Generate GCP access tokens from OIDC tokens

The GCP OIDC plugin generates a Google Cloud access token from your OIDC token and then stores the GCP token in the output variable GCLOUD_ACCESS_TOKEN. You can also configure the plugin to generate a credentials .json file and then use that file to authenticate and generate a token. You can use the variable or credentials file in subsequent pipeline steps to control Google Cloud Services through API (cURL) or the gcloud CLI.

For general information about using plugins in CI pipelines, go to Explore plugins and Use Drone plugins.

Add OIDC token stage variable

The GCP OIDC plugin requires an OIDC token, which it ingests from a stage variable.

Add a stage variable named PLUGIN_OIDC_TOKEN_ID and set the value to your OIDC token.

You can store your OIDC ID token in a Harness text secret and then use an expression to reference the secret in your stage variable, such as <+secrets.getValue("oidc_token_id")>.

Configure the GCP OIDC plugin

To use the GCP OIDC plugin, add a Plugin step to your CI pipeline. For example:

- step:
    type: Plugin
    name: generate-token
    identifier: generate-token
    spec:
      connectorRef: account.harnessImage
      image: plugins/gcp-oidc
      settings:
        project_id: 12345678
        pool_id: 12345678
        provider_id: service-account1
        duration: 7200
        create_application_credentials_file: false

To use the GCP OIDC plugin, configure the Plugin step settings as follows:

| Key | Type | Description | Value example |
|---|---|---|---|
| connectorRef | String | Select a Docker connector. Harness uses this connector to pull the plugin image. | account.harnessImage |
| image | String | Enter plugins/gcp-oidc. You can specify an optional architecture tag. For a list of available tags, go to the GCP OIDC plugin README. | plugins/gcp-oidc:linux-amd64 |
| project_id | String | Your GCP project ID. | 12345678 |
| pool_id | String | The pool ID for OIDC authentication. | 12345678 |
| provider_id | String | The provider ID for OIDC authentication. | service-account1 |
| service_account_email_id | String | The service account's email address. | |
| duration | String | The generated access token's lifetime in seconds. The default is 3600. The service account must have the iam.allowServiceAccountCredentialLifetimeExtension permission to set a custom duration. | |
| create_application_credentials_file | Boolean | Set to true to generate an application_default_credentials.json file. The credentials file is an alternative way to obtain the access token (see Get token from credentials file). The default is false. | |

You can use variable expressions for plugin settings. For example, registry_username: <+stage.variables.service_account> references a stage variable called SERVICE_ACCOUNT.

Use the GCP token

The GCP OIDC plugin outputs the GCP token to the variable GCLOUD_ACCESS_TOKEN. You can reference this output variable in subsequent pipeline steps to control Google Cloud Services through API (cURL) or the gcloud CLI.

To reference this variable, use an expression such as <+steps.STEP_ID.output.outputVariables.GCLOUD_ACCESS_TOKEN>. Replace STEP_ID with the ID of the GCP OIDC plugin step, such as <+steps.generate_gcp_token.output.outputVariables.GCLOUD_ACCESS_TOKEN>.

Here's a YAML example of a Plugin step generating a GCP token and a Run step using that token.

- step:
    type: Plugin
    name: generate-token
    identifier: generate_token
    spec:
      connectorRef: account.harnessImage
      image: plugins/gcp-oidc
      settings:
        project_id: 12345678
        pool_id: 12345678
        provider_id: service-account1
        duration: 7200
        create_application_credentials_file: false
- step:
    type: Run
    name: list compute engine zone
    identifier: list_zones
    spec:
      shell: Sh
      command: |-
        curl -H "Authorization: Bearer <+steps.generate_token.output.outputVariables.GCLOUD_ACCESS_TOKEN>" \

Get token from credentials file

If you set create_application_credentials_file to true, run the following commands to authenticate and get the access token using the credentials file:

gcloud auth login --brief --cred-file <+execution.steps.STEP_ID.output.outputVariables.GOOGLE_APPLICATION_CREDENTIALS>
gcloud config config-helper --format="json(credential)"

The first line authenticates and the second line generates the access token.
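The two ways of obtaining the token described above (the GCLOUD_ACCESS_TOKEN output variable, or the gcloud config-helper JSON produced from the credentials file) both end with the same thing: a bearer token placed in an Authorization header. The following Python script is an added example, not part of the Harness docs or the plugin, showing how a later pipeline step can consume either source safely: it parses the config-helper JSON, refuses tokens that are at or near expiry, builds the Compute Engine zones request the Run step above sketches with curl, and only ever logs a redacted form of the token. The config-helper sample is constructed (placeholder token, far-future expiry) and assumes the `credential.access_token` / `credential.token_expiry` fields gcloud prints; the project ID 12345678 is the page's placeholder.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

# Constructed sample of `gcloud config config-helper --format="json(credential)"` output.
# The token is a placeholder, not a real credential.
SAMPLE_CONFIG_HELPER_OUTPUT = """{
  "credential": {
    "access_token": "ya29.EXAMPLE-PLACEHOLDER-TOKEN",
    "token_expiry": "2099-01-01T00:00:00Z"
  }
}"""


def token_from_config_helper(json_text):
    """Extract (access_token, token_expiry) from config-helper JSON."""
    cred = json.loads(json_text)["credential"]
    return cred["access_token"], cred["token_expiry"]


def token_is_current(token_expiry, now=None, skew_seconds=60):
    """True if the token expires more than skew_seconds from now.

    The skew keeps a step from starting a long API call with a token that
    will expire mid-request (the plugin's `duration` setting bounds this).
    """
    expiry = datetime.strptime(token_expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds() > skew_seconds


def redact(token):
    """Log-safe rendering of a bearer token: first and last 4 chars only."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"


def resolve_token(env=None, config_helper_json=None):
    """Prefer the plugin's GCLOUD_ACCESS_TOKEN output variable (exposed to the
    step as an environment variable here, an assumption of this example);
    fall back to config-helper JSON from the credentials-file flow."""
    env = os.environ if env is None else env
    token = env.get("GCLOUD_ACCESS_TOKEN")
    if token:
        return token, None  # the output variable carries no expiry metadata
    if config_helper_json:
        token, expiry = token_from_config_helper(config_helper_json)
        if not token_is_current(expiry):
            raise RuntimeError("GCP access token from credentials file is expired or about to expire")
        return token, expiry
    raise RuntimeError("no GCP access token available: set GCLOUD_ACCESS_TOKEN or pass config-helper JSON")


def build_zones_request(token, project_id):
    """Build the Compute Engine 'list zones' request with a bearer token.

    Building and sending are separated so the request can be inspected and
    tested without network access.
    """
    url = f"https://compute.googleapis.com/compute/v1/projects/{project_id}/zones"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    token, expiry = resolve_token(env={}, config_helper_json=SAMPLE_CONFIG_HELPER_OUTPUT)
    req = build_zones_request(token, "12345678")
    # Print only the redacted token; never echo a bearer token into pipeline logs.
    print(f"using token {redact(token)} (expiry {expiry}) for {req.full_url}")
    # To actually call the API: urllib.request.urlopen(req).read()
```

In a real Run step the token would come from the plugin's output variable rather than the constructed sample, and the `urlopen` call would be enabled; the point of the structure is that expiry checking and redaction happen before any request is sent, so a stale or leaked token is caught in the step that holds it rather than in an API error downstream.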