //iam.googleapis.com/… for the given Workload
	Identity Federation provider. The token is returned as a dagger.Secret and
	can be passed to with_oidc_token() or to other modules that accept OIDC
	tokens.
	"""
	auth = dag.gcp_auth()
	return auth.oidc_token_from_github_actions(workload_identity_provider, oidc_request_token, oidc_request_url)
/**
 * Fetches the raw GitHub Actions OIDC JWT with the GCP audience format
 * (//iam.googleapis.com/…) for the given Workload Identity Federation provider.
 * The token is returned as a Secret and can be passed to with_oidc_token() or
 * to other modules that accept OIDC tokens.
 */
@func()
example(workloadIdentityProvider: string, oidcRequestToken: Secret, oidcRequestUrl: Secret): Secret {
	const auth = dag.gcpAuth()
	return auth.oidcTokenFromGithubActions(workloadIdentityProvider, oidcRequestToken, oidcRequestUrl)
}

verifyCredentials() 🔗

Verify GCP credentials and return service account email.

Return Type
String !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| credentials | Secret ! | - | GCP service account credentials |
Example
# Verify the credentials held in the MYSECRET environment variable and print
# the service account email they belong to.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call verify-credentials \
 --credentials env:MYSECRET
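// Example verifies the GCP credentials and returns the service account email.
// VerifyCredentials resolves to a plain string, and Dagger's Go bindings
// return such values together with an error, so the signature returns both
// instead of the single string shown by the page template.
func (m *MyModule) Example(ctx context.Context, credentials *dagger.Secret) (string, error) {
	auth := dag.GcpAuth()
	return auth.VerifyCredentials(ctx, credentials)
}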
@function
async def example(credentials: dagger.Secret) -> str:
	"""Verify the GCP credentials and return the service account email as a plain string."""
	auth = dag.gcp_auth()
	return await auth.verify_credentials(credentials)
/** Verifies the GCP credentials and resolves to the service account email as a plain string. */
@func()
async example(credentials: Secret): Promise<string> {
	const auth = dag.gcpAuth()
	return auth.verifyCredentials(credentials)
}

withCredentials() 🔗

Add GCP service account credentials to container.

For OIDC credentials, use with_oidc_token() instead.

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| container | Container ! | - | Container to configure |
| credentials | Secret ! | - | GCP service account credentials (JSON) |
| credentialsPath | String ! | "/run/secrets/gcp-credentials.json" | Path for credentials file |
| exportEnvVars | Boolean ! | true | Export GCP environment variables |
Example
# Add service account credentials, read from the MYSECRET environment variable,
# to a container. IMAGE:TAG, `string` and `boolean` mark values to fill in.
# NOTE(review): later steps in the returned container can presumably read the
# file at --credentials-path; confirm before running third-party code in it.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call with-credentials \
 --container IMAGE:TAG \
 --credentials env:MYSECRET \
 --credentials-path string \
 --export-env-vars boolean
// Example adds GCP service account credentials (JSON) to the container.
// credentialsPath is the path for the credentials file (page default
// /run/secrets/gcp-credentials.json) and exportEnvVars controls whether GCP
// environment variables are exported.
// NOTE(review): later steps in the returned container can presumably read the
// key file; confirm before running third-party code in it.
func (m *MyModule) Example(container *dagger.Container, credentials *dagger.Secret, credentialsPath string, exportEnvVars bool) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.WithCredentials(container, credentials, credentialsPath, exportEnvVars)
}
@function
def example(container: dagger.Container, credentials: dagger.Secret, credentials_path: str, export_env_vars: bool) -> dagger.Container:
	"""Add GCP service account credentials (JSON) to the container.

	credentials_path is the path for the credentials file (page default
	/run/secrets/gcp-credentials.json) and export_env_vars controls whether GCP
	environment variables are exported.
	NOTE(review): later steps in the returned container can presumably read the
	key file; confirm before running third-party code in it.
	"""
	auth = dag.gcp_auth()
	return auth.with_credentials(container, credentials, credentials_path, export_env_vars)
/**
 * Adds GCP service account credentials (JSON) to the container.
 * credentialsPath is the path for the credentials file (page default
 * /run/secrets/gcp-credentials.json) and exportEnvVars controls whether GCP
 * environment variables are exported.
 * NOTE(review): later steps in the returned container can presumably read the
 * key file; confirm before running third-party code in it.
 */
@func()
example(container: Container, credentials: Secret, credentialsPath: string, exportEnvVars: boolean): Container {
	const auth = dag.gcpAuth()
	return auth.withCredentials(container, credentials, credentialsPath, exportEnvVars)
}

withOidcToken() 🔗

Configure container with an OIDC token for GCP authentication.

The token can come from any CI provider (GitHub, GitLab, CircleCI, etc.). Use the oidc-token module to fetch tokens from your CI provider.

Example:

    token = dag.oidc_token().github_token(request_token, request_url, audience)
    container = dag.gcp_auth().with_oidc_token(container, token, wif_provider)

Return Type
Container !
Arguments
| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| container | Container ! | - | Container to configure |
| oidcToken | Secret ! | - | OIDC JWT token from any CI provider |
| workloadIdentityProvider | String ! | - | GCP Workload Identity Federation provider |
| serviceAccountEmail | String | null | Service account to impersonate |
Example
# Configure a container for GCP authentication with an OIDC JWT read from the
# MYSECRET environment variable. IMAGE:TAG and `string` mark values to fill in.
dagger \
 -m github.com/telchak/daggerverse/gcp-auth@010621c997378db92da5969584001be575c5e5a7 \
 call with-oidc-token \
 --container IMAGE:TAG \
 --oidc-token env:MYSECRET \
 --workload-identity-provider string
// Example configures the container with an OIDC token for GCP authentication
// through the given Workload Identity Federation provider. The token can come
// from any CI provider and is passed as a *dagger.Secret.
// The optional serviceAccountEmail argument is not set here.
func (m *MyModule) Example(container *dagger.Container, oidcToken *dagger.Secret, workloadIdentityProvider string) *dagger.Container {
	auth := dag.GcpAuth()
	return auth.WithOidcToken(container, oidcToken, workloadIdentityProvider)
}
@function
def example(container: dagger.Container, oidc_token: dagger.Secret, workload_identity_provider: str) -> dagger.Container:
	"""Configure the container with an OIDC token for GCP authentication.

	Authentication goes through the given Workload Identity Federation
	provider. The token can come from any CI provider and is passed as a
	dagger.Secret. The optional service_account_email argument is not set here.
	"""
	auth = dag.gcp_auth()
	return auth.with_oidc_token(container, oidc_token, workload_identity_provider)
/**
 * Configures the container with an OIDC token for GCP authentication through
 * the given Workload Identity Federation provider. The token can come from any
 * CI provider and is passed as a Secret.
 * The optional serviceAccountEmail argument is not set here.
 */
@func()
example(container: Container, oidcToken: Secret, workloadIdentityProvider: string): Container {
	const auth = dag.gcpAuth()
	return auth.withOidcToken(container, oidcToken, workloadIdentityProvider)
}