a month ago
Hi,
I’m trying to use Google Workload Identity Federation with Railway OIDC.
My service does not receive /app/railway-oidc-token and RAILWAY_OIDC_TOKEN is missing.
The UI shows no Service Identity / OIDC toggle.
Can you enable OIDC / Service Identity for this project or tell me what plan/setting is required?
3 Replies
20 days ago
Hello! Railway does not currently support OpenID Connect (OIDC) Federation. There is currently no plan or setting that will enable this feature. If this is something you would like to see, please submit a feature request.
> frankeld:
> Hello! Railway does not currently support OpenID Connect (OIDC) Federation. There is currently no plan or setting that will enable this feature. If this is something you would like to see, please submit a feature request.
20 days ago
I've created a feature request: https://station.railway.com/feedback/add-support-for-oidc-federation-or-simil-f2d9c2e7
20 days ago
To add a workaround while OIDC is not supported: since Railway doesn't provide OIDC tokens for keyless auth, the standard fallback for Google Cloud access is using a Service Account JSON key stored as an environment variable.
In your Railway service, add an env var like:
GOOGLE_APPLICATION_CREDENTIALS_JSON=<paste your service account JSON here>
Then in your code, load it manually:
```python
import json
import os

from google.oauth2 import service_account

# Parse the service account key JSON from the environment variable set above.
creds_info = json.loads(os.environ['GOOGLE_APPLICATION_CREDENTIALS_JSON'])
credentials = service_account.Credentials.from_service_account_info(creds_info)
```
This lets you authenticate to GCP without Workload Identity Federation. It's less ideal security-wise than OIDC (since it's a long-lived key), but it works fine on Railway today. Make sure the service account has only the minimum required permissions.
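As an added example (not part of the reply above, and not Railway or Google code): a standard-library check to run before handing the parsed key to `from_service_account_info`. It fails closed on a missing or malformed variable, repairs the double-escaped newlines that pasting a key into an env var can produce, and returns only non-secret fields for logging. The function names and the sample values are assumptions constructed for illustration.

```python
import json
import os

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS_JSON"  # variable name from the reply above
REQUIRED = ("type", "client_email", "private_key", "private_key_id", "token_uri")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"


def load_service_account_info(env=os.environ):
    """Parse and validate the key JSON (hypothetical helper); errors never echo it."""
    raw = env.get(ENV_VAR)
    if not raw:
        raise ValueError(f"{ENV_VAR} is not set")
    try:
        info = json.loads(raw)
    except json.JSONDecodeError as exc:
        # exc.doc holds the full key text, so drop the chained exception.
        raise ValueError(f"{ENV_VAR} is not valid JSON (char {exc.pos})") from None
    if not isinstance(info, dict):
        raise ValueError(f"{ENV_VAR} must be a JSON object")
    missing = [k for k in REQUIRED if not info.get(k)]
    if missing:
        raise ValueError(f"{ENV_VAR} is missing fields: {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"unexpected credential type {info['type']!r}")
    key = info["private_key"]
    if "\\n" in key and "\n" not in key:
        # Double-escaped on paste: newlines arrived as the two characters \ and n.
        key = key.replace("\\n", "\n")
    if not key.startswith(PEM_HEADER) or "\n" not in key:
        raise ValueError("private_key is not a PEM block")
    info["private_key"] = key
    return info


def loggable(info):
    """Fields that identify the key for rotation and audit, never the key itself."""
    return {k: info[k] for k in ("client_email", "private_key_id")}


if __name__ == "__main__":
    # Constructed sample, not a real key or a real service account.
    sample = {"type": "service_account", "token_uri": "https://oauth2.googleapis.com/token",
              "client_email": "svc@example-project.iam.gserviceaccount.com",
              "private_key_id": "constructed-key-id",
              "private_key": PEM_HEADER + "\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}
    info = load_service_account_info({ENV_VAR: json.dumps(sample)})
    print("loaded key:", loggable(info))
```

Pass the returned dict to `service_account.Credentials.from_service_account_info` in place of the raw `json.loads` result, and log `private_key_id` at startup so a leaked or stale key can be matched to the one to rotate.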