C.W.K.
Stream
Lesson 05 of 13 · published

Cloud deploy — GCP & Azure

~11 min · gcp, azure, oidc


Same OIDC pattern, different IAM names

GCP — Workload Identity Federation

  1. Create a Workload Identity Pool.
  2. Add an OIDC provider for GitHub to the pool: issuer https://token.actions.githubusercontent.com.
  3. Create a Service Account and grant it the deploy permissions.
  4. Bind the SA to the pool with an attribute condition that matches your repo.
  5. In CI: the google-github-actions/auth action.

Azure — Federated credential on a Service Principal

  1. Create an App Registration / Service Principal.
  2. Under Federated credentials, add a GitHub Actions entry with subject repo:my-org/my-repo:ref:refs/heads/main.
  3. Give the SP a role assignment (Contributor, AcrPush, etc.).
  4. In CI: azure/login with client-id, tenant-id and subscription-id.

Deploy targets

  • GCP: Cloud Run, GKE, App Engine, Cloud Functions, Cloud Storage.
  • Azure: App Service, AKS, Container Apps, Functions, Static Web Apps.

Code

GCP Cloud Run deploy (yaml)
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request a GitHub OIDC token
      contents: read
    steps:
      - uses: google-github-actions/auth@v2
        with:
          # full resource name of the WIF provider (123 is a placeholder project number)
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gha/providers/gha
          service_account: deploy@my-project.iam.gserviceaccount.com
      - uses: google-github-actions/setup-gcloud@v2
      - run: |
          gcloud run deploy my-service \
            --image gcr.io/my-project/my-service:${{ github.sha }} \
            --region us-central1 --platform managed
Azure Web App deploy (yaml)
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request a GitHub OIDC token
      contents: read
    steps:
      - uses: azure/login@v2
        with:
          # identifiers only; with a federated credential no client secret is needed
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/webapps-deploy@v3
        with:
          app-name: my-app
          package: ./dist

Exercise

On either cloud, set up OIDC end-to-end with at least one minimal deploy job. The first attempt always fails (the trust policy is the hard part): read the auth action's error message carefully.
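To make the trust-policy step concrete, here is an added example (not from the lesson and not either cloud's own SDK) that simulates the claim checks a cloud IdP applies to a GitHub Actions OIDC token before issuing credentials, for both the Azure subject match and the GCP attribute mapping plus condition from the steps above. Token claims are constructed sample data, signature verification is left out, and the provider name reuses the placeholder from the Cloud Run workflow.

```python
# Simulation of the trust-policy checks behind google-github-actions/auth and azure/login.
# Only the claim logic is modelled; JWT signature and expiry checks are omitted on purpose.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Provider resource name from the lesson's Cloud Run workflow (123 is a placeholder project number).
GCP_PROVIDER = "projects/123/locations/global/workloadIdentityPools/gha/providers/gha"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # audience Azure expects on GitHub tokens

def github_claims(sub, aud, repository="my-org/my-repo", ref="refs/heads/main", event="push"):
    """Constructed claim set shaped like the payload of a GitHub Actions OIDC token."""
    return {"iss": GITHUB_ISSUER, "aud": aud, "sub": sub,
            "repository": repository, "ref": ref, "event_name": event}

def azure_federated_credential_check(claims, subject, audience=AZURE_AUDIENCE):
    """Azure matches issuer, audience and subject exactly. Returns the claims that failed."""
    expected = {"iss": GITHUB_ISSUER, "aud": audience, "sub": subject}
    return [name for name, want in expected.items() if claims.get(name) != want]

def gcp_wif_check(claims, provider, attribute_mapping, attribute_condition):
    """GCP: the audience is the provider resource name, claims are copied into attributes
    through the mapping (CEL `attribute.x=assertion.y`), then the condition must hold."""
    failed = []
    if claims.get("iss") != GITHUB_ISSUER:
        failed.append("iss")
    if claims.get("aud") != f"https://iam.googleapis.com/{provider}":
        failed.append("aud")
    attributes = {attr: claims.get(claim) for attr, claim in attribute_mapping.items()}
    if not attribute_condition(attributes):
        failed.append("attribute_condition")
    return failed

# Classic first-attempt failure: the trust policy names the main-branch subject, but the
# workflow ran on pull_request, whose subject is "repo:<owner>/<repo>:pull_request".
BRANCH_SUBJECT = "repo:my-org/my-repo:ref:refs/heads/main"
PR_SUBJECT = "repo:my-org/my-repo:pull_request"

def demo():
    """Run one accepted and one rejected token through each cloud's check."""
    azure_ok = azure_federated_credential_check(github_claims(BRANCH_SUBJECT, AZURE_AUDIENCE), BRANCH_SUBJECT)
    azure_pr = azure_federated_credential_check(
        github_claims(PR_SUBJECT, AZURE_AUDIENCE, event="pull_request"), BRANCH_SUBJECT)
    mapping = {"google.subject": "sub", "repository": "repository"}
    condition = lambda a: a["repository"] == "my-org/my-repo"  # CEL: attribute.repository == 'my-org/my-repo'
    gcp_aud = f"https://iam.googleapis.com/{GCP_PROVIDER}"
    gcp_ok = gcp_wif_check(github_claims(BRANCH_SUBJECT, gcp_aud), GCP_PROVIDER, mapping, condition)
    gcp_fork = gcp_wif_check(github_claims("repo:someone/fork:ref:refs/heads/main", gcp_aud,
                                           repository="someone/fork"), GCP_PROVIDER, mapping, condition)
    return azure_ok, azure_pr, gcp_ok, gcp_fork

if __name__ == "__main__":
    print(demo())
```

An empty list means the token would be accepted; the failing claim names are what to compare against the subject or condition you configured when the real auth action rejects the token.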
