google-github-actions / auth
A GitHub Action for authenticating to Google Cloud.
Home Page: https://cloud.google.com/iam
License: Apache License 2.0
Moving from the deprecated service_account_key in google-github-actions/setup-gcloud to credentials_json gives me the following error:
Error: google-github-actions/setup-gcloud failed with: Error parsing credentials: Unexpected end of JSON input
Ensure your credentials are base64 encoded or validate JSON format:
I have also tried to encode the JSON key to base64, but it does not change the behaviour.
name: Test on GKE
on:
  push: {}
env:
  PROJECT_ID: my-project
  GKE_ZONE: europe-west1-b
jobs:
  create-e-cluster:
    name: Create GKE cluster
    runs-on: ubuntu-latest
    outputs:
      cluster_name: my-cluster
    steps:
      # Setup gcloud CLI
      - id: 'auth'
        uses: 'google-github-actions/[email protected]'
        with:
          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
      - uses: google-github-actions/setup-gcloud@master
        with:
          project_id: ${{ env.PROJECT_ID }}
          export_default_credentials: true
It's not an issue with the JSON key itself, as the same value for service_account_key in google-github-actions/setup-gcloud is working.
It feels like this is more a discussion than an issue, but as Discussions are not enabled, I am opening this issue.
This process is a great way to get an access token, but google helpers (from docker credential helpers, library helpers, ...) will use GOOGLE_APPLICATION_CREDENTIALS or call gcloud to get an access token.
Is there a way to use this access token in a transparent way with those helpers? (like a GOOGLE_APPLICATION_ACCESS_TOKEN env variable)
Thank you
gcloud setup action failed after successful authentication with google-github-actions/auth@v0 action.
google-github-actions/setup-gcloud failed with: The process '/opt/hostedtoolcache/gcloud/371.0.0/x64/bin/gcloud' failed with exit code 1
Should be able to setup gcloud after auth action.
Setup gcloud action failed during installation.
name: test
on:
  push:
    paths:
      - ".github/workflows/test.yaml"
jobs:
  job_id:
    # ...
    runs-on: ubuntu-latest
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: 'actions/checkout@v2'
      # Configure Workload Identity Federation via a credentials file.
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: "<redacted>"
          service_account: "<redacted>"
      # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v0'
      # Now you can run gcloud commands authenticated as the impersonated service account.
      - id: 'gcloud'
        name: 'gcloud'
        run: |-
          gcloud secrets versions access "latest" --secret "my-secret"
Run google-github-actions/setup-gcloud@v0
  with:
    version: latest
    export_default_credentials: false
    cleanup_credentials: true
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/gruffalo-mirror/gruffalo-mirror/754e55846bfbfab3698599f8
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/gruffalo-mirror/gruffalo-mirror/754e55846bfbfab3698599f8
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/gruffalo-mirror/gruffalo-mirror/754e55846bfbfab3698599f8
    CLOUDSDK_PROJECT: <redacted>
    CLOUDSDK_CORE_PROJECT: <redacted>
    GCP_PROJECT: <redacted>
    GCLOUD_PROJECT: <redacted>
    GOOGLE_CLOUD_PROJECT: <redacted>
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/51f8b71f-b0f3-4043-9cfa-9f4fff5bee67 -f /home/runner/work/_temp/5d398a48-c1c2-46c6-8f78-78a9c1900bc5
Error: google-github-actions/setup-gcloud failed with: The process '/opt/hostedtoolcache/gcloud/371.0.0/x64/bin/gcloud' failed with exit code 1
I followed the Readme instructions to create Workload Identity Federation.
Getting a 403 error when authenticating to GCP. Two weeks ago (10/19) the same exact workflow passed successfully. We did not change anything with our GCP IAM user or anything in the workflow. We followed the readme in setting up and I verified that nothing has changed on that user.
Expected behavior
Successful authentication.
Observed behavior
"error": {
  "code": 403,
  "message": "The caller does not have permission",
  "status": "PERMISSION_DENIED"
}
Follow the setup steps in the readme and create a GitHub Action for OAuth 2.0.
Action YAML
steps:
  - id: 'auth'
    name: 'Authenticate to Google Cloud'
    uses: 'google-github-actions/[email protected]'
    with:
      token_format: 'access_token'
      workload_identity_provider: 'projects/########/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
      service_account: 'github-actions@#######.iam.gserviceaccount.com'
Additional information
No, we are in POC phase for deploying to GCP using GitHub actions and using this action is part of it.
I'm not sure if this is an issue with the auth action or with the google terraform provider (or something else), so apologies if this is not the correct place.
When I use the auth action to set up WIF authentication to google cloud so I can run terraform, I get this error immediately as terraform tries to initialize the backend (with state stored in Cloud Storage):
Initializing the backend...
Error: storage.NewClient() failed: dialing: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "external_account"
This should be reproducible with the given GitHub Actions YAML below and any terraform config that uses Cloud Storage as its state backend.
A quick search turned up these issues that also dealt with WIF and experienced this unknown credential type: "external_account" error:
Terraform is able to initialize module directory without error.
Terraform returns error when initializing module directory.
name: 'apply terraform configs'
on:
  push:
    paths:
      - terraform/**
    branches:
      - main
  pull_request:
    paths:
      - terraform/**
env:
  GCP_PROJECT_ID: xxx
  ...snip...
  TF_IN_AUTOMATION: 1
  TF_REGISTRY_CLIENT_TIMEOUT: 60s
jobs:
  terraform:
    name: Terraform
    runs-on: self-hosted # <-- Using https://github.com/actions-runner-controller/actions-runner-controller default image
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      - uses: hashicorp/setup-terraform@v1
        with:
          terraform_version: 0.14.8
      - uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: 'projects/yyy/locations/global/workloadIdentityPools/pool-ci-cd/providers/github-actions'
          service_account: '[email protected]'
      ...snip...
      - name: Terraform Format
        run: ...terraform fmt -check collected modules...
      - name: Terraform Init # <-- Error happens here
        run: ...terraform init collected modules...
      ...snip...
I have WIF setup with the following terraform config I've already applied locally (and this is the same terraform config that the workflow is trying to init):
terraform {
  required_version = ">= 0.14"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.4.0"
    }
  }
  backend "gcs" {
    bucket = "xxx-terraform-state"
    prefix = "envs/prod/iam"
  }
}
provider "google" {
  project = "xxx"
}
provider "google-beta" {
  project = "xxx"
}
resource "google_iam_workload_identity_pool" "ci" {
  provider                  = google-beta
  workload_identity_pool_id = "pool-ci-cd"
  display_name              = "CI/CD"
  description               = "Identity pool for continuous integration service accounts."
  disabled                  = false
}
resource "google_iam_workload_identity_pool_provider" "github_actions" {
  provider                           = google-beta
  workload_identity_pool_id          = google_iam_workload_identity_pool.ci.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-actions"
  display_name                       = "GitHub Actions"
  description                        = "Provider used by GitHub Action workflows."
  disabled                           = false
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.actor"      = "assertion.actor"
    "attribute.repository" = "assertion.repository"
  }
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
resource "google_service_account" "terraform" {
  account_id   = "terraform"
  display_name = "terraform"
  description  = "Used by terraform to apply changes"
}
resource "google_service_account_iam_member" "terraform_sa_workload_identity" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.ci.name}/attribute.repository/xxx/yyy"
}
This issue builds off my comment here: google-github-actions/setup-gcloud#440 (comment)
Thanks!
I can't seem to get the latest version to work, although I set the permissions correctly. 🤔
Expected behavior
Action working fine.
Observed behavior
Errors out with: Error: Action failed with error: Error: $ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set.
Action YAML
name: lint
on: [pull_request]
env:
  TF_LOG: WARN
jobs:
  tflint:
    name: terraform
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
      pull-requests: write
    steps:
      -
        uses: actions/checkout@v2
      -
        name: Authenticate to Google Cloud
        uses: google-github-actions/[email protected]
        with:
          token_format: access_token
          access_token_lifetime: 900s
          workload_identity_provider: projects/1049058775616/locations/global/workloadIdentityPools/main-pool/providers/github
          service_account: [email protected]
          create_credentials_file: true
          activate_credentials_file: true
Use google's usual default path (google_credentials.json) for generated application credentials, or alternatively allow us to specify the path of the credentials file that gets created.
This will help us avoid by default a significant vulnerability that is easy to introduce by mistake: baking credentials into images for all to see.
Let's say I use this action to do a typical thing: build a container and push it to GCR:
name: build_container_and_push_to_gcr
on:
  workflow_dispatch:
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Authenticate with GCP Workload Identity
        id: auth
        uses: google-github-actions/[email protected]
        with:
          create_credentials_file: true
          workload_identity_provider: REDACTED
          service_account: REDACTED
      - name: Setup gcloud
        uses: 'google-github-actions/setup-gcloud@v0'
      - name: Configure Docker to push images to GCP
        run: gcloud auth configure-docker
      - name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          file: Dockerfile
          tags: this-contains:the-account-credentials
      - name: Other stuff
        run: echo "Do testing stuff which might require the credentials file"
The auth step creates a credentials file with a randomised name, like /home/runner/work/me/myrepo/4c33e43f60be11e1a7b5d5f4.
The problem occurs when Dockerfile contains the following extremely common line:
COPY . .
If you're like me, you'll have a .dockerignore file that includes something like:
# NEVER bake in environment variables or credentials
.env
.env*
google_credentials.json
But, because in this case the credentials file name cannot be known a priori, the .dockerignore can't be configured not to copy it in.
--update-dockerignore option, true by default, that creates or updates a .dockerignore file with the credentials file name.
As one possible workaround, I'd have to introduce a step something like
- name: Prevent secret from getting into container
  # WARNING UNTESTED!!!
  # The shell cannot apply ${var##*/} to a literal path, so take the basename explicitly.
  run: touch .dockerignore && echo "$(basename "${{ steps.auth.outputs.credentials_file_path }}")" >> .dockerignore
- name: Now its safe to build
  #...
I also think it's a bit more intuitive for it to end up in google_credentials.json, the location given in most of google's tutorials on application credentials.
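As an added example (not part of the google-github-actions/auth project or the poster's workflow), a POSIX shell function that performs the workaround sketched above idempotently: it appends the basename of the generated credentials file to .dockerignore, creates the file if it is missing, repairs a missing trailing newline, and never appends the same entry twice. The step id auth and the sample path are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not project code): keep the auth step's credentials file out of
# the Docker build context so that `COPY . .` cannot bake it into an image.
# Workflow usage (assumed step id "auth", as in the post above):
#   sh exclude_creds.sh "${{ steps.auth.outputs.credentials_file_path }}"

exclude_creds_from_context() {
  cred_path="$1"                      # absolute path emitted by the auth step
  ignore_file="${2:-.dockerignore}"   # defaults to the build context root
  [ -n "$cred_path" ] || { echo "credentials path is empty" >&2; return 1; }
  entry=$(basename "$cred_path")

  # Create the file if absent so the build still has an ignore list.
  [ -f "$ignore_file" ] || : > "$ignore_file"

  # If the last byte is not a newline, add one; otherwise the new entry would
  # be glued onto the previous pattern and neither would match.
  if [ -s "$ignore_file" ] && [ "$(tail -c 1 "$ignore_file")" != "" ]; then
    printf '\n' >> "$ignore_file"
  fi

  # Exact whole-line match so repeated runs do not append duplicates.
  if ! grep -qxF -- "$entry" "$ignore_file"; then
    printf '# credentials file generated by google-github-actions/auth\n%s\n' \
      "$entry" >> "$ignore_file"
  fi
  echo "$entry"
}
```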
Hi!
Great idea, and trying to implement this for a private GitHub repository.
However, the action always errors with: Error: $ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set.
My workflow:
name: test
on: [pull_request]
env:
  TERRAFORM_SA: terraform@xxx
jobs:
  test:
    name: terraform
    runs-on: ubuntu-latest
    steps:
      -
        uses: actions/checkout@v2
      -
        uses: hashicorp/setup-terraform@v1
      -
        name: Terraform fmt
        run: terraform fmt -check=true
      -
        name: Authenticate to Google Cloud
        uses: google-github-actions/[email protected]
        with:
          token_format: access_token
          access_token_lifetime: 900s
          workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/xxx
          service_account: ${{ env.TERRAFORM_SA }}
          create_credentials_file: true
          activate_credentials_file: true
      -
        name: Terraform Init
        run: terraform init
      -
        name: Terraform Validate
        run: terraform validate -no-color
      -
        name: Terraform Plan
        run: terraform plan -no-color -lock=false -input=false
      -
        name: Cleanup
        if: always()
        run: rm "${GOOGLE_APPLICATION_CREDENTIALS}" || true
Hey, sorry, this is probably a dumb question, but I've read through the readme and I've copied and pasted each setup step exactly without issue. However, when I try to authenticate I get
Error: Action failed with error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
Am I supposed to set ACTIONS_ID_TOKEN_REQUEST_URL as an Action Secret? If so, where do I get this value in the GCP console?
I'm just trying a really basic example using:
- id: 'auth'
  name: Login to Google Storage
  uses: google-github-actions/[email protected]
  with:
    workload_identity_provider: 'my-provider'
    service_account: ' [email protected]'
- name: Upload to Google Storage
  uses: google-github-actions/[email protected]
  with:
    path: ${{steps.download.outputs.download-path}}/*
    destination: my-bucket/release
Using a long branch name will result in an invalid subject line in the request, resulting in the following error:
google-github-actions/auth failed with: failed to generate Google Cloud federated token for projects/<project>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider: {"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}
NOTE: I edited this to include a simpler log, action.yaml and use the latest version of the plugin.
Should be able to use any valid GitHub ref to trigger a WIF authentication.
WIF request fails and the job cannot proceed.
name: GitHub Bug Report
on: [push]
jobs:
  deploy:
    permissions:
      contents: "read"
      id-token: "write"
    runs-on: ubuntu-20.04
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/[email protected]"
        with:
          token_format: "access_token"
          workload_identity_provider: "projects/<redacted>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider"
          service_account: "<redacted>"
          create_credentials_file: true
2022-02-02T17:54:18.2078222Z Waiting for a runner to pick up this job...
2022-02-02T17:54:18.7663541Z Job is waiting for a hosted runner to come online.
2022-02-02T17:54:21.5957954Z Job is about to start running on the hosted runner: GitHub Actions 5 (hosted)
2022-02-02T17:54:25.0873159Z Current runner version: '2.287.1'
2022-02-02T17:54:25.0900688Z ##[group]Operating System
2022-02-02T17:54:25.0901172Z Ubuntu
2022-02-02T17:54:25.0901445Z 20.04.3
2022-02-02T17:54:25.0901649Z LTS
2022-02-02T17:54:25.0901987Z ##[endgroup]
2022-02-02T17:54:25.0902248Z ##[group]Virtual Environment
2022-02-02T17:54:25.0902601Z Environment: ubuntu-20.04
2022-02-02T17:54:25.0902910Z Version: 20220123.1
2022-02-02T17:54:25.0903350Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220123.1/images/linux/Ubuntu2004-Readme.md
2022-02-02T17:54:25.0903995Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220123.1
2022-02-02T17:54:25.0904367Z ##[endgroup]
2022-02-02T17:54:25.0904702Z ##[group]Virtual Environment Provisioner
2022-02-02T17:54:25.0905032Z 1.0.0.0-main-20220128-1
2022-02-02T17:54:25.0905274Z ##[endgroup]
2022-02-02T17:54:25.0905851Z ##[group]GITHUB_TOKEN Permissions
2022-02-02T17:54:25.0906337Z Contents: read
2022-02-02T17:54:25.0906759Z Metadata: read
2022-02-02T17:54:25.0907050Z ##[endgroup]
2022-02-02T17:54:25.0910740Z Secret source: Actions
2022-02-02T17:54:25.0911161Z Prepare workflow directory
2022-02-02T17:54:25.1782465Z Prepare all required actions
2022-02-02T17:54:25.1970927Z Getting action download info
2022-02-02T17:54:25.4323218Z Download action repository 'actions/checkout@v2' (SHA:ec3a7ce113134d7a93b817d10a8272cb61118579)
2022-02-02T17:54:26.4517066Z Download action repository 'google-github-actions/[email protected]' (SHA:7a360a247cce1245c1d13bc63d8b2ac927d201c8)
2022-02-02T17:54:27.3492832Z ##[group]Run actions/checkout@v2
2022-02-02T17:54:27.3493132Z with:
2022-02-02T17:54:27.3493489Z fetch-depth: 0
2022-02-02T17:54:27.3493742Z repository: <redacted>
2022-02-02T17:54:27.3494292Z token: ***
2022-02-02T17:54:27.3494513Z ssh-strict: true
2022-02-02T17:54:27.3494800Z persist-credentials: true
2022-02-02T17:54:27.3495125Z clean: true
2022-02-02T17:54:27.3495324Z lfs: false
2022-02-02T17:54:27.3495569Z submodules: false
2022-02-02T17:54:27.3495797Z ##[endgroup]
2022-02-02T17:54:27.6004388Z Syncing repository: <redacted>
2022-02-02T17:54:27.6006214Z ##[group]Getting Git version info
2022-02-02T17:54:27.6006874Z Working directory is '/home/runner/work/<redacted>'
2022-02-02T17:54:27.6007493Z [command]/usr/bin/git version
2022-02-02T17:54:27.6098663Z git version 2.34.1
2022-02-02T17:54:27.6119945Z ##[endgroup]
2022-02-02T17:54:27.6127428Z Deleting the contents of '/home/runner/work/<redacted>'
2022-02-02T17:54:27.6133584Z ##[group]Initializing the repository
2022-02-02T17:54:27.6138821Z [command]/usr/bin/git init /home/runner/work/<redacted>
2022-02-02T17:54:27.6215448Z Initialized empty Git repository in /home/runner/work/<redacted>/.git/
2022-02-02T17:54:27.6227577Z [command]/usr/bin/git remote add origin https://github.com/<redacted>
2022-02-02T17:54:27.6268913Z ##[endgroup]
2022-02-02T17:54:27.6269790Z ##[group]Disabling automatic garbage collection
2022-02-02T17:54:27.6272699Z [command]/usr/bin/git config --local gc.auto 0
2022-02-02T17:54:27.6305351Z ##[endgroup]
2022-02-02T17:54:27.6324625Z ##[group]Setting up auth
2022-02-02T17:54:27.6326311Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-02-02T17:54:27.6351475Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-02-02T17:54:27.6701367Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-02-02T17:54:27.6763482Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-02-02T17:54:27.6984237Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2022-02-02T17:54:27.7029115Z ##[endgroup]
2022-02-02T17:54:27.7030556Z ##[group]Fetching the repository
2022-02-02T17:54:27.7038145Z [command]/usr/bin/git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*
2022-02-02T17:54:28.4684959Z remote: Enumerating objects: 4616, done.
2022-02-02T17:54:28.4685597Z remote: Counting objects: 0% (1/643)
<simplified>
2022-02-02T17:54:32.6721590Z Resolving deltas: 100% (3018/3018), done.
2022-02-02T17:54:32.6961896Z From https://github.com/<redacted>
2022-02-02T17:54:32.6965024Z * [new branch] oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard -> origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.6993315Z [command]/usr/bin/git branch --list --remote origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7021679Z origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7031406Z [command]/usr/bin/git rev-parse refs/remotes/origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7056803Z c3ffd0ff38303a6295ebd6e14d880fdea1d89dc3
2022-02-02T17:54:32.7062236Z ##[endgroup]
2022-02-02T17:54:32.7062870Z ##[group]Determining the checkout info
2022-02-02T17:54:32.7066351Z ##[endgroup]
2022-02-02T17:54:32.7067959Z ##[group]Checking out the ref
2022-02-02T17:54:32.7074346Z [command]/usr/bin/git checkout --progress --force -B oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard refs/remotes/origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7305267Z Switched to a new branch 'oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard'
2022-02-02T17:54:32.7306709Z Branch 'oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard' set up to track remote branch 'oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard' from 'origin'.
2022-02-02T17:54:32.7324554Z ##[endgroup]
2022-02-02T17:54:32.7352521Z [command]/usr/bin/git log -1 --format='%H'
2022-02-02T17:54:32.7380757Z 'c3ffd0ff38303a6295ebd6e14d880fdea1d89dc3'
2022-02-02T17:54:32.7581584Z ##[group]Run google-github-actions/[email protected]
2022-02-02T17:54:32.7581916Z with:
2022-02-02T17:54:32.7582104Z token_format: access_token
2022-02-02T17:54:32.7582485Z workload_identity_provider: projects/<redacted>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider
2022-02-02T17:54:32.7582941Z service_account: <redacted>
2022-02-02T17:54:32.7583257Z create_credentials_file: true
2022-02-02T17:54:32.7583466Z cleanup_credentials: true
2022-02-02T17:54:32.7583686Z access_token_lifetime: 3600s
2022-02-02T17:54:32.7583982Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-02-02T17:54:32.7584258Z id_token_include_email: false
2022-02-02T17:54:32.7584454Z ##[endgroup]
2022-02-02T17:54:34.6517813Z Created credentials file at "/home/runner/work/<redacted>"
2022-02-02T17:54:34.6518355Z
2022-02-02T17:54:34.6545833Z
2022-02-02T17:54:34.7859492Z ##[error]google-github-actions/auth failed with: failed to generate Google Cloud federated token for projects/<redacted>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider: {"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}
2022-02-02T17:54:34.7929396Z Post job cleanup.
2022-02-02T17:54:34.8544512Z Removed exported credentials at "/home/runner/work/<redacted>".
2022-02-02T17:54:34.8635780Z Post job cleanup.
2022-02-02T17:54:34.9804895Z [command]/usr/bin/git version
2022-02-02T17:54:34.9847194Z git version 2.34.1
2022-02-02T17:54:34.9879976Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-02-02T17:54:34.9914118Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-02-02T17:54:35.0139163Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-02-02T17:54:35.0164965Z http.https://github.com/.extraheader
2022-02-02T17:54:35.0175788Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2022-02-02T17:54:35.0208839Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-02-02T17:54:35.0592499Z Cleaning up orphan processes
I can upgrade to v0.5.0 and try again, but the changelog did not appear to have anything that would adjust this behavior. Please let me know if you'd like me to do that and report back.
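An added example, not from the project or the issue author: a shell pre-flight check that builds the GitHub OIDC sub claim for a push (repo:<owner>/<repo>:ref:<ref>, GitHub's documented layout) and compares its byte length with the 127-byte google.subject limit that Workload Identity Federation enforces when the provider maps google.subject straight from assertion.sub, as in the issue above. The repository name is a constructed placeholder; the long branch name is the one from the log.

```shell
#!/bin/sh
# Added example (not project code): fail early, with a readable reason, when a
# ref would push the mapped google.subject past the 127-byte WIF limit.
# Assumes the provider mapping google.subject=assertion.sub from the issue.

WIF_SUBJECT_LIMIT=127

# Print the `sub` claim GitHub issues for a push to REF in OWNER/REPO.
# (PR and environment jobs use other layouts; this covers the push case.)
github_push_subject() {
  printf 'repo:%s:ref:%s' "$1" "$2"
}

# Byte length of a string; wc -c pads with spaces on some platforms, and the
# arithmetic expansion strips that padding.
byte_length() {
  echo $(( $(printf '%s' "$1" | wc -c) ))
}

# Return 0 when the mapped subject fits, 1 when WIF would reject the token.
# Prints "<length> <subject>" so the workflow log shows why a ref failed.
wif_subject_ok() {
  subject=$(github_push_subject "$1" "$2")
  len=$(byte_length "$subject")
  printf '%s %s\n' "$len" "$subject"
  [ "$len" -le "$WIF_SUBJECT_LIMIT" ]
}

# Stand-alone use inside a workflow step:
#   wif_subject_ok "$GITHUB_REPOSITORY" "$GITHUB_REF" || exit 1
```

Where a repository needs long branch names, the remedy is on the provider side (map google.subject from a shorter attribute), which this check only reports on.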
Testing new issue templates
thing: foo
bar: banana
Getting 403s trying to experiment with OIDC-based workload identities
Action runs successfully, prints list of images, all is merry.
I get a 403 executing this action:
Error: google-github-actions/auth failed with: Error: Failed to generate Google Cloud access token for [email protected]: {
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I created a gist here: https://gist.github.com/mattmoor/04a46b31024322b4a95e49cd15a18ccd
The script creates everything and is based on this (thanks to Justin Beckwith): https://github.com/GoogleCloudPlatform/nodejs-docs-samples/blob/main/buildsetup.sh
The other half is the yaml you seek.
There was already some back-and-forth with @sethvargo on twitter here: https://twitter.com/sethvargo/status/1468785218777665539
Even though there is only one credential I am using for the workflow, I am getting the following error:
The GitHub Action workflow must specify exactly one of "workload_identity_provider" or "credentials_json"!
The workflow should work as per my understanding
name: Build and Deploy to Cloud Run
# Defining Triggers.
# In our case : any push to the dev_omipar branch
on:
  push:
    branches:
      - dev_omipar
# Defining ENV vars internal to the flow
env:
  PROJECT_ID: datalake-298101
  REGION: us-central1
  DEPLOYMENT_NAME: omipar-dev
  IMAGE: omipar-dev
jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [12.x]
    steps:
      # Checking out code from github repo
      - name: Checkout
        uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: npm install and test
        run: |
          npm install
          npm test > coverage.txt
        env:
          CI: true
      - uses: papeloto/action-zip@v1
        with:
          files: coverage/ index.json
          dest: result.zip
      # Setup gcloud SDK access to cloud resources by referring to github Secrets store
      - uses: google-github-actions/setup-gcloud@master
        with:
          service_account_key: ${{ secrets.gcp_credentials }}
          project_id: ${{ env.PROJECT_ID }}
      # Configure Docker to use the gcloud command-line tool as a helper for authentication
      - run: |-
          gcloud --quiet auth configure-docker
      # upload
      - name: 'Upload assets to GCP bucket, CDN'
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.gcp_credentials }}
      - uses: google-github-actions/[email protected]
        with:
          path: coverage
          destination: omipar-release-test-case-reports
      # Build the Docker image
      - name: Build
        run: |-
          sudo docker build --tag "gcr.io/$PROJECT_ID/$IMAGE:latest" .
      # Push the updated build into the GCR registry
      - uses: mattes/gce-docker-push-action@v1
        with:
          creds: ${{ secrets.gcp_credentials }}
          src: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE}}:latest
          dst: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE}}:latest
      # - name: Send mail
      #   uses: dawidd6/action-send-mail@v3
      #   with:
      #     # Required mail server address:
      #     server_address: smtp.gmail.com
      #     # Required mail server port:
      #     server_port: 465
      #     # Optional (recommended): mail server username:
      #     username: ${{secrets.USERNAME}}
      #     # Optional (recommended) mail server password:
      #     password: ${{secrets.PASSWORD}}
      #     # Required mail subject:
      #     subject: Github Actions job result
      #     # Required recipients' addresses:
      #     to: [email protected]
      #     # Required sender full name (address can be skipped):
      #     from: Mihir Mehta # <[email protected]>
      #     # Optional whether this connection use TLS (default is true if server_port is 465)
      #     secure: true
      #     # Optional plain body:
      #     body: Build job of ${{github.repository}} completed successfully!
      #     # Optional HTML body read from file:
      #     # html_body: file://result.zip
      #     attachments: result.zip
      #     # Optional unsigned/invalid certificates allowance:
      #     ignore_cert: true
      #     # Optional converting Markdown to HTML (set content_type to text/html too):
      #     convert_markdown: true
      - name: Send email through SendGrid
        uses: peter-evans/sendgrid-action@v1
        env:
          SENDGRID_API_KEY: ${{ secrets.SENDGRID_API_KEY }}
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: ${{env.DEPLOYMENT_NAME}}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE}}:latest
          project_id: ${{ env.PROJECT_ID }}
          region: ${{env.REGION}}
          credentials: ${{ secrets.gcp_credentials }}
          flags: --service-account [email protected] --memory 2Gi
Not sure if it is already possible or not, but I'd like to use this to work with pushing to an Artifact Registry private npm repo using the credential helper approach.
After successfully authenticating to Google Cloud, I try to use the credential helper approach to connect to an Artifact Registry private npm repo (https://cloud.google.com/artifact-registry/docs/nodejs/authentication#auth-helper) via the command npx google-artifactregistry-auth, which should be able to work with application default credentials, but it fails with the error:
npx: installed 47 in 3.842s
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run:
`gcloud auth application-default login`, `gcloud auth login`, or
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
at Object.getCreds (/home/runner/.npm/_npx/1612/lib/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
Is it possible to do this if I also set GOOGLE_APPLICATION_CREDENTIALS to some path? Perhaps the credentials_file_path output of auth?
I want to be able to use gsutil within github action using Workload Identity Federation for authentication.
The readme says how to configure gcloud using Workload Identity Federation. However, it specifically outlines that this method won't work for gsutil and doesn't provide an alternative. The google-github-actions/upload-cloud-storage action can be used as a replacement, but its functionality is limited compared to gsutil.
ref.: https://github.com/google-github-actions/auth#configuring-gcloud
Emit a message when credentials are exported, ideally with the exported path. This can help debugging.
How do I use this to obtain a credential that allows normal use of gsutil in subsequent steps?
An example would be appreciated.
README > Examples > Cloud SDK (gcloud) @v0.3.1 fails if working-directory is modified:
Workaround:
defaults:
  run:
    working-directory: somewhere
# ...
jobs:
  job_id:
    steps:
      # ...
      - run: gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        working-directory: . # Add this line. Use the default working-directory
I'm wondering why this happens even though steps.auth.outputs.credentials_file_path returns an absolute path... 🤔
Expected behavior
This is not a bug of this repository. Worth mention in README?
Observed behavior
Action YAML
defaults:
  run:
    working-directory: somewhere
jobs:
  job_id:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: 'google-github-actions/setup-gcloud@master'
        with:
          project_id: my-project-id
      - uses: google-github-actions/[email protected]
        id: auth
        with:
          create_credentials_file: 'true'
          workload_identity_provider: projects/1234567890/locations/global/workloadIdentityPools/pool-id/providers/provider-id
          service_account: [email protected]
      - run: gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
Additional information
I think this is not a bug. I'm just writing this issue to save someone's time in the future.
Based on the documentation's example, if I create a Workload Identity Pool Provider using:
gcloud iam workload-identity-pools providers create-oidc "my-provider" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="my-pool" \
--display-name="Demo provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.git_branch=assertion.ref,attribute.repository=assertion.repository" \
--issuer-uri="https://token.actions.githubusercontent.com"
What would be the value of <cond> in the following expression to validate that the request was triggered from the GitHub repository's master branch (contained in the token's "ref" attribute)?
gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/username/repo" \
--condition="expression=<cond>"
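To make concrete what such a branch check would compare against, here is an added Python example (not part of the issue above and not code from the google-github-actions/auth project). It parses the `--attribute-mapping` string from the `create-oidc` command above, applies it to a constructed sample of a GitHub Actions OIDC token payload (the claim names are the ones GitHub issues; the values are made up), and builds the `principalSet://` member strings that result, in the same form as the `--member` value above. The pool resource name, repository and branch are placeholders.

```python
# Added example: simulate a Workload Identity Pool provider's attribute mapping
# on a GitHub Actions OIDC token and derive the principalSet:// members.
# Not part of the google-github-actions/auth project; all sample values are constructed.

# Constructed sample payload of a GitHub Actions OIDC token. The claim names
# (sub, repository, ref, ...) are the ones GitHub issues; the values are made up.
SAMPLE_PUSH_TOKEN = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:username/repo:ref:refs/heads/master",
    "repository": "username/repo",
    "ref": "refs/heads/master",
    "event_name": "push",
}

# The mapping string exactly as passed to --attribute-mapping in the issue above.
MAPPING_FLAG = ("google.subject=assertion.sub,"
                "attribute.git_branch=assertion.ref,"
                "attribute.repository=assertion.repository")

# Placeholder pool resource name (constructed project number and pool ID).
POOL_RESOURCE = "projects/1234567890/locations/global/workloadIdentityPools/my-pool"


def parse_attribute_mapping(flag_value):
    """Turn 'target=assertion.claim,...' into {target: claim}.
    Only plain claim references are handled; CEL expressions are rejected."""
    mapping = {}
    for item in flag_value.split(","):
        target, _, source = item.partition("=")
        if not source.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression: {item!r}")
        mapping[target.strip()] = source[len("assertion."):]
    return mapping


def map_attributes(payload, mapping):
    """Apply the mapping to a token payload, failing loudly on a missing claim."""
    mapped = {}
    for target, claim in mapping.items():
        if claim not in payload:
            raise KeyError(f"token lacks claim {claim!r} required by {target}")
        mapped[target] = payload[claim]
    return mapped


def principal_set_members(pool_resource, mapped):
    """principalSet:// member strings for each mapped custom attribute,
    in the form used by the add-iam-policy-binding command above."""
    base = f"principalSet://iam.googleapis.com/{pool_resource}"
    return {t: f"{base}/{t}/{v}" for t, v in mapped.items() if t.startswith("attribute.")}


def is_push_to_branch(mapped, repository, branch):
    """True when the mapped attributes identify a run on `branch` of `repository`.
    GitHub sets ref to refs/heads/<branch> for pushes and refs/pull/<n>/merge
    for pull requests, so a ref check does not match PR-triggered runs."""
    return (mapped.get("attribute.repository") == repository
            and mapped.get("attribute.git_branch") == f"refs/heads/{branch}")


if __name__ == "__main__":
    mapping = parse_attribute_mapping(MAPPING_FLAG)
    mapped = map_attributes(SAMPLE_PUSH_TOKEN, mapping)
    for key, value in mapped.items():
        print(f"{key} = {value}")
    for key, member in principal_set_members(POOL_RESOURCE, mapped).items():
        print(f"{key}: {member}")
    print("push to master:", is_push_to_branch(mapped, "username/repo", "master"))
```

With this mapping, a push to master arrives with `attribute.git_branch` equal to `refs/heads/master`, while a pull_request run carries `refs/pull/<n>/merge`, so a condition written against the mapped ref excludes PR builds from the binding.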
npm ci
and npm build
and check a git diff as part of CI
When using version 0.3.1 and performing gcloud authentication, the following error is thrown:
ERROR: gcloud crashed (OAuthError): ('Error code invalid_grant: The audience in JWT does not match the expected values.', '{"error":"invalid_grant","error_description":"The audience in JWT does not match the expected values."}')
Expected behavior
gcloud should authenticate without errors
Observed behavior
Using the same exact GitHub action but with version 0.3.0 no errors are thrown.
Action YAML
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/[email protected]'
with:
create_credentials_file: 'true'
workload_identity_provider: 'projects/1234/locations/global/workloadIdentityPools/aaa/providers/bbb'
service_account: '[email protected]'
- id: 'gcloud'
name: 'gcloud'
run: |-
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
export GOOGLE_APPLICATION_CREDENTIALS="${{ steps.auth.outputs.credentials_file_path }}"
gcloud auth configure-docker -q
gcloud auth list
Repository
Private repo
Getting an error when trying to update from 0.3.1 to 0.4.2. I tried adding a token_format: access_token
to the action inputs but the file is not created.
Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/java-trace/java-trace/ba071349bd11a1aa46511d5c': File does not exist.
https://github.com/googleapis/java-trace/runs/4476013621?check_suite_focus=true
The file is created at the file path set in GOOGLE_APPLICATION_CREDENTIALS
No file exists at the path set in GOOGLE_APPLICATION_CREDENTIALS
name: integration
on:
push:
branches:
- main
pull_request:
pull_request_target:
types: [labeled]
jobs:
test:
if: ${{ github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' }}
runs-on: ubuntu-latest
permissions:
contents: 'write'
pull-requests: 'write'
id-token: 'write'
steps:
- uses: 'google-github-actions/[email protected]'
with:
workload_identity_provider: 'projects/1016721519174/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
service_account: '[email protected]'
create_credentials_file: 'true'
access_token_lifetime: 300s
token_format: 'access_token'
- uses: actions/checkout@v2
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
- uses: actions/setup-java@v2
with:
distribution: zulu
java-version: 8
- run: java -version
- run: .kokoro/build.sh
env:
JOB_TYPE: integration
GOOGLE_CLOUD_PROJECT: gcloud-devel
- if: ${{ github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' }}
uses: actions/github-script@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
try {
await github.rest.issues.removeLabel({
name: 'actions:force-run',
owner: 'googleapis',
repo: 'java-trace',
issue_number: context.payload.pull_request.number
});
} catch (e) {
if (!e.message.includes('Label does not exist')) {
throw e;
}
}
- if: ${{ github.event_name == 'schedule'}}
run: |
curl https://github.com/googleapis/repo-automation-bots/releases/download/flakybot-1.1.0/flakybot -o flakybot -s -L
chmod +x ./flakybot
./flakybot --repo googleapis/java-trace --commit_hash ${{github.sha}} --build_url https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}
No response
Auth is not working. Invalid value for "audience"
Working example code
ERROR: gcloud crashed (OAuthError): ('Error code invalid_request: Invalid value for "audience". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats.', '{"error":"invalid_request","error_description":"Invalid value for \\"audience\\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}')
name: GCP OIDC
on:
push:
jobs:
Get_OIDC_ID_token:
runs-on: ubuntu-latest
environment:
name: dev-cluster
permissions:
contents: 'read'
id-token: 'write'
steps:
# Install gcloud, do not specify authentication.
- uses: 'google-github-actions/setup-gcloud@master'
with:
project_id: ${{ secrets.GCP_PROJECT }}
- id: 'auth'
name: 'Authenticate to GCP'
uses: 'google-github-actions/[email protected]'
with:
create_credentials_file: true
#token_format: access_token
workload_identity_provider: ${{ secrets.GCP_OIDC_ID_PROVIDER }}
service_account: ${{ secrets.GCP_OIDC_SA}}
- id: 'gcloud'
name: 'gcloud'
run: |-
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
# Now you can run gcloud commands authenticated as the impersonated service account.
gcloud secrets versions access "latest" --secret "TEST_SECRET"
2021-11-25T14:53:24.4249793Z Found online and idle hosted runner in the current repository's enterprise account that matches the required labels: 'ubuntu-latest'
2021-11-25T14:53:24.4921602Z Waiting for a Hosted runner in the 'enterprise' to pick this job...
2021-11-25T14:53:24.6012107Z Job is waiting for a hosted runner to come online.
2021-11-25T14:53:28.2866434Z Job is about to start running on the hosted runner: GitHub Actions 17 (hosted)
2021-11-25T14:53:32.2336114Z Current runner version: '2.284.0'
2021-11-25T14:53:32.2369044Z ##[group]Operating System
2021-11-25T14:53:32.2370224Z Ubuntu
2021-11-25T14:53:32.2370802Z 20.04.3
2021-11-25T14:53:32.2371363Z LTS
2021-11-25T14:53:32.2371994Z ##[endgroup]
2021-11-25T14:53:32.2372679Z ##[group]Virtual Environment
2021-11-25T14:53:32.2373595Z Environment: ubuntu-20.04
2021-11-25T14:53:32.2374260Z Version: 20211122.1
2021-11-25T14:53:32.2375711Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20211122.1/images/linux/Ubuntu2004-README.md
2021-11-25T14:53:32.2377431Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20211122.1
2021-11-25T14:53:32.2378480Z ##[endgroup]
2021-11-25T14:53:32.2379264Z ##[group]Virtual Environment Provisioner
2021-11-25T14:53:32.2380103Z 1.0.0.0-master-20211123-1
2021-11-25T14:53:32.2380791Z ##[endgroup]
2021-11-25T14:53:32.2382371Z ##[group]GITHUB_TOKEN Permissions
2021-11-25T14:53:32.2383860Z Contents: read
2021-11-25T14:53:32.2384546Z Metadata: read
2021-11-25T14:53:32.2385325Z ##[endgroup]
2021-11-25T14:53:32.2388989Z Prepare workflow directory
2021-11-25T14:53:32.3062100Z Prepare all required actions
2021-11-25T14:53:32.3073335Z Getting action download info
2021-11-25T14:53:32.5454727Z Download action repository 'google-github-actions/setup-gcloud@master' (SHA:b8f95eb7d716bf9a715eafd169162b93f69ed520)
2021-11-25T14:53:34.4862198Z Download action repository 'google-github-actions/[email protected]' (SHA:a61909d048e0be579b6c15b27088d19668493851)
2021-11-25T14:53:34.9136477Z ##[group]Run google-github-actions/setup-gcloud@master
2021-11-25T14:53:34.9137476Z with:
2021-11-25T14:53:34.9138247Z project_id: ***
2021-11-25T14:53:34.9138812Z version: latest
2021-11-25T14:53:34.9139499Z export_default_credentials: false
2021-11-25T14:53:34.9140166Z ##[endgroup]
2021-11-25T14:53:35.9236231Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/ee0bbbc1-8045-4cfb-9e13-77d6069c0a60 -f /home/runner/work/_temp/a40071b6-8738-42d3-ae17-e62ad83ea1ee
2021-11-25T14:53:47.1378275Z Successfully set default project
2021-11-25T14:53:47.1383366Z No credentials provided, skipping authentication
2021-11-25T14:53:47.1638461Z ##[group]Run google-github-actions/[email protected]
2021-11-25T14:53:47.1639147Z with:
2021-11-25T14:53:47.1639665Z create_credentials_file: true
2021-11-25T14:53:47.1641576Z workload_identity_provider: ***
2021-11-25T14:53:47.1642723Z service_account: ***
2021-11-25T14:53:47.1643268Z access_token_lifetime: 3600s
2021-11-25T14:53:47.1644151Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2021-11-25T14:53:47.1645046Z id_token_include_email: false
2021-11-25T14:53:47.1645523Z env:
2021-11-25T14:53:47.1646281Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-11-25T14:53:47.1647064Z ##[endgroup]
2021-11-25T14:53:47.3012596Z
2021-11-25T14:53:47.3054061Z
2021-11-25T14:53:47.3190530Z ##[group]Run gcloud auth login --brief --cred-file="/home/runner/work/_temp/7967505e41544b16b108c538"
2021-11-25T14:53:47.3191684Z gcloud auth login --brief --cred-file="/home/runner/work/_temp/7967505e41544b16b108c538"
2021-11-25T14:53:47.3192366Z
2021-11-25T14:53:47.3193135Z # Now you can run gcloud commands authenticated as the impersonated service account.
2021-11-25T14:53:47.3194147Z gcloud secrets versions access "latest" --secret "TEST_SECRET"
2021-11-25T14:53:47.3244473Z shell: /usr/bin/bash -e {0}
2021-11-25T14:53:47.3244976Z env:
2021-11-25T14:53:47.3245758Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-11-25T14:53:47.3246860Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/7967505e41544b16b108c538
2021-11-25T14:53:47.3247842Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/7967505e41544b16b108c538
2021-11-25T14:53:47.3248745Z CLOUDSDK_PROJECT: ***
2021-11-25T14:53:47.3249388Z CLOUDSDK_CORE_PROJECT: ***
2021-11-25T14:53:47.3249974Z GCP_PROJECT: ***
2021-11-25T14:53:47.3250522Z GCLOUD_PROJECT: ***
2021-11-25T14:53:47.3251326Z GOOGLE_CLOUD_PROJECT: ***
2021-11-25T14:53:47.3251815Z ##[endgroup]
2021-11-25T14:53:48.1078158Z ERROR: gcloud crashed (OAuthError): ('Error code invalid_request: Invalid value for "audience". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats.', '{"error":"invalid_request","error_description":"Invalid value for \\"audience\\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}')
2021-11-25T14:53:48.1082725Z
2021-11-25T14:53:48.1083439Z If you would like to report this issue, please run the following command:
2021-11-25T14:53:48.1086686Z gcloud feedback
2021-11-25T14:53:48.1089104Z
2021-11-25T14:53:48.1089997Z To check gcloud for common problems, please run the following command:
2021-11-25T14:53:48.1093474Z gcloud info --run-diagnostics
2021-11-25T14:53:48.2073244Z ##[error]Process completed with exit code 1.
2021-11-25T14:53:48.2107427Z Cleaning up orphan processes
No response
Hi! Wondering how to use this with terraform (-gcs).
My workflow errors out with:
Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/xxx-terraform-state/o?alt=json&delimiter=%2F&pageToken=&prefix=terraform%2Fstate%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
Workflow:
jobs:
test:
permissions:
contents: read
id-token: 'write'
name: terraform
runs-on: ubuntu-latest
steps:
-
uses: actions/checkout@v2
-
uses: hashicorp/setup-terraform@v1
-
name: Terraform fmt
run: terraform fmt -check=true
-
name: Authenticate to Google Cloud
uses: google-github-actions/[email protected]
with:
access_token_lifetime: 900s
workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/github
service_account: [email protected]
create_credentials_file: true
activate_credentials_file: true
-
name: Terraform Init
run: terraform init
During the beta, the aud
parameter in the GitHub token had to be hardcoded to "sigstore"
. GitHub is rolling out customizable audiences.
We should update the default value for the aud
parameter to the Workload Identity Provider ID (full name). It currently defaults to "sigstore"
in the code. We also need to update the instructions to remove the custom audience parameter.
When trying to use gcloud alpha storage to download from a bucket after running auth with Workload Identity Federation and setup-gcloud I get an authentication error. When running the same command locally with key authentication I do not get the error.
gcloud downloads the file from my bucket
Authentication error
name: Docker Build
on:
push:
branches: [ main, dev/main ]
pull_request:
branches: [ main, dev/main ]
env:
PROJECT_ID: ${{ secrets.GCP_PROJECT }}
GAR_LOCATION: us-central1
REPOSITORY: aemotrics
IMAGE: aemotrics_predict
jobs:
docker-build:
permissions:
id-token: write
contents: read
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v2
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
service_account: ${{ secrets.GCP_SA }}
- name: Set up Cloud SDK
uses: 'google-github-actions/setup-gcloud@v0'
- name: install deps
run: sudo python3 -m pip install google-crc32c --target /opt/hostedtoolcache/gcloud/370.0.0/x64/lib/third_party && sudo python3 -m pip install build && gcloud --quiet auth list
- name: Get Model
run: gcloud --quiet alpha storage cp gs://aemotrics_models/Aemotrics_V3-Nate-2021-12-20_pruned.tar.gz ./microservice
- name: Build Aemotrics Wheel
run: python3 -m build -w && mkdir microservice/wheel && cp dist/* microservice/wheel/
- name: Build the Docker image
run: docker build microservice --tag "$IMAGE:$GITHUB_SHA"
- name: Publish
run: |-
docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"
There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')
when running the same command on my local machine from the same service account with key authentication I do not get the error.
When Dependabot triggers a workflow that has the auth
action, it receives the following error and fails:
Error: Action failed with error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
When an authenticated user re-runs the workflow, the auth action is successful.
permissions in the workflow:
permissions:
contents: 'read'
id-token: 'write'
Auth action should be able to find the env var and succeed
Auth action is failing.
# Configure Authenticate to Google Cloud using OIDC and generate an access token.
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/[email protected]'
with:
create_credentials_file: true
activate_credentials_file: true
workload_identity_provider: redacted
service_account: redacted
NOTE: I am aware this is likely a problem with Dependabot that requires a change on their end to resolve the issue, or is a permissions issue that I need to fix in the auth yaml. I would greatly appreciate any help in pointing me in the right direction to resolving this, even though I am fairly certain this isn't a bug in the auth action. Thank you in advance for any help in resolving this.
My goal is to be able to authenticate from a shared workflow repository so that any reusable workflow hosted in a particular repository is allowed to authenticate. It currently fails when the principalSet is set to:
iam.googleapis.com/projects/xxxxxxxx/locations/global/workloadIdentityPools/<POOL>/attribute.job_workflow_ref/<GITHUB_ORG>/<GITHUB_REPO>
Authenticate when called by any reusable workflow within shared workflow repository.
ERROR: (gcloud.services.list) There was a problem refreshing your current auth tokens:
('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
')
name: List services in GCP
on:
workflow_call:
permissions:
id-token: write
jobs:
Get_OIDC_ID_token:
runs-on: ubuntu-latest
steps:
- id: 'auth'
name: 'Authenticate to GCP'
uses: 'google-github-actions/[email protected]'
with:
create_credentials_file: 'true'
workload_identity_provider: <REMOVED>
service_account: '<REMOVED>'
- id: 'gcloud'
name: 'gcloud'
run: |-
cat ${{ steps.auth.outputs.credentials_file_path }}
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
gcloud services list --project <Google_PROJECT>
## Set up job
2022-01-22T21:49:41.8074216Z Current runner version: '2.286.1'
2022-01-22T21:49:41.8102347Z ##[group]Operating System
2022-01-22T21:49:41.8102924Z Ubuntu
2022-01-22T21:49:41.8103144Z 20.04.3
2022-01-22T21:49:41.8103400Z LTS
2022-01-22T21:49:41.8103612Z ##[endgroup]
2022-01-22T21:49:41.8103900Z ##[group]Virtual Environment
2022-01-22T21:49:41.8104232Z Environment: ubuntu-20.04
2022-01-22T21:49:41.8104527Z Version: 20220111.1
2022-01-22T21:49:41.8104938Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220111.1/images/linux/Ubuntu2004-Readme.md
2022-01-22T21:49:41.8105502Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220111.1
2022-01-22T21:49:41.8105897Z ##[endgroup]
2022-01-22T21:49:41.8106202Z ##[group]Virtual Environment Provisioner
2022-01-22T21:49:41.8106973Z 1.0.0.0-main-20211214-1
2022-01-22T21:49:41.8107258Z ##[endgroup]
2022-01-22T21:49:41.8107817Z ##[group]GITHUB_TOKEN Permissions
2022-01-22T21:49:41.8108380Z Metadata: read
2022-01-22T21:49:41.8112622Z Secret source: Actions
2022-01-22T21:49:41.8113149Z Prepare workflow directory
2022-01-22T21:49:41.9111972Z Prepare all required actions
2022-01-22T21:49:41.9334113Z Getting action download info
2022-01-22T21:49:42.4022216Z Download action repository 'google-github-actions/[email protected]' (SHA:c6c22902f6af237edb96ede5f25a00e864589b2f)
## Authenticate to GCP
2022-01-22T21:49:42.9917432Z ##[group]Run google-github-actions/[email protected]
2022-01-22T21:49:42.9918158Z with:
2022-01-22T21:49:42.9918499Z create_credentials_file: true
2022-01-22T21:49:42.9919176Z workload_identity_provider: <REDACTED>
2022-01-22T21:49:42.9920142Z service_account: <REDACTED>
2022-01-22T21:49:42.9920660Z cleanup_credentials: true
2022-01-22T21:49:42.9921013Z access_token_lifetime: 3600s
2022-01-22T21:49:42.9921464Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-01-22T21:49:42.9922237Z id_token_include_email: false
2022-01-22T21:49:42.9922608Z ##[endgroup]
2022-01-22T21:49:43.2962882Z Created credentials file at "/home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8"
2022-01-22T21:49:43.2964133Z
2022-01-22T21:49:43.2994907Z
## GCloud
2022-01-22T21:49:43.3248303Z ##[group]Run cat /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3248948Z cat /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3249466Z gcloud auth login --brief --cred-file="/home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8"
2022-01-22T21:49:43.3249902Z gcloud services list --project <REDACTED>
2022-01-22T21:49:43.3300934Z shell: /usr/bin/bash -e {0}
2022-01-22T21:49:43.3301480Z env:
2022-01-22T21:49:43.3301835Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3302497Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3303065Z GOOGLE_GHA_CREDS_PATH: /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3303488Z CLOUDSDK_PROJECT: <REDACTED>
2022-01-22T21:49:43.3303780Z CLOUDSDK_CORE_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304030Z GCP_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304351Z GCLOUD_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304632Z GOOGLE_CLOUD_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304890Z ##[endgroup]
2022-01-22T21:49:49.4272933Z ERROR: (gcloud.services.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')
2022-01-22T21:49:49.4276954Z Please run:
2022-01-22T21:49:49.4277468Z
2022-01-22T21:49:49.4277686Z $ gcloud auth login
2022-01-22T21:49:49.4277847Z
2022-01-22T21:49:49.4278113Z to obtain new credentials.
2022-01-22T21:49:49.4278283Z
2022-01-22T21:49:49.4278522Z If you have already logged in with a different account:
2022-01-22T21:49:49.4278738Z
2022-01-22T21:49:49.4279219Z $ gcloud config set account ACCOUNT
2022-01-22T21:49:49.4279393Z
2022-01-22T21:49:49.4279620Z to select an already authenticated account to use.
2022-01-22T21:49:49.5226463Z {"type":"external_account","audience":"//iam.googleapis.com/projects/<REDACTED>/locations/global/workloadIdentityPools/github-pool/providers/github-provider","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","token_url":"https://sts.googleapis.com/v1/token","service_account_impersonation_url":"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<REDACTED>-automation@<REDACTED>.iam.gserviceaccount.com:generateAccessToken","credential_source":{"url":"<REDACTED>","headers":{"Authorization":"***"},"format":{"type":"json","subject_token_field_name":"value"}}}
2022-01-22T21:49:49.5240948Z ##[error]Process completed with exit code 1.
No response
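Both the "Invalid value for audience" crash reported earlier on this page and the PERMISSION_DENIED run above hinge on the `external_account` credential file the action writes when `create_credentials_file` is set, whose `audience` is `//iam.googleapis.com/` followed by the full resource name of the provider. The following is an added Python example, not the action's own code: it checks a `workload_identity_provider` value against the resource-name shape the action expects, validates a constructed credential file with the same fields as the one printed in the log above, and returns a summary that is safe to log. The `Authorization` header under `credential_source` (masked as `***` in the log above) is a bearer token for the runner's ID-token endpoint, which is why a plain `cat` of the file in a workflow step is worth avoiding. Every sample value (project number, pool, provider, service account, token) is constructed.

```python
# Added example: validate the workload_identity_provider input and the
# external_account credential file it produces, and log only safe fields.
# Not the google-github-actions/auth project's code; all sample values are constructed.
import json
import re

# Resource-name shape the action expects for workload_identity_provider
# (a project NUMBER, the global location, then pool and provider IDs).
PROVIDER_RE = re.compile(
    r"^projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[a-z0-9-]+)/providers/(?P<provider>[a-z0-9-]+)$"
)
AUDIENCE_PREFIX = "//iam.googleapis.com/"

# Constructed credential file with the same fields as the one the action writes.
SAMPLE_CREDENTIAL_FILE = json.dumps({
    "type": "external_account",
    "audience": AUDIENCE_PREFIX + "projects/1234567890/locations/global/"
                "workloadIdentityPools/github-pool/providers/github-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
                "serviceAccounts/ci-automation@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {
        "url": "https://example.invalid/actions-id-token-request",
        "headers": {"Authorization": "Bearer CONSTRUCTED-REQUEST-TOKEN"},
        "format": {"type": "json", "subject_token_field_name": "value"},
    },
})


def check_provider_name(name):
    """Return the problems found with a workload_identity_provider value ([] means it looks right)."""
    problems = []
    if name.startswith(AUDIENCE_PREFIX):
        problems.append("remove the '//iam.googleapis.com/' prefix; the action adds it when writing the audience")
    elif name.startswith("http"):
        problems.append("value is a URL, but a resource name starting with 'projects/' is required")
    elif PROVIDER_RE.match(name) is None:
        problems.append("expected projects/<NUMBER>/locations/global/workloadIdentityPools/<pool>/providers/<provider>")
    return problems


def check_credential_file(text):
    """Check an external_account credential file for the fields the STS exchange
    and the service-account impersonation step rely on."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if cfg.get("type") != "external_account":
        problems.append("type must be 'external_account'")
    audience = cfg.get("audience", "")
    if not audience.startswith(AUDIENCE_PREFIX):
        problems.append(f"audience must start with {AUDIENCE_PREFIX!r}")
    else:
        problems += ["audience: " + p for p in check_provider_name(audience[len(AUDIENCE_PREFIX):])]
    if cfg.get("subject_token_type") != "urn:ietf:params:oauth:token-type:jwt":
        problems.append("subject_token_type must be urn:ietf:params:oauth:token-type:jwt")
    if cfg.get("token_url") != "https://sts.googleapis.com/v1/token":
        problems.append("token_url must be https://sts.googleapis.com/v1/token")
    source = cfg.get("credential_source") or {}
    if not source.get("url") or "Authorization" not in (source.get("headers") or {}):
        problems.append("credential_source needs the runner's ID-token URL and its Authorization header")
    return problems


def safe_summary(text):
    """Fields that can go into a CI log. The Authorization header under
    credential_source is a bearer token and is deliberately left out."""
    cfg = json.loads(text)
    return {k: cfg.get(k) for k in ("type", "audience", "service_account_impersonation_url")}


if __name__ == "__main__":
    print("provider name problems:", check_provider_name(
        "projects/1234567890/locations/global/workloadIdentityPools/github-pool/providers/github-provider"))
    print("credential file problems:", check_credential_file(SAMPLE_CREDENTIAL_FILE))
    print("safe to log:", safe_summary(SAMPLE_CREDENTIAL_FILE))
```

Running `check_credential_file` on the action's `credentials_file_path` output before calling gcloud, and printing only `safe_summary`, gives the debugging signal that the `cat` in the workflow above was after without putting the request token into the job log.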
Right now we emit:
Error: google-github-actions/auth failed with: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
We should catch the failure and emit something similar to what we do via secrets today, to hint to the user to set the permissions
block. We also need to scrub the Error:
prefixes from that message if possible.
No response
No response
N/A
No response
I'd like to put the credential automatically generated by this action into a different directory from GITHUB_WORKSPACE.
steps:
- name: Authenticate to Google Cloud
uses: google-github-actions/[email protected]
with:
project_id: ${{ inputs.google-cloud-project }}
service_account: ${{ inputs.google-cloud-service-account }}
workload_identity_provider: ${{ inputs.google-cloud-workload-identity-provider }}
working_directory: ${{ env.home }} <-- Possible new parameter to change working directory of the action.
Although the credentials are short-lived, placing them in GITHUB_WORKSPACE
creates some additional opportunities to accidentally expose the credential for a period of time.
I managed to do this accidentally a few days ago. Here's what happened:
zip command. Due to a typo in the zip command, it compressed the entire GITHUB_WORKSPACE directory instead of just the output files I wanted it to collect.
Placing the secrets in a different directory, like HOME, would have avoided this issue. GitHub Actions steps use a default working directory of GITHUB_WORKSPACE, so including the secret in that path makes it more likely that downstream steps will accidentally leak it.
I don't have specific requirements on the exact implementation. An optional parameter for the working directory would be a reasonable option. This would keep backwards compatibility with existing users, while granting flexibility for where the secret is written.
gsutil is not authenticated when using auth action
Not fair to call this a bug, I suspect user error is involved somewhere, but Seth Vargo suggested I post this question here (see tweet)
If someone can explain how to accomplish this I'd be very grateful.
using google-github-actions/auth would provide authentication for gsutil
gcloud is authenticated but gsutil is not.
The provided action yaml contains 2 jobs. Both of them run a gcloud command and a gsutil command. One of them authenticates using the old mechanism using google-github-actions/setup-gcloud, the other authenticates using google-github-actions/auth.
The one that authenticates using google-github-actions/setup-gcloud works
The one that authenticates using google-github-actions/auth fails on the gsutil command with error
Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket
name: demo-auth-issue
on:
push:
workflow_dispatch:
jobs:
auth-using-auth:
runs-on: ubuntu-latest
steps:
- id: auth
uses: google-github-actions/[email protected]
with:
credentials_json: ${{ secrets.SA_JSON_KEY }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v0
- name: Install gcloud alpha
shell: bash
run: |
gcloud components install alpha --quiet
- name: 'Use gcloud CLI'
run: gcloud alpha storage ls gs://dev-dp-braze-payloads
- name: run gsutil
shell: bash
run: |
gsutil du -sh gs://dev-dp-braze-payloads
auth-using-setup-gcloud:
runs-on: ubuntu-latest
steps:
- id: auth
uses: google-github-actions/setup-gcloud@v0
with:
service_account_key: ${{ secrets.SA_JSON_KEY }}
- name: Install gcloud alpha
shell: bash
run: |
gcloud components install alpha --quiet
- name: 'Use gcloud CLI'
run: gcloud alpha storage ls gs://dev-dp-braze-payloads
- name: run gsutil
shell: bash
run: |
gsutil du -sh gs://dev-dp-braze-payloads
2022-02-03T14:05:04.4964520Z Waiting for a runner to pick up this job...
2022-02-03T14:05:05.2490074Z Job is waiting for a hosted runner to come online.
2022-02-03T14:05:11.4659947Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2022-02-03T14:05:14.9432200Z Current runner version: '2.287.1'
2022-02-03T14:05:14.9468079Z ##[group]Operating System
2022-02-03T14:05:14.9468980Z Ubuntu
2022-02-03T14:05:14.9469621Z 20.04.3
2022-02-03T14:05:14.9470116Z LTS
2022-02-03T14:05:14.9470647Z ##[endgroup]
2022-02-03T14:05:14.9471822Z ##[group]Virtual Environment
2022-02-03T14:05:14.9472517Z Environment: ubuntu-20.04
2022-02-03T14:05:14.9473223Z Version: 20220131.1
2022-02-03T14:05:14.9474041Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220131.1/images/linux/Ubuntu2004-Readme.md
2022-02-03T14:05:14.9475054Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220131.1
2022-02-03T14:05:14.9475858Z ##[endgroup]
2022-02-03T14:05:14.9476452Z ##[group]Virtual Environment Provisioner
2022-02-03T14:05:14.9477088Z 1.0.0.0-main-20220128-1
2022-02-03T14:05:14.9477749Z ##[endgroup]
2022-02-03T14:05:14.9479639Z ##[group]GITHUB_TOKEN Permissions
2022-02-03T14:05:14.9480779Z Actions: write
2022-02-03T14:05:14.9481602Z Checks: write
2022-02-03T14:05:14.9482270Z Contents: write
2022-02-03T14:05:14.9482839Z Deployments: write
2022-02-03T14:05:14.9483398Z Discussions: write
2022-02-03T14:05:14.9484094Z Issues: write
2022-02-03T14:05:14.9484640Z Metadata: read
2022-02-03T14:05:14.9485215Z Packages: write
2022-02-03T14:05:14.9485769Z Pages: write
2022-02-03T14:05:14.9486336Z PullRequests: write
2022-02-03T14:05:14.9486997Z RepositoryProjects: write
2022-02-03T14:05:14.9487702Z SecurityEvents: write
2022-02-03T14:05:14.9488255Z Statuses: write
2022-02-03T14:05:14.9488964Z ##[endgroup]
2022-02-03T14:05:14.9493961Z Secret source: Actions
2022-02-03T14:05:14.9494739Z Prepare workflow directory
2022-02-03T14:05:15.0633087Z Prepare all required actions
2022-02-03T14:05:15.0890430Z Getting action download info
2022-02-03T14:05:15.3135922Z Download action repository 'google-github-actions/[email protected]' (SHA:a61909d048e0be579b6c15b27088d19668493851)
2022-02-03T14:05:15.6628847Z Download action repository 'google-github-actions/setup-gcloud@v0' (SHA:e0f83f24f541c30f1e9fe3c966963a10b8e647f5)
2022-02-03T14:05:16.1005374Z ##[group]Run google-github-actions/[email protected]
2022-02-03T14:05:16.1006150Z with:
2022-02-03T14:05:16.1014569Z credentials_json: ***
2022-02-03T14:05:16.1015245Z create_credentials_file: true
2022-02-03T14:05:16.1015907Z access_token_lifetime: 3600s
2022-02-03T14:05:16.1016667Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-02-03T14:05:16.1017393Z id_token_include_email: false
2022-02-03T14:05:16.1017962Z ##[endgroup]
2022-02-03T14:05:16.3316185Z
2022-02-03T14:05:16.3390601Z
2022-02-03T14:05:16.3581713Z ##[group]Run google-github-actions/setup-gcloud@v0
2022-02-03T14:05:16.3582410Z with:
2022-02-03T14:05:16.3582832Z version: latest
2022-02-03T14:05:16.3583325Z export_default_credentials: false
2022-02-03T14:05:16.3583863Z cleanup_credentials: true
2022-02-03T14:05:16.3584334Z env:
2022-02-03T14:05:16.3584928Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:16.3585702Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:16.3586409Z CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3587083Z CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3587742Z GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3588391Z GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3589048Z GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3589625Z ##[endgroup]
2022-02-03T14:05:17.8140059Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/af936b24-50c8-4b0b-8703-126bd1db6dec -f /home/runner/work/_temp/30c3fc13-a60c-4add-81f0-d00f3b894f80
2022-02-03T14:05:28.9180485Z No credentials detected, skipping authentication
2022-02-03T14:05:28.9404651Z ##[group]Run gcloud components install alpha --quiet
2022-02-03T14:05:28.9405309Z gcloud components install alpha --quiet
2022-02-03T14:05:28.9480074Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail ***0***
2022-02-03T14:05:28.9480580Z env:
2022-02-03T14:05:28.9481060Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:28.9481687Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:28.9482385Z CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9482890Z CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9483526Z GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9484144Z GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9484783Z GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9485456Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-02-03T14:05:28.9486093Z ##[endgroup]
2022-02-03T14:05:31.0634545Z
2022-02-03T14:05:31.0640518Z
2022-02-03T14:05:31.0641335Z Your current Cloud SDK version is: 371.0.0
2022-02-03T14:05:31.0642590Z Installing components from version: 371.0.0
2022-02-03T14:05:31.0643537Z
2022-02-03T14:05:31.0673968Z ┌──────────────────────────────────────────────┐
2022-02-03T14:05:31.0676778Z │ These components will be installed. │
2022-02-03T14:05:31.0679265Z ├───────────────────────┬────────────┬─────────┤
2022-02-03T14:05:31.0681438Z │ Name │ Version │ Size │
2022-02-03T14:05:31.0683297Z ├───────────────────────┼────────────┼─────────┤
2022-02-03T14:05:31.0695992Z │ gcloud Alpha Commands │ 2022.01.28 │ < 1 MiB │
2022-02-03T14:05:31.0697590Z └───────────────────────┴────────────┴─────────┘
2022-02-03T14:05:31.0698543Z
2022-02-03T14:05:31.3006678Z For the latest full release notes, please visit:
2022-02-03T14:05:31.3007686Z https://cloud.google.com/sdk/release_notes
2022-02-03T14:05:31.3008207Z
2022-02-03T14:05:31.3071781Z ╔════════════════════════════════════════════════════════════╗
2022-02-03T14:05:31.3073227Z ╠═ Creating update staging area ═╣
2022-02-03T14:05:34.9390965Z ╚════════════════════════════════════════════════════════════╝
2022-02-03T14:05:35.2212766Z ╔════════════════════════════════════════════════════════════╗
2022-02-03T14:05:35.2213854Z ╠═ Installing: gcloud Alpha Commands ═╣
2022-02-03T14:05:35.3278311Z ╚════════════════════════════════════════════════════════════╝
2022-02-03T14:05:35.3422977Z ╔════════════════════════════════════════════════════════════╗
2022-02-03T14:05:35.3424293Z ╠═ Creating backup and activating new installation ═╣
2022-02-03T14:05:35.3425456Z ╚════════════════════════════════════════════════════════════╝
2022-02-03T14:05:35.3446821Z
2022-02-03T14:05:55.1362650Z Performing post processing steps...
2022-02-03T14:05:55.1363493Z ..............................................................................done.
2022-02-03T14:05:55.1453454Z
2022-02-03T14:05:55.1453764Z Update done!
2022-02-03T14:05:55.1454027Z
2022-02-03T14:05:55.1454305Z WARNING: There are other instances of Google Cloud tools on your system PATH.
2022-02-03T14:05:55.1455113Z Please remove the following to avoid confusion or accidental invocation:
2022-02-03T14:05:55.1455436Z
2022-02-03T14:05:55.1455932Z /usr/lib/google-cloud-sdk/bin/gsutil
2022-02-03T14:05:55.1456436Z /usr/lib/google-cloud-sdk/bin/anthoscli
2022-02-03T14:05:55.1457009Z /usr/lib/google-cloud-sdk/bin/docker-credential-gcloud
2022-02-03T14:05:55.1457537Z /usr/lib/google-cloud-sdk/bin/bq
2022-02-03T14:05:55.1458080Z /usr/lib/google-cloud-sdk/bin/git-credential-gcloud.sh
2022-02-03T14:05:55.1458610Z /usr/lib/google-cloud-sdk/bin/gcloud
2022-02-03T14:05:55.1458850Z
2022-02-03T14:05:55.1458971Z
2022-02-03T14:05:55.2692841Z ##[group]Run gcloud alpha storage ls gs://dev-dp-braze-payloads
2022-02-03T14:05:55.2693490Z gcloud alpha storage ls gs://dev-dp-braze-payloads
2022-02-03T14:05:55.2758198Z shell: /usr/bin/bash -e ***0***
2022-02-03T14:05:55.2758748Z env:
2022-02-03T14:05:55.2759189Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:55.2759765Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:55.2760444Z CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2761131Z CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2761966Z GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2762446Z GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2762940Z GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2763452Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-02-03T14:05:55.2763940Z ##[endgroup]
2022-02-03T14:05:56.5288652Z ##[group]Run gsutil du -sh gs://dev-dp-braze-payloads
2022-02-03T14:05:56.5289243Z gsutil du -sh gs://dev-dp-braze-payloads
2022-02-03T14:05:56.5352449Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail ***0***
2022-02-03T14:05:56.5353402Z env:
2022-02-03T14:05:56.5354381Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:56.5355039Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:56.5355640Z CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5356273Z CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5356773Z GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5357259Z GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5357791Z GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5358321Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-02-03T14:05:56.5359030Z ##[endgroup]
2022-02-03T14:05:58.1419737Z ServiceException: 401 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.
2022-02-03T14:05:58.3202905Z ##[error]Process completed with exit code 1.
2022-02-03T14:05:58.3269960Z Post job cleanup.
2022-02-03T14:05:58.3798496Z Skipping credential cleanup - "export_default_credentials" is false.
2022-02-03T14:05:58.4028518Z Cleaning up orphan processes
don't think so.
Unexpected result when trying to authenticate GCP service account using google-github-actions/auth@v0 module.
It should successfully authenticate the service account.
Got this error instead "google-github-actions/auth failed with: failed to parse service account key JSON credentials: unexpected token H in JSON at position 0"
```yaml
name: CI/CD to Google Cloud Run
on:
  push:
    branches:
      - main
env:
  CLOUD_RUN_REGION: asia-southeast2
  GCP_PROJECT_ID: ${{secrets.GCP_PROJECT_ID}}
  SERVICE_ACCOUNT_JSON: ${{secrets.SERVICE_ACCOUNT_JSON}}
jobs:
  main:
    name: Continuous Deployment to Google Cloud Run
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v2
      - id: auth
        name: Authenticate service account
        uses: google-github-actions/auth@v0
        with:
          credentials_json: $SERVICE_ACCOUNT_JSON
      - id: gcloud
        name: Setup Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
        with:
          project_id: $GCP_PROJECT_ID
      - id: deploy
        name: Deploy API to Google Cloud Run
        run: gcloud builds submit -f deployments/cloudbuild.staging.yaml
```
I just copy-pasted the whole generated service account key JSON into GitHub secrets and still got the error. Any solution for this?
Thanks.
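The credentials_json parse failures in this thread all stem from what the action actually receives as its input. The action accepts the service account key either as raw JSON or as base64-encoded JSON, and a `with:` input is never shell-expanded, so a value written as $NAME reaches the action as that literal string. The following is an added example, not code from the auth action or from the reporter: a POSIX shell function that classifies the value destined for credentials_json without ever printing it, so a step placed before the auth step can fail with a clear reason. SAMPLE_KEY is a constructed fake; nothing in it is a real credential.

```shell
#!/bin/sh
# Added example: not code from the auth action or from this issue.
# Classifies the value that will be passed to `credentials_json` without ever
# printing it, so a workflow step can fail early with a useful reason instead
# of a JSON parse error from the action. Exit codes:
#   0  usable; prints "raw-json" or "base64-json" on stdout
#   2  literal "$NAME": GitHub does not shell-expand `with:` inputs
#   3  empty value (secret unset, or referenced under the wrong name)
#   4  neither JSON nor base64-encoded JSON
#   5  JSON, but not a service account key (required fields missing)
check_sa_key() {
    value=$1
    if [ -z "$value" ]; then
        echo "empty value" >&2
        return 3
    fi
    case "$value" in
        '$'*)
            echo "literal variable name; reference the secret as \${{ secrets.NAME }}" >&2
            return 2 ;;
    esac
    # Whitespace is stripped so a key pasted with line breaks still parses;
    # only the presence of fields is checked, so this does not affect the result.
    compact=$(printf '%s' "$value" | tr -d ' \n\r\t')
    case "$compact" in
        '{'*)
            json=$compact
            encoding=raw-json ;;
        *)
            # A failed decode leaves partial bytes that will not start with "{".
            json=$(printf '%s' "$compact" | base64 -d 2>/dev/null | tr -d ' \n\r\t\000')
            encoding=base64-json ;;
    esac
    case "$json" in
        '{'*) ;;
        *)
            echo "value is neither JSON nor base64-encoded JSON" >&2
            return 4 ;;
    esac
    for field in '"type":"service_account"' '"client_email"' '"private_key"'; do
        if ! printf '%s' "$json" | grep -q -F "$field"; then
            echo "not a service account key: $field missing" >&2
            return 5
        fi
    done
    echo "$encoding"
}

# Constructed fake key for the demonstration; nothing in it is a real credential.
SAMPLE_KEY='{"type": "service_account", "project_id": "example-project",
  "client_email": "ci@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n-----END PRIVATE KEY-----\n"}'

check_sa_key "$SAMPLE_KEY"                             # prints raw-json
check_sa_key "$(printf '%s' "$SAMPLE_KEY" | base64)"   # prints base64-json
```

In a workflow, hand the secret to the function through an env entry (env: KEY: ${{ secrets.NAME }}, then run: check_sa_key "$KEY") rather than interpolating it into the command line, so it never appears in the step's echoed command or in process listings; the function itself only ever writes the classification to stdout and a short reason to stderr.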
This section seems not to be working, as ${{ steps.auth.outputs.access_token }} = "":
```yaml
- name: Access secret
  run: |-
    curl https://secretmanager.googleapis.com/v1/projects/662974556749/secrets/tester-secret \
      --header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"
```
The header --header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}" should insert the access token from the previous step, but results in this output in the logs:
```
Run curl https://secretmanager.googleapis.com/v1/projects/***/secrets/*** \
  curl https://secretmanager.googleapis.com/v1/projects/***/secrets/***\ --header "Authorization: Bearer "
```
```yaml
name: Test Yaml File
on:
  push:
    branches:
      - staging
jobs:
  test:
    name: Test gcloud Auth
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Github Action Manager
        uses: actions/checkout@v2
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: projects/***/locations/global/workloadIdentityPools/***/providers/***
          service_account: ***@***.iam.gserviceaccount.com
      # Example of using the token:
      - name: Access secret
        run: |-
          curl https://secretmanager.googleapis.com/v1/projects/***/secrets/*** \
            --header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"
```
No response
Currently the ref token attribute seems to be used to indicate on which branch a change was made in the case of a commit (ex. "ref": "refs/heads/develop"), and to get the name of the tag when a tag is pushed (ex. "ref": "refs/tags/my-tag").
So in the case of a tag, it's currently not possible to know on which branch it was pushed. On the Workload Identity Pool Provider side, we would like to be able to validate that a tag was pushed on a repository's master branch in order to grant auth access on the received token.
Otherwise anybody could create a feature branch modifying a GitHub Action CI/CD deployment, for example, and pushing a tag on their feature branch would allow them to actually execute the modified pipeline.
This lack of functionality is currently a blocker for us to be able to grant token access on newly created tags.
We can scope workload identity for a github repo to the repo. Would it be possible to scope it to the name of the github action, or some other manner to isolate within a github repo?
We configure two components for github actions:
I would like the platform/infra repo to enable service_account_a to use workload identity in repo_a, but only for github_action_a, and possibly based on other conditional triggers such as file changes or limiting to a branch.
In our monorepo, without this feature it would be possible for a non-maintainer of github_action_a to create a new github action that uses these permissions.
No response
As the title suggests, I'm wondering about the way to access APIs in a Google Workspace domain via Workload Identity Federation?
The service account is already set up and successfully connects to Google Workspace if the request is made with a downloaded service account key.
I thought the delegates input option may be the way to go, but while it gives me the access token, it is not for the Google Workspace API, as the following message suggests.
panic: failed listing groups: googleapi: Error 404: Domain not found., notFound
I'm not even sure it is possible in the first place, so allow me to raise the issue with a blank template.
Thanks in advance!
Hi,
Is it possible to generate access_token from credentials_json?
Here is what I am trying to do:
```yaml
# ...
jobs:
  ci:
    name: Continuous integration
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Authenticate to Google Cloud
        id: gcp-auth
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.gcp-sa-key }}
          token_format: 'access_token'
          access_token_lifetime: '300s'
```
but I am getting:
Error: Action failed with error: Error: Failed to generate Google Cloud access token for ***
"error": ***
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
***
***
Additional information: the above account has the role Service Account Token Creator.
Thanks.
Many Actions (including the GitHub ones) publish a vX tag and force-push to that tag on changes. Instead of going around and updating READMEs, I wonder if we're better off creating a v1 tag and force-pushing there (in addition to tagged releases).
```sh
git tag -a -s -m v0.x.y v0.x.y && git push origin refs/tags/v0.x.y
git tag -d v1 && git tag -a -s -m v1 v1 && git push -f origin refs/tags/v1
```
No response
Hi @sethvargo,
I noticed that you are creating a workflow for the release of new versions. We took this workflow as an example with minor modifications https://github.com/haya14busa/action-bumpr/blob/master/.github/workflows/release.yml
I highly recommend it.
No response
No response
I've updated my workflow due to the deprecation of service_account_key in the google-github-actions/setup-gcloud action.
When running my workflow, the auth step fails after 50-55s, resulting in the stack trace shown below.
The authentication should not end up with a failure.
The auth step fails with the following error:
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
<--- Last few GCs --->
[409:0x3a26080] 49157 ms: Scavenge 2029.8 (2034.9) -> 2029.7 (2040.2) MB, 12.8 / 0.0 ms (average mu = 0.245, current mu = 0.242) allocation failure
[409:0x3a26080] 49175 ms: Scavenge 2032.9 (2040.2) -> 2033.2 (2040.9) MB, 16.1 / 0.0 ms (average mu = 0.245, current mu = 0.242) allocation failure
[409:0x3a26080] 49193 ms: Scavenge 2033.6 (2040.9) -> 2033.3 (2051.9) MB, 17.2 / 0.0 ms (average mu = 0.245, current mu = 0.242) allocation failure
<--- JS stacktrace --->
==== JS stack trace =========================================
0: ExitFrame [pc: 0x1374fd9]
Security context: 0x0a48f43c08a1 <JSObject>
1: fromBase64(aka fromBase64) [0x4e37389aad1] [/home/github/_work/_actions/google-github-actions/auth/v0.4.1/dist/index.js:~665] [pc=0x3540958c3e9d](this=0x00c3800004a9 <undefined>,0x3242bf7acf31 <Very long string[28855]>)
2: parseServiceAccountKeyJSON [0x4e37389abb1] [/home/github/_work/_actions/google-github-actions/auth/v0.4.1/dist/index.js:1816] [byte...
1: 0x9da7c0 node::Abort() [/home/github/externals/node12/bin/node]
2: 0x9db976 node::OnFatalError(char const*, char const*) [/home/github/externals/node12/bin/node]
3: 0xb39f1e v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [/home/github/externals/node12/bin/node]
4: 0xb3a299 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [/home/github/externals/node12/bin/node]
5: 0xce5635 [/home/github/externals/node12/bin/node]
6: 0xce5cc6 v8::internal::Heap::RecomputeLimits(v8::internal::GarbageCollector) [/home/github/externals/node12/bin/node]
7: 0xcf1b5a v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) [/home/github/externals/node12/bin/node]
8: 0xcf2a65 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [/home/github/externals/node12/bin/node]
9: 0xcf410f v8::internal::Heap::HandleGCRequest() [/home/github/externals/node12/bin/node]
10: 0xca30f4 v8::internal::StackGuard::HandleInterrupts() [/home/github/externals/node12/bin/node]
11: 0xff1af7 v8::internal::Runtime_StackGuard(int, unsigned long*, v8::internal::Isolate*) [/home/github/externals/node12/bin/node]
12: 0x1374fd9 [/home/github/externals/node12/bin/node]
...which causes the workflow to fail.
```yaml
- name: Authenticate to Google Cloud
  uses: google-github-actions/[email protected]
  with:
    credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Set up Cloud SDK
  uses: google-github-actions/[email protected]
  with:
    project_id: ${{ secrets.GOOGLE_PROJECT_ID }}
    export_default_credentials: true
    version: 344.0.0
```
I'm running a self-hosted GitHub Runner with version 2.285.1 in a GKE cluster.
Could this maybe be somehow related to the #73 issue?
The docs here say audience is an optional key in the GitHub Actions configuration. But when I run my action without the key specified, I get the following error:
To run successfully without specifying an audience key.
It says the audience key is invalid.
```yaml
name: Deploy - Production
on:
  workflow_dispatch:
    inputs:
      deployables:
        description: 'backend/client/dispatch.yaml'
        default: 'backend client'
        required: true
      message:
        description: 'What updates are you deploying?'
        required: true
concurrency: production_environment
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Disable client deploys
        if: contains(github.event.inputs.deployables, 'client')
        run: |
          # echo "::error::The client cannot be deployed at this time. See Slack for details."
          # exit 1
      - name: Disable backend deploys
        if: contains(github.event.inputs.deployables, 'backend')
        run: |
          # echo "::error::The backend cannot be deployed at this time. See Slack for details."
          # exit 1
      - name: Checkout code
        uses: actions/checkout@v2
      - id: 'auth'
        name: 'Authenticate to GCP'
        uses: 'google-github-actions/[email protected]'
        with:
          workload_identity_provider:
            ${{ secrets.WORKLOAD_ID_PROVIDER_PRODUCTION }}
          service_account: ${{ secrets.SERVICE_ACCOUNT_PRODUCTION }}
      - name: Set up Cloud SDK
        uses: google-github-actions/[email protected]
      - name: Generate version tag
        run: |
          commit_hash=$(git rev-parse --short=7 HEAD)
          echo "version_tag=$(TZ=:UTC date +%Y-%m-%dt%H-%M-%Sutc-$commit_hash)" >> $GITHUB_ENV
      - name: Deploy
        run: |
          ${GITHUB_WORKSPACE}/deploy --production --message="${{ github.event.inputs.message }}" --actor="$GITHUB_ACTOR" --version=${{ env.version_tag }} ${{ github.event.inputs.deployables }}
      - name: Create Release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ env.version_tag }}
          release_name: ${{ github.event.inputs.message }}
          draft: false
          prerelease: false
```
This works fine as configured in our staging environment, which is a separate Google Cloud project.
Replaced the use of https://github.com/docker/login-action with the current action to authenticate to a Google Docker Artifact registry and I can't seem to push an image to it.
Proof that my service account has access to the registry:
Able to push a docker image to Google Artifact Registry
Getting the following error:
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/prj-d-perso-fleroux-4094/locations/northamerica-northeast1/repositories/fleroux-docker" (or it may not exist)
```yaml
---
name: Authenticate to Artifact registry using Identity Federation
on:
  push:
jobs:
  test-oidc:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
      WORKLOAD_IDENTITY_POOL_PROVIDER: 'projects/506790059452/locations/global/workloadIdentityPools/github-pool/providers/github-pool-provider'
      SERVICE_ACCOUNT: '[email protected]'
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Checkout codebase
        uses: actions/checkout@v2
      - name: Authenticate to Google
        id: 'auth'
        uses: 'google-github-actions/[email protected]'
        with:
          token_format: 'id_token'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          id_token_audience: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          create_credentials_file: true
      - name: Build and push Docker
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          cd docker_test
          docker build -t northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello:latest .
          docker image push northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello
        shell: bash
```
No response
First off, this is great! Very excited about getting rid of our JSON keys and migrating to this! That said, I ran into an issue when trying to get this working with private git repos, and wanted to offer to add a usage example. The main issue I ran into is that when I set permissions in the workflow, it revokes all the default permissions. I'd push a PR, but I don't have permission; if we added this to the README it might help folks like me who are using Actions with private repos:
```yaml
jobs:
  run:
    # ...
    # Add "id-token" with the intended permissions.
    # NOTE: This will revoke all default token permissions
    # https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions
    permissions:
      contents: read
      id-token: 'write'
```
There appears to be no way to create the token in a specific location, which makes the workflow identity something you should not use when using github actions to create PRs.
https://github.com/google-github-actions/auth/blob/main/src/main.ts#L136
```yaml
name: "Generate Metadata"
on:
  workflow_dispatch: {}
jobs:
  generate-metadata:
    name: Generate Metadata
    runs-on: ubuntu-20.04
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Check out repository code
        uses: actions/checkout@v2
        with:
          ref: main # restrict this run to only main branch, workflow_dispatch does not support limiting to a branch
      - name: 'auth'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/<projectNumber>/locations/global/workloadIdentityPools/<poolname>/providers/<providerName>'
          service_account: '<serviceAccount>@<projectID>.iam.gserviceaccount.com'
      # further step to modify contents in repo
      # another step to generate token to create PR
      # another step to create PR
```
In that last step, a PR will be created with the expected changes, but the token will be included in the PR.
In another google module, an argument is exposed to specify a different path that allows a consumer to specify where the key should be placed.
```yaml
- name: Setup Google Cloud SDK
  uses: google-github-actions/setup-gcloud@master
  with:
    service_account_key: ${{ secrets.GCP_CREDENTIALS }}
    export_default_credentials: true
    credentials_file_path: /tmp/gcp-credentials.json
```
If possible please expose a similar option.
No response
Changing from uses: google-github-actions/setup-gcloud@master to uses: 'google-github-actions/auth@v0' breaks Firebase Test Lab.
In my github action I have
```yaml
- name: Authenticate to Google Cloud
  uses: 'google-github-actions/auth@v0'
  with:
    credentials_json: '${{ secrets.GCP_SA_KEY }}'
- name: run firebase testlab
  ...
```
I get
gcloud of ['gcloud', 'firebase', 'test', 'android', 'run', '--type=game-loop', ….] failed with stderr:ERROR: (gcloud.firebase.test.android.run) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')
But old version works as expected
```yaml
- name: Authenticate to Google Cloud
  uses: google-github-actions/setup-gcloud@master
  with:
    service_account_key: ${{ secrets.GCP_SA_KEY }}
    export_default_credentials: true
- name: run firebase testlab
  ...
```
Thanks
@sethvargo we had a few issues about pushing to GAR/GCR (#104 (comment), #50 (comment)) should we have an example that showcases this?
Originally posted by @bharathkkb in #123 (comment)
Authentication is successful when the principalSet is set to: //iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/*
But it fails when I limit it to a private repo under an org: //iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/<GITHUB_ORG>/*
Authenticate with specific private repository.
Error: Action failed with error: Error: failed to generate Google Cloud ID token for [email protected]: {
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
```yaml
- id: auth
  name: Authenticate to Google Cloud
  uses: google-github-actions/[email protected]
  with:
    token_format: id_token
    workload_identity_provider: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
    service_account: [email protected]
    access_token_lifetime: '300s'
```
```
❯ gcloud iam service-accounts get-iam-policy "[email protected]"
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/<GITHUB_ORG>/*
  role: roles/iam.workloadIdentityUser
etag: xxxxxx
version: 1
❯ gcloud iam workload-identity-pools providers describe rush3-provider --location global --workload-identity-pool rush3-pool
attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository: assertion.repository_owner
  google.subject: assertion.sub
displayName: Rush demo provider
name: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
```
I have also followed steps described here: #36
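The requests above to confine a pool to one repository, to one branch, or to one workflow all come down to two settings on the Google side: the provider's attribute mapping and attribute condition, and the member string in the service account's IAM binding. The following is an added shell example, not code from the auth action or from any of these issues; every project, pool, provider, repository and service account value in it is a placeholder. It prints the gcloud commands by default and executes them only when WIF_APPLY=1 is set. Two points it illustrates: the principalSet member names a mapped attribute value (attribute.repository/OWNER/NAME) rather than appending the owner to the pool path, and a condition on the ref claim pins the branch. A condition on the workflow claim can be added the same way, but that claim is just the name: field of the workflow file, so it only adds protection when combined with a branch restriction.

```shell
#!/bin/sh
# Added example: not code from the auth action or from these issues.
# Composes the gcloud commands that confine a Workload Identity Pool provider
# to one repository and one branch, and binds only that repository to the
# service account. Every value below is a placeholder to be replaced.
# Commands are printed by default; set WIF_APPLY=1 to execute them.
PROJECT_ID=${PROJECT_ID:-example-project}          # placeholder project id
PROJECT_NUMBER=${PROJECT_NUMBER:-123456789012}     # placeholder project number
POOL=${POOL:-github-pool}
PROVIDER=${PROVIDER:-github-provider}
REPO=${REPO:-example-org/example-repo}             # GitHub "owner/name"
BRANCH_REF=${BRANCH_REF:-refs/heads/main}
SA_EMAIL=${SA_EMAIL:-ci@${PROJECT_ID}.iam.gserviceaccount.com}

# Every claim used in a condition or binding must first be mapped from the
# GitHub OIDC assertion onto a pool attribute; google.subject is mandatory.
wif_attribute_mapping() {
    printf '%s' 'google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner,attribute.ref=assertion.ref,attribute.workflow=assertion.workflow'
}

# CEL condition evaluated at token exchange: a token from any other repository
# or branch is refused before any service account is involved.
wif_attribute_condition() {
    printf "attribute.repository == '%s' && attribute.ref == '%s'" "$1" "$2"
}

# principalSet member naming one mapped attribute value (the repository),
# not the whole pool ("/*") and not the pool path with a suffix appended.
wif_member() {
    printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s' "$1" "$2" "$3"
}

run_or_print() {
    if [ "${WIF_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Use create-oidc with the same flags when the provider does not exist yet.
run_or_print gcloud iam workload-identity-pools providers update-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="$(wif_attribute_mapping)" \
    --attribute-condition="$(wif_attribute_condition "$REPO" "$BRANCH_REF")"

run_or_print gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member "$PROJECT_NUMBER" "$POOL" "$REPO")"
```

The binding uses the project number, not the project id, because that is how pool resource names are formed; the provider commands take the project id. After applying, gcloud iam workload-identity-pools providers describe should show the repository and ref attributes in attributeMapping and the condition in attributeCondition, and a run from any other branch of the repository should fail at the auth step with the same PERMISSION_DENIED shown above.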
gcloud application-default login is only allowed with user credentials, or the application libraries (Google-provided resource authentication in mvn/npm/Gradle, etc.) will authenticate with the ADC (either as defined for the run platform or from a service account JSON key stored in the path defined in the env GOOGLE_APPLICATION_CREDENTIALS).
For CI, the general practice (in GitHub Actions) for a Java application build (for specific actions that demand access to GCP, like JAR/package build and export, unit tests that start the application and use cloud resources, etc.) is to have the Google service account key retrieved from a secured location (usually GitHub Secrets) and pushed to the build container in the path specified in the env GOOGLE_APPLICATION_CREDENTIALS (usually this is done automatically if google-github-actions/setup-gcloud@master is used with export_default_credentials set to true).
But after switching to the workload_identity_provider with google-github-actions/auth@v0, the CI actions for those Java build steps fail, as the libraries (neither mvn, Gradle nor npm, etc.) can't recognize the ADC, and with the new flow/setup the credentials can only be output in the .credentials_file_path, which the application libraries fail to identify.
The ask is to also allow application login (Google application libraries from Maven/Gradle/npm) with keyless authentication, and I hope this can be achieved via either
1. Updating gcloud auth application-default login to allow and accept the credentials output from google-github-actions/auth@v0
(or)
2. Creating a short-lived (temporary) JSON key for the service account which is used to authorize the token exchange, keeping it in the build container where it can be recognized by ADC (and deleting the service account key on build termination)
(or)
3. Providing a mechanism to support application login in CI steps (e.g., gcloud auth login is allowed with the credentials output from the auth step)
No response
Authenticating to docker using gcloud isn't working, despite what looks like a successful login.
Docker to be successfully authenticated.
Docker authentication doesn't seem to be working in combination with this actions output?
```yaml
- name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/auth@v0'
  with:
    credentials_json: '${{ secrets.GOOGLE_CLOUD_TOKEN }}'
- name: 'Set up Cloud SDK'
  uses: 'google-github-actions/setup-gcloud@v0'
- name: Docker Login
  run: "gcloud auth configure-docker --quiet us-central1-docker.pkg.dev"
- uses: actions/checkout@v2
- name: Build Docker Image
  run: "docker build ."
```
Getting:
ERROR: (gcloud.auth.docker-helper) Failed to load credential file: [/home/runner/work/api/api/39c413352e4b4825126e788d]. File /home/runner/work/api/api/39c413352e4b4825126e788d was not found.
Even though:
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/api/api/39c413352e4b4825126e788d
GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/api/api/39c413352e4b4825126e788d
GOOGLE_GHA_CREDS_PATH: /home/runner/work/api/api/39c413352e4b4825126e788d
I am getting an auth bug when I try to generate an id_token using the github action.
There should be no auth errors.
I get a 403 error.
Run google-github-actions/auth@v0
with:
token_format: id_token
workload_identity_provider: projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider
service_account: abcd@***.iam.gserviceaccount.com
id_token_audience: projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider
create_credentials_file: true
cleanup_credentials: true
access_token_lifetime: 3600s
access_token_scopes: https://www.google***s.com/auth/cloud-platform
id_token_include_email: false
env:
WORKLOAD_IDENTITY_POOL_PROVIDER: projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider
SERVICE_ACCOUNT: abcd@***.iam.gserviceaccount.com
Created credentials file at "/home/runner/work/***/***/3eb53b95d764be1564f71360"
Error: google-github-actions/auth failed with: failed to generate Google Cloud ID token for abcd@***.iam.gserviceaccount.com: {
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
```yaml
name: Deploy
on:
  push:
    branches:
      - 'develop'
jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest
    env:
      WORKLOAD_IDENTITY_POOL_PROVIDER: 'projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider'
      SERVICE_ACCOUNT: '[email protected]'
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Build Docker image
        run: |
          docker build . --tag gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}-v${{ steps.package-version.outputs.current-version }}
      # Configure Workload Identity Federation for Google Cloud
      - id: auth
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'id_token'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          id_token_audience: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          create_credentials_file: true
      # Setup gcloud CLI
      - name: Setup gcloud sdk
        uses: google-github-actions/setup-gcloud@v0
      # Configure docker to use the gcloud command-line tool as a credential helper
      - name: 'Set up docker to authenticate via gcloud command-line tool'
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          gcloud auth configure-docker
      - name: Push Docker image to Google Container registry
        run: |
          docker push gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}-v${{ steps.package-version.outputs.current-version }}
```
No response