auth's Issues

Authenticating via Service Account Key JSON does not work

TL;DR

Moving from deprecated service_account_key in the google-github-actions/setup-gcloud to the credentials_json gives me the following error:

Error: google-github-actions/setup-gcloud failed with: Error parsing credentials: Unexpected end of JSON input
Ensure your credentials are base64 encoded or validate JSON format: 

I have also tried to encode the JSON key to base64, but it does not change the behaviour.

Expected behavior

No response

Observed behavior

No response

Action YAML

name: Test on GKE
on:
  push: {}

env:
  PROJECT_ID: my-project
  GKE_ZONE: europe-west1-b

jobs:
  create-e-cluster:
    name: Create GKE cluster
    runs-on: ubuntu-latest
    outputs:
      cluster_name: my-cluster

    steps:
    # Setup gcloud CLI
    - id: 'auth'
      uses: 'google-github-actions/[email protected]'
      with:
        credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
    - uses: google-github-actions/setup-gcloud@master
      with:
        project_id: ${{ env.PROJECT_ID }}
        export_default_credentials: true

Additional information

It's not an issue with the JSON key itself, as the same value for the service_account_key in the google-github-actions/setup-gcloud is working.

Use with default authentication method (gcloud or authentication helpers)

It feels like it is more a discussion than an issue, but as discussions are not enabled I open this issue.

This process is a great way to get an access token, but Google helpers (from docker credential helpers, library helpers, ...) will use GOOGLE_APPLICATION_CREDENTIALS or call gcloud to get an access token.

Is there a way to use this access token in a transparent way with those helpers? (like a GOOGLE_APPLICATION_ACCESS_TOKEN env variable)

Thank you

Setup gcloud failed after successful authentication

TL;DR

gcloud setup action failed after successful authentication with google-github-actions/auth@v0 action.

google-github-actions/setup-gcloud failed with: The process '/opt/hostedtoolcache/gcloud/371.0.0/x64/bin/gcloud' failed with exit code 1

Expected behavior

Should be able to set up gcloud after the auth action.

Observed behavior

Setup gcloud action failed during installation.

Action YAML

name: test
on: 
  push:
    paths:
      - ".github/workflows/test.yaml"


jobs:
  job_id:
    # ...
    runs-on: ubuntu-latest
    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v2'

    # Configure Workload Identity Federation via a credentials file.
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: "<redacted>"
        service_account: "<redacted>"

    # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v0'

    # Now you can run gcloud commands authenticated as the impersonated service account.
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud secrets versions access "latest" --secret "my-secret"

Log output

Run google-github-actions/setup-gcloud@v0
  with:
    version: latest
    export_default_credentials: false
    cleanup_credentials: true
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/gruffalo-mirror/gruffalo-mirror/754e55846bfbfab3698599f8
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/gruffalo-mirror/gruffalo-mirror/754e55846bfbfab3698599f8
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/gruffalo-mirror/gruffalo-mirror/754e55846bfbfab3698599f8
    CLOUDSDK_PROJECT: <redacted>
    CLOUDSDK_CORE_PROJECT: <redacted>
    GCP_PROJECT: <redacted>
    GCLOUD_PROJECT: <redacted>
    GOOGLE_CLOUD_PROJECT: <redacted>
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/51f8b71f-b0f3-4043-9cfa-9f4fff5bee67 -f /home/runner/work/_temp/5d398a48-c1c2-46c6-8f78-78a9c1900bc5
Error: google-github-actions/setup-gcloud failed with: The process '/opt/hostedtoolcache/gcloud/371.0.0/x64/bin/gcloud' failed with exit code 1

Additional information

I followed the Readme instructions to create Workload Identity Federation.

v0.3.1 - error code 403 The Caller Does Not Have Permission

TL;DR

Getting a 403 error when authenticating to GCP. Two weeks ago (10/19) the same exact workflow passed successfully. We did not change anything with our GCP IAM user or anything in the workflow. We followed the readme in setting up and I verified that nothing has changed on that user.

Expected behavior

Successful authentication.

Observed behavior

"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}

Reproduction

Follow setup steps in readme and create a github action for Oauth2.0

Action YAML

    steps:
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/[email protected]'
      with:
        token_format: 'access_token'
        workload_identity_provider: 'projects/########/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
        service_account: 'github-actions@#######.iam.gserviceaccount.com'

Additional information

No, we are in POC phase for deploying to GCP using GitHub actions and using this action is part of it.

Problem using WIF authentication with google terraform provider

TL;DR

I'm not sure if this is an issue with the auth action or with the google terraform provider (or something else), so apologies if this is not the correct place.

When I use the auth action to set up WIF authentication to Google Cloud so I can run terraform, I get this error immediately as terraform tries to initialize the backend (with state stored in Cloud Storage):

Initializing the backend...

Error: storage.NewClient() failed: dialing: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "external_account"

This should be reproducible with the GitHub Actions YAML given below and any terraform config that uses Cloud Storage as its state backend.


A quick search turned up these issues that also dealt with WIF and experienced this unknown credential type: "external_account" error:

Expected behavior

Terraform is able to initialize module directory without error.

Observed behavior

Terraform returns error when initializing module directory.

Action YAML

name: 'apply terraform configs'

on:
  push:
    paths:
    - terraform/**
    branches:
    - main
  pull_request:
    paths:
    - terraform/**

env:
  GCP_PROJECT_ID: xxx
  ...snip...
  TF_IN_AUTOMATION: 1
  TF_REGISTRY_CLIENT_TIMEOUT: 60s

jobs:
  terraform:
    name: Terraform
    runs-on: self-hosted # <-- Using https://github.com/actions-runner-controller/actions-runner-controller default image
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0

    - uses: actions/setup-node@v2
      with:
        node-version: '14'

    - uses: hashicorp/setup-terraform@v1
      with:
        terraform_version: 0.14.8

    - uses: google-github-actions/auth@v0
      with:
        workload_identity_provider: 'projects/yyy/locations/global/workloadIdentityPools/pool-ci-cd/providers/github-actions'
        service_account: '[email protected]'

    ...snip...

    - name: Terraform Format
      run: ...terraform fmt -check collected modules...

    - name: Terraform Init # <-- Error happens here
      run: ...terraform init collected modules...

    ...snip...

Additional information

I have WIF setup with the following terraform config I've already applied locally (and this is the same terraform config that the workflow is trying to init):

terraform {
  required_version = ">= 0.14"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.4.0"
    }
  }

  backend "gcs" {
    bucket = "xxx-terraform-state"
    prefix = "envs/prod/iam"
  }
}

provider "google" {
  project = "xxx"
}

provider "google-beta" {
  project = "xxx"
}

resource "google_iam_workload_identity_pool" "ci" {
  provider = google-beta

  workload_identity_pool_id = "pool-ci-cd"
  display_name              = "CI/CD"
  description               = "Identity pool for continuous integration service accounts."
  disabled                  = false
}

resource "google_iam_workload_identity_pool_provider" "github_actions" {
  provider = google-beta

  workload_identity_pool_id          = google_iam_workload_identity_pool.ci.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-actions"
  display_name                       = "GitHub Actions"
  description                        = "Provider used by GitHub Action workflows."
  disabled                           = false

  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.actor"      = "assertion.actor"
    "attribute.repository" = "assertion.repository"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "terraform" {
  account_id   = "terraform"
  display_name = "terraform"
  description  = "Used by terraform to apply changes"
}

resource "google_service_account_iam_member" "terraform_sa_workload_identity" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.ci.name}/attribute.repository/xxx/yyy"
}

This issue builds off my comment here: google-github-actions/setup-gcloud#440 (comment)

Thanks!

Action failed with error: Error: $ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set

TL;DR

I can't seem to get the latest version to work, although I set the permissions correctly. 🤔

Expected behavior

Action working fine.

Observed behavior

Errors out with: Error: Action failed with error: Error: $ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set.

Reproduction

Action YAML

name: lint
on: [pull_request]

env:
  TF_LOG: WARN

jobs:

  tflint:

    name: terraform
    runs-on: ubuntu-latest

    permissions:
      contents: write
      id-token: write
      pull-requests: write

    steps: 
    -
      uses: actions/checkout@v2
    -
      name: Authenticate to Google Cloud
      uses: google-github-actions/[email protected]
      with:
        token_format: access_token
        access_token_lifetime: 900s
        workload_identity_provider: projects/1049058775616/locations/global/workloadIdentityPools/main-pool/providers/github
        service_account: [email protected]
        create_credentials_file: true
        activate_credentials_file: true
 

Help us avoid credential leak into containers - Use a default credential file path

TL;DR

Use google's usual default path (google_credentials.json) for generated application credentials, or alternatively allow us to specify the path of the credentials file that gets created.

This will help us avoid by default a significant vulnerability that is easy to introduce by mistake: baking credentials into images for all to see.

Detailed design

Let's say I use this action to do a typical thing: build a container and push it to GCR:

name: build_container_and_push_to_gcr

on:
  workflow_dispatch:

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Authenticate with GCP Workload Identity
        id: auth
        uses: google-github-actions/[email protected]
        with:
          create_credentials_file: true
          workload_identity_provider: REDACTED
          service_account: REDACTED

      - name: Setup gcloud
        uses: 'google-github-actions/setup-gcloud@v0'

      - name: Configure Docker to push images to GCP
        run: gcloud auth configure-docker

      - name: Build
        uses: docker/build-push-action@v2
        with:
          context: .
          file: Dockerfile
          tags: this-contains:the-account-credentials
          
      - name: Other stuff
        run: echo "Do testing stuff which might require the credentials file"

The auth step creates a credentials file with a randomised name - like /home/runner/work/me/myrepo/4c33e43f60be11e1a7b5d5f4.

The problem occurs when Dockerfile contains the following extremely common line:

COPY . .

If you're like me, you'll have a .dockerignore file that will include something like:

# NEVER bake in environment variables or credentials
.env
.env*
google_credentials.json

But, because in this case the credentials file name cannot be known a priori, the .dockerignore can't be configured not to copy it in.

Proposed solution

  • Revert to a predictable file name, or make user specify as a required argument
  • [Optional, but nice] Check for presence of .dockerignore and if it doesn't contain the file then warn the user
  • [Optional, but nice] Add a boolean --update-dockerignore option, true by default, that creates or updates a .dockerignore file with the credentials file name

A possible workaround

As one possible workaround, I'd have to introduce a step something like

    - name: Prevent secret from getting into container
      # WARNING UNTESTED!!!
      # basename strips the directory part of the randomised credentials path,
      # leaving just the file name to list in .dockerignore
      run: touch .dockerignore && basename "${{ steps.auth.outputs.credentials_file_path }}" >> .dockerignore

    - name: Now it's safe to build
      #...

Additional information

I also think it's a bit more intuitive for it to end up in google_credentials.json, the location given in most of google's tutorials on application credentials.
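The workaround step above, made into a reusable shell function (an added example, not code from the issue author or the google-github-actions/auth project): it appends the basename of the generated credentials file to .dockerignore only when it is not already listed, and copes with a .dockerignore whose last line has no trailing newline, which would otherwise glue the new entry onto the previous pattern. The credentials path is whatever the auth step reports (steps.auth.outputs.credentials_file_path in the post, or GOOGLE_GHA_CREDS_PATH in the log output earlier on this page); the sample paths in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the google-github-actions/auth project.
# Keep the randomly named credentials file written into the workspace out of
# `COPY . .` by listing its basename in the build context's .dockerignore.

# The .dockerignore entry for a credentials file is its basename, because the
# auth step writes the file at the root of the workspace (= build context),
# e.g. /home/runner/work/me/myrepo/4c33e43f60be11e1a7b5d5f4 (constructed).
creds_ignore_entry() {
    basename "$1"
}

# Return 0 if $1/.dockerignore already contains a line exactly equal to $2.
# -x matches whole lines, -F takes the entry literally (no glob/regex).
dockerignore_has() {
    [ -f "$1/.dockerignore" ] && grep -qxF -- "$2" "$1/.dockerignore"
}

# Append the entry for credentials file $2 to $1/.dockerignore, creating the
# file if needed. Idempotent: prints "present" on a repeat call, "added"
# when a line was written.
protect_dockerignore() {
    ctx=$1
    entry=$(creds_ignore_entry "$2")
    if dockerignore_has "$ctx" "$entry"; then
        echo present
        return 0
    fi
    # If the existing file does not end with a newline, the new entry would
    # be appended onto the last pattern (e.g. "google_credentials.json4c33...")
    # and match nothing. tail -c1 prints the last byte; command substitution
    # strips a trailing newline, so an empty result means one is present.
    if [ -s "$ctx/.dockerignore" ] && [ "$(tail -c1 "$ctx/.dockerignore")" != "" ]; then
        printf '\n' >> "$ctx/.dockerignore"
    fi
    printf '%s\n' "$entry" >> "$ctx/.dockerignore"
    echo added
}

# Stand-alone usage: protect.sh <build-context-dir> <credentials-file-path>
if [ "$#" -eq 2 ]; then
    protect_dockerignore "$1" "$2"
fi
```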

Error: $ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set

Hi!

Great idea, and trying to implement this for a private GitHub repository.
However, the action always errors with: Error: $ACTIONS_ID_TOKEN_REQUEST_TOKEN is not set.

My workflow:

name: test
on: [pull_request]

env:
  TERRAFORM_SA: terraform@xxx

jobs:
  test:
    name: terraform
    runs-on: ubuntu-latest
    steps: 
    -
      uses: actions/checkout@v2
    -
      uses: hashicorp/setup-terraform@v1
    -
      name: Terraform fmt
      run: terraform fmt -check=true
    -
      name: Authenticate to Google Cloud
      uses: google-github-actions/[email protected]
      with:
        token_format: access_token
        access_token_lifetime: 900s
        workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/xxx
        service_account: ${{ env.TERRAFORM_SA }}
        create_credentials_file: true
        activate_credentials_file: true
    -
      name: Terraform Init
      run: terraform init
    -
      name: Terraform Validate
      run: terraform validate -no-color
    -
      name: Terraform Plan
      run: terraform plan -no-color -lock=false -input=false
    -
      name: Cleanup
      if: always()
      run: rm "${GOOGLE_APPLICATION_CREDENTIALS}" || true

[Help] Am I supposed to set ACTIONS_ID_TOKEN_REQUEST_URL

Hey, sorry, this is probably a dumb question, but I've read through the readme and I've copy-pasted each setup step exactly without issue. However, when I try and authenticate I get

Error: Action failed with error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

Am I supposed to set ACTIONS_ID_TOKEN_REQUEST_URL as an Action Secret? If so, where do I get this value on the GCP console?

I'm just trying a really basic example using:

      - id: 'auth'
        name: Login to Google Storage
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: 'my-provider'
          service_account: ' [email protected]'

      - name: Upload to Google Storage
        uses: google-github-actions/[email protected]
        with:
          path: ${{steps.download.outputs.download-path}}/*
          destination: my-bucket/release

Long branch names cause auth failure for workload identity federation

TL;DR

Using a long branch name will result in an invalid subject line in the request, resulting in the following error:

google-github-actions/auth failed with: failed to generate Google Cloud federated token for projects/<project>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider: {"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}

NOTE: I edited this to include a simpler log, action.yaml and use the latest version of the plugin.

Expected behavior

Should be able to use any valid GitHub ref to trigger a WIF authentication.

Observed behavior

WIF request fails and the job cannot proceed.

Action YAML

name: GitHub Bug Report
on: [push]
jobs:
  deploy:
    permissions:
      contents: "read"
      id-token: "write"
    runs-on: ubuntu-20.04
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/[email protected]"
        with:
          token_format: "access_token"
          workload_identity_provider: "projects/<redacted>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider"
          service_account: "<redacted>"
          create_credentials_file: true

Log output

2022-02-02T17:54:18.2078222Z Waiting for a runner to pick up this job...
2022-02-02T17:54:18.7663541Z Job is waiting for a hosted runner to come online.
2022-02-02T17:54:21.5957954Z Job is about to start running on the hosted runner: GitHub Actions 5 (hosted)
2022-02-02T17:54:25.0873159Z Current runner version: '2.287.1'
2022-02-02T17:54:25.0900688Z ##[group]Operating System
2022-02-02T17:54:25.0901172Z Ubuntu
2022-02-02T17:54:25.0901445Z 20.04.3
2022-02-02T17:54:25.0901649Z LTS
2022-02-02T17:54:25.0901987Z ##[endgroup]
2022-02-02T17:54:25.0902248Z ##[group]Virtual Environment
2022-02-02T17:54:25.0902601Z Environment: ubuntu-20.04
2022-02-02T17:54:25.0902910Z Version: 20220123.1
2022-02-02T17:54:25.0903350Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220123.1/images/linux/Ubuntu2004-Readme.md
2022-02-02T17:54:25.0903995Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220123.1
2022-02-02T17:54:25.0904367Z ##[endgroup]
2022-02-02T17:54:25.0904702Z ##[group]Virtual Environment Provisioner
2022-02-02T17:54:25.0905032Z 1.0.0.0-main-20220128-1
2022-02-02T17:54:25.0905274Z ##[endgroup]
2022-02-02T17:54:25.0905851Z ##[group]GITHUB_TOKEN Permissions
2022-02-02T17:54:25.0906337Z Contents: read
2022-02-02T17:54:25.0906759Z Metadata: read
2022-02-02T17:54:25.0907050Z ##[endgroup]
2022-02-02T17:54:25.0910740Z Secret source: Actions
2022-02-02T17:54:25.0911161Z Prepare workflow directory
2022-02-02T17:54:25.1782465Z Prepare all required actions
2022-02-02T17:54:25.1970927Z Getting action download info
2022-02-02T17:54:25.4323218Z Download action repository 'actions/checkout@v2' (SHA:ec3a7ce113134d7a93b817d10a8272cb61118579)
2022-02-02T17:54:26.4517066Z Download action repository 'google-github-actions/[email protected]' (SHA:7a360a247cce1245c1d13bc63d8b2ac927d201c8)
2022-02-02T17:54:27.3492832Z ##[group]Run actions/checkout@v2
2022-02-02T17:54:27.3493132Z with:
2022-02-02T17:54:27.3493489Z   fetch-depth: 0
2022-02-02T17:54:27.3493742Z   repository: <redacted>
2022-02-02T17:54:27.3494292Z   token: ***
2022-02-02T17:54:27.3494513Z   ssh-strict: true
2022-02-02T17:54:27.3494800Z   persist-credentials: true
2022-02-02T17:54:27.3495125Z   clean: true
2022-02-02T17:54:27.3495324Z   lfs: false
2022-02-02T17:54:27.3495569Z   submodules: false
2022-02-02T17:54:27.3495797Z ##[endgroup]
2022-02-02T17:54:27.6004388Z Syncing repository: <redacted>
2022-02-02T17:54:27.6006214Z ##[group]Getting Git version info
2022-02-02T17:54:27.6006874Z Working directory is '/home/runner/work/<redacted>'
2022-02-02T17:54:27.6007493Z [command]/usr/bin/git version
2022-02-02T17:54:27.6098663Z git version 2.34.1
2022-02-02T17:54:27.6119945Z ##[endgroup]
2022-02-02T17:54:27.6127428Z Deleting the contents of '/home/runner/work/<redacted>'
2022-02-02T17:54:27.6133584Z ##[group]Initializing the repository
2022-02-02T17:54:27.6138821Z [command]/usr/bin/git init /home/runner/work/<redacted>
2022-02-02T17:54:27.6215448Z Initialized empty Git repository in /home/runner/work/<redacted>/.git/
2022-02-02T17:54:27.6227577Z [command]/usr/bin/git remote add origin https://github.com/<redacted>
2022-02-02T17:54:27.6268913Z ##[endgroup]
2022-02-02T17:54:27.6269790Z ##[group]Disabling automatic garbage collection
2022-02-02T17:54:27.6272699Z [command]/usr/bin/git config --local gc.auto 0
2022-02-02T17:54:27.6305351Z ##[endgroup]
2022-02-02T17:54:27.6324625Z ##[group]Setting up auth
2022-02-02T17:54:27.6326311Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-02-02T17:54:27.6351475Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-02-02T17:54:27.6701367Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-02-02T17:54:27.6763482Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-02-02T17:54:27.6984237Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2022-02-02T17:54:27.7029115Z ##[endgroup]
2022-02-02T17:54:27.7030556Z ##[group]Fetching the repository
2022-02-02T17:54:27.7038145Z [command]/usr/bin/git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*
2022-02-02T17:54:28.4684959Z remote: Enumerating objects: 4616, done.        
2022-02-02T17:54:28.4685597Z remote: Counting objects:   0% (1/643)        
<simplified>
2022-02-02T17:54:32.6721590Z Resolving deltas: 100% (3018/3018), done.
2022-02-02T17:54:32.6961896Z From https://github.com/<redacted>
2022-02-02T17:54:32.6965024Z  * [new branch]      oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard -> origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.6993315Z [command]/usr/bin/git branch --list --remote origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7021679Z   origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7031406Z [command]/usr/bin/git rev-parse refs/remotes/origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7056803Z c3ffd0ff38303a6295ebd6e14d880fdea1d89dc3
2022-02-02T17:54:32.7062236Z ##[endgroup]
2022-02-02T17:54:32.7062870Z ##[group]Determining the checkout info
2022-02-02T17:54:32.7066351Z ##[endgroup]
2022-02-02T17:54:32.7067959Z ##[group]Checking out the ref
2022-02-02T17:54:32.7074346Z [command]/usr/bin/git checkout --progress --force -B oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard refs/remotes/origin/oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard
2022-02-02T17:54:32.7305267Z Switched to a new branch 'oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard'
2022-02-02T17:54:32.7306709Z Branch 'oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard' set up to track remote branch 'oleksii/2746-add-a-button-in-madmin-that-is-a-shortcut-to-the-given-merchant-in-the-sales-dashboard' from 'origin'.
2022-02-02T17:54:32.7324554Z ##[endgroup]
2022-02-02T17:54:32.7352521Z [command]/usr/bin/git log -1 --format='%H'
2022-02-02T17:54:32.7380757Z 'c3ffd0ff38303a6295ebd6e14d880fdea1d89dc3'
2022-02-02T17:54:32.7581584Z ##[group]Run google-github-actions/[email protected]
2022-02-02T17:54:32.7581916Z with:
2022-02-02T17:54:32.7582104Z   token_format: access_token
2022-02-02T17:54:32.7582485Z   workload_identity_provider: projects/<redacted>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider
2022-02-02T17:54:32.7582941Z   service_account: <redacted>
2022-02-02T17:54:32.7583257Z   create_credentials_file: true
2022-02-02T17:54:32.7583466Z   cleanup_credentials: true
2022-02-02T17:54:32.7583686Z   access_token_lifetime: 3600s
2022-02-02T17:54:32.7583982Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-02-02T17:54:32.7584258Z   id_token_include_email: false
2022-02-02T17:54:32.7584454Z ##[endgroup]
2022-02-02T17:54:34.6517813Z Created credentials file at "/home/runner/work/<redacted>"
2022-02-02T17:54:34.6518355Z 
2022-02-02T17:54:34.6545833Z 
2022-02-02T17:54:34.7859492Z ##[error]google-github-actions/auth failed with: failed to generate Google Cloud federated token for projects/<redacted>/locations/global/workloadIdentityPools/github-identity-pool/providers/github-provider: {"error":"invalid_request","error_description":"The size of mapped attribute google.subject exceeds the 127 bytes limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 127 bytes."}
2022-02-02T17:54:34.7929396Z Post job cleanup.
2022-02-02T17:54:34.8544512Z Removed exported credentials at "/home/runner/work/<redacted>".
2022-02-02T17:54:34.8635780Z Post job cleanup.
2022-02-02T17:54:34.9804895Z [command]/usr/bin/git version
2022-02-02T17:54:34.9847194Z git version 2.34.1
2022-02-02T17:54:34.9879976Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-02-02T17:54:34.9914118Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-02-02T17:54:35.0139163Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-02-02T17:54:35.0164965Z http.https://github.com/.extraheader
2022-02-02T17:54:35.0175788Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2022-02-02T17:54:35.0208839Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-02-02T17:54:35.0592499Z Cleaning up orphan processes

Additional information

I can upgrade to v0.5.0 and try again, but the changelog did not appear to have anything that would adjust this behavior. Please let me know if you'd like me to do that and report back.
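A pre-flight check for the limit quoted in that error, added here as an example and not part of the issue or the auth project: it builds the sub claim GitHub issues for a branch push (repo:OWNER/REPO:ref:refs/heads/BRANCH, which the attribute mapping google.subject = assertion.sub copies unchanged) and measures it in bytes, since the limit is in bytes and bash's ${#var} counts characters in a UTF-8 locale. The owner/repo value example-org/example-repo is a placeholder; the branch name is the one from the log above.

```shell
#!/bin/sh
# Added example, not code from the google-github-actions/auth project.
# Checks whether the google.subject that Workload Identity Federation derives
# from a GitHub OIDC token stays within the 127-byte limit quoted in the
# error above, so an over-long branch name is caught before the job fails.

SUBJECT_LIMIT=127   # the limit named in the error message

# The sub claim GitHub issues for a push to a branch:
#   repo:OWNER/REPO:ref:refs/heads/BRANCH
# With attribute_mapping "google.subject" = "assertion.sub" this string is
# mapped unchanged, so its length is what the limit applies to.
github_sub_for_branch() {
    printf 'repo:%s:ref:refs/heads/%s' "$1" "$2"
}

# Length in bytes: wc -c counts bytes, whereas bash's ${#var} counts
# characters in a UTF-8 locale and would under-count a non-ASCII branch name.
byte_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Return 0 when the subject is within the limit, 1 when it exceeds it.
subject_fits() {
    [ "$(byte_len "$1")" -le "$SUBJECT_LIMIT" ]
}

# Human-readable report for one owner/repo and branch; the exit status
# mirrors subject_fits so the function can gate a workflow step.
check_branch_subject() {
    sub=$(github_sub_for_branch "$1" "$2")
    len=$(byte_len "$sub")
    if subject_fits "$sub"; then
        echo "ok: $len bytes: $sub"
    else
        echo "too long: $len bytes, limit $SUBJECT_LIMIT: $sub"
        return 1
    fi
}

# Stand-alone usage: check.sh <owner/repo> <branch>
if [ "$#" -eq 2 ]; then
    check_branch_subject "$1" "$2"
fi
```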

Testing

TL;DR

Testing new issue templates

Expected behavior

No response

Observed behavior

No response

Action YAML

thing: foo
bar: banana

Additional information

No response

403s trying to run this action

TL;DR

Getting 403s trying to experiment with OIDC-based workload identities

Expected behavior

Action runs successfully, prints list of images, all is merry.

Observed behavior

I get a 403 executing this action:

Error: google-github-actions/auth failed with: Error: Failed to generate Google Cloud access token for [email protected]: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Action YAML

I created a gist here: https://gist.github.com/mattmoor/04a46b31024322b4a95e49cd15a18ccd

The script creates everything and is based on this (thanks to Justin Beckwith): https://github.com/GoogleCloudPlatform/nodejs-docs-samples/blob/main/buildsetup.sh

The other half is the yaml you seek.

Additional information

There was already some back-and-forth with @sethvargo on twitter here: https://twitter.com/sethvargo/status/1468785218777665539

I am getting The GitHub Action workflow must specify exactly one of "workload_identity_provider" or "credentials_json" Error!

TL;DR

Even though there are only credentials I am using for the workflow, I am getting the following error:

The GitHub Action workflow must specify exactly one of "workload_identity_provider" or "credentials_json"!

Expected behavior

The workflow should work as per my understanding

Observed behavior

No response

Action YAML

name: Build and Deploy to Cloud Run

# Defining Triggers.
# In our case : any push to the dev_omipar branch
on:
  push:
    branches:
    - dev_omipar

# Defining ENV vars internal to the flow
env:
  PROJECT_ID: datalake-298101
  REGION: us-central1
  DEPLOYMENT_NAME: omipar-dev
  IMAGE: omipar-dev

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [12.x]

    steps:

    # Checking out code from github repo
    - name: Checkout
      uses: actions/checkout@v2
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v1
      with:
        node-version: ${{ matrix.node-version }}
    - name: npm install and test
      run: |
        npm install
        npm test > coverage.txt
      env:
        CI: true
    - uses: papeloto/action-zip@v1
      with:
        files: coverage/ index.json
        dest: result.zip

    # Set up gcloud SDK access to cloud resources by referring to the GitHub Secrets store
    - uses: google-github-actions/setup-gcloud@master
      with:
        service_account_key: ${{ secrets.gcp_credentials }}
        project_id: ${{ env.PROJECT_ID }}


    # Configure Docker to use the gcloud command-line tool as a helper for authentication
    - run: |-
        gcloud --quiet auth configure-docker
    
    # upload
    - name: 'Upload assets to GCP bucket, CDN'
      uses: google-github-actions/[email protected]
      with:
        credentials_json: ${{ secrets.gcp_credentials }}
    - uses: google-github-actions/[email protected]
      with:
        path: coverage
        destination: omipar-release-test-case-reports
    
    # Build the Docker image
    - name: Build
      run: |-
        sudo docker build --tag "gcr.io/$PROJECT_ID/$IMAGE:latest" .
    # Push the updated build into the GCR registry
    - uses: mattes/gce-docker-push-action@v1
      with:
        creds: ${{ secrets.gcp_credentials }}
        src: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE}}:latest
        dst: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE}}:latest
        
    # - name: Send mail
    #   uses: dawidd6/action-send-mail@v3
    #   with:
    #     # Required mail server address:
    #     server_address: smtp.gmail.com
    #     # Required mail server port:
    #     server_port: 465
    #     # Optional (recommended): mail server username:
    #     username: ${{secrets.USERNAME}}
    #     # Optional (recommended) mail server password:
    #     password: ${{secrets.PASSWORD}}
    #     # Required mail subject:
    #     subject: Github Actions job result
    #     # Required recipients' addresses:
    #     to: [email protected]
    #     # Required sender full name (address can be skipped):
    #     from: Mihir Mehta # <[email protected]>
    #     # Optional whether this connection use TLS (default is true if server_port is 465)
    #     secure: true
    #     # Optional plain body:
    #     body: Build job of ${{github.repository}} completed successfully!
    #     # Optional HTML body read from file:
    #     # html_body: file://result.zip
    #     attachments: result.zip
    #     # Optional unsigned/invalid certificates allowance:
    #     ignore_cert: true
    #     # Optional converting Markdown to HTML (set content_type to text/html too):
    #     convert_markdown: true
    - name: Send email through SendGrid
      uses: peter-evans/sendgrid-action@v1
      env:
        SENDGRID_API_KEY: ${{ secrets.SENDGRID_API_KEY }}
        
    - name: Deploy to Cloud Run
      id: deploy
      uses: google-github-actions/deploy-cloudrun@main
      with:
        service: ${{env.DEPLOYMENT_NAME}}
        image: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE}}:latest
        project_id: ${{ env.PROJECT_ID }}
        region: ${{env.REGION}}
        credentials: ${{ secrets.gcp_credentials }}
        flags: --service-account [email protected] --memory 2Gi

Additional information

No response

Work with application default credentials and google artifact registry npm credential helper

TL;DR

Not sure if it is already possible or not, but I'd like to use this to push to an Artifact Registry private npm repo using the credential helper approach.

Detailed design

After successfully authenticating to Google Cloud, I try to use the credential helper approach to connect to an Artifact Registry private npm repo (https://cloud.google.com/artifact-registry/docs/nodejs/authentication#auth-helper) via the command npx google-artifactregistry-auth, which should work with application default credentials, but it fails with the error:

npx: installed 47 in 3.842s
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run: 
`gcloud auth application-default login`, `gcloud auth login`, or 
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
    at Object.getCreds (/home/runner/.npm/_npx/1612/lib/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

Is it possible to do this if I also set GOOGLE_APPLICATION_CREDENTIALS to some path? Perhaps the credentials_file_path output of auth?

Additional information

No response

Document and/or support authentication for gsutil

TL;DR

I want to be able to use gsutil within github action using Workload Identity Federation for authentication.

Detailed design

The readme says how to configure gcloud using Workload Identity Federation. However, it specifically outlines that this method won't work for gsutil and doesn't provide an alternative. The google-github-actions/upload-cloud-storage action can be used as a replacement, but its functionality is limited compared to gsutil.

ref.: https://github.com/google-github-actions/auth#configuring-gcloud

Additional information

No response

How to get auth for gsutil

Question

How do I use this to obtain a credential that allows normal use of gsutil in subsequent steps?

An example would be appreciated.

Example code fails as "No such file or directory" if working-directory is modified

TL;DR

README > Examples > Cloud SDK (gcloud) @v0.3.1 fails if working-directory is modified:


Workaround:

defaults:
  run:
    working-directory: somewhere
# ...
jobs:
  job_id:
    steps:
      # ...
      - run: gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        working-directory: .  # Add this line. Use the default working-directory

I'm wondering why this happens even the steps.auth.outputs.credentials_file_path returns an absolute path... 🤔

Expected behavior

This is not a bug of this repository. Worth mention in README?

Observed behavior

Reproduction

Action YAML

defaults:
  run:
    working-directory: somewhere
jobs:
  job_id:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: 'google-github-actions/setup-gcloud@master'
        with:
          project_id: my-project-id
      - uses: google-github-actions/[email protected]
        id: auth
        with:
          create_credentials_file: 'true'
          workload_identity_provider: projects/1234567890/locations/global/workloadIdentityPools/pool-id/providers/provider-id
          service_account: [email protected]
      - run: gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"

Repository

Additional information

I think this is not a bug. I'm just writing this issue to save someone's time in the future.

How can I allow authentications based on a received OIDC token's attribute

Question

Based on the documentation's example, if I create a Workload Identity Pool Provider using:

gcloud iam workload-identity-pools providers create-oidc "my-provider" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="my-pool" \
  --display-name="Demo provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.git_branch=assertion.ref,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"

What would be the value of <cond> in the following expression to validate that the request was triggered from the Github repository's master branch (contained in the token's "ref" attribute)?

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/username/repo"
  --condition="expression=<cond>"

Version 0.3.1 throws JWT errors

TL;DR

When using version 0.3.1 and performing gcloud authentication, the following error is thrown:

ERROR: gcloud crashed (OAuthError): ('Error code invalid_grant: The audience in JWT does not match the expected values.', '{"error":"invalid_grant","error_description":"The audience in JWT does not match the expected values."}')

Expected behavior
gcloud should authenticate without errors

Observed behavior
Using the same exact GitHub action but with version 0.3.0 no errors are thrown.

Reproduction

Action YAML

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/[email protected]'
      with:
        create_credentials_file: 'true'
        workload_identity_provider: 'projects/1234/locations/global/workloadIdentityPools/aaa/providers/bbb'
        service_account: '[email protected]'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        export GOOGLE_APPLICATION_CREDENTIALS="${{ steps.auth.outputs.credentials_file_path }}"
        gcloud auth configure-docker -q
        gcloud auth list

Repository
Private repo

How to upgrade from 0.3.1 to 0.4.2?

TL;DR

Getting an error when trying to update from 0.3.1 to 0.4.2. I tried adding a token_format: access_token to the action inputs but the file is not created.

Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/java-trace/java-trace/ba071349bd11a1aa46511d5c': File does not exist.

https://github.com/googleapis/java-trace/runs/4476013621?check_suite_focus=true

Expected behavior

The file is created at the file path set in GOOGLE_APPLICATION_CREDENTIALS

Observed behavior

No file exists at the path set in GOOGLE_APPLICATION_CREDENTIALS

Action YAML

name: integration
on:
  push:
    branches:
    - main
  pull_request:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    if: ${{ github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' }}
    runs-on: ubuntu-latest
    permissions:
      contents: 'write'
      pull-requests: 'write'
      id-token: 'write'
    steps:
    - uses: 'google-github-actions/[email protected]'
      with:
        workload_identity_provider: 'projects/1016721519174/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
        service_account: '[email protected]'
        create_credentials_file: 'true'
        access_token_lifetime: 300s
        token_format: 'access_token'
    - uses: actions/checkout@v2
      with:
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}
    - uses: actions/setup-java@v2
      with:
        distribution: zulu
        java-version: 8
    - run: java -version
    - run: .kokoro/build.sh
      env:
        JOB_TYPE: integration
        GOOGLE_CLOUD_PROJECT: gcloud-devel
    - if: ${{ github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' }}
      uses: actions/github-script@v5
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          try {
            await github.rest.issues.removeLabel({
              name: 'actions:force-run',
              owner: 'googleapis',
              repo: 'java-trace',
              issue_number: context.payload.pull_request.number
            });
          } catch (e) {
            if (!e.message.includes('Label does not exist')) {
              throw e;
            }
          }
    - if: ${{ github.event_name == 'schedule'}}
      run: |
        curl https://github.com/googleapis/repo-automation-bots/releases/download/flakybot-1.1.0/flakybot -o flakybot -s -L
        chmod +x ./flakybot
        ./flakybot --repo googleapis/java-trace --commit_hash ${{github.sha}} --build_url https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}

Additional information

No response

Invalid value for "audience"

TL;DR

Auth is not working. Invalid value for "audience"

Expected behavior

Working example code

Observed behavior

ERROR: gcloud crashed (OAuthError): ('Error code invalid_request: Invalid value for "audience". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats.', '{"error":"invalid_request","error_description":"Invalid value for \\"audience\\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}')

Action YAML

name: GCP OIDC
on:
  push:

jobs:
  Get_OIDC_ID_token:
    runs-on: ubuntu-latest
    environment:
      name: dev-cluster
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    # Install gcloud, do not specify authentication.
    - uses: 'google-github-actions/setup-gcloud@master'
      with:
        project_id: ${{ secrets.GCP_PROJECT }}

    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/[email protected]'
      with:
        create_credentials_file: true
        #token_format: access_token
        workload_identity_provider: ${{ secrets.GCP_OIDC_ID_PROVIDER }}
        service_account: ${{ secrets.GCP_OIDC_SA}}

    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"

        # Now you can run gcloud commands authenticated as the impersonated service account.
        gcloud secrets versions access "latest" --secret "TEST_SECRET"

Log output

2021-11-25T14:53:24.4249793Z Found online and idle hosted runner in the current repository's enterprise account that matches the required labels: 'ubuntu-latest'
2021-11-25T14:53:24.4921602Z Waiting for a Hosted runner in the 'enterprise' to pick this job...
2021-11-25T14:53:24.6012107Z Job is waiting for a hosted runner to come online.
2021-11-25T14:53:28.2866434Z Job is about to start running on the hosted runner: GitHub Actions 17 (hosted)
2021-11-25T14:53:32.2336114Z Current runner version: '2.284.0'
2021-11-25T14:53:32.2369044Z ##[group]Operating System
2021-11-25T14:53:32.2370224Z Ubuntu
2021-11-25T14:53:32.2370802Z 20.04.3
2021-11-25T14:53:32.2371363Z LTS
2021-11-25T14:53:32.2371994Z ##[endgroup]
2021-11-25T14:53:32.2372679Z ##[group]Virtual Environment
2021-11-25T14:53:32.2373595Z Environment: ubuntu-20.04
2021-11-25T14:53:32.2374260Z Version: 20211122.1
2021-11-25T14:53:32.2375711Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20211122.1/images/linux/Ubuntu2004-README.md
2021-11-25T14:53:32.2377431Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20211122.1
2021-11-25T14:53:32.2378480Z ##[endgroup]
2021-11-25T14:53:32.2379264Z ##[group]Virtual Environment Provisioner
2021-11-25T14:53:32.2380103Z 1.0.0.0-master-20211123-1
2021-11-25T14:53:32.2380791Z ##[endgroup]
2021-11-25T14:53:32.2382371Z ##[group]GITHUB_TOKEN Permissions
2021-11-25T14:53:32.2383860Z Contents: read
2021-11-25T14:53:32.2384546Z Metadata: read
2021-11-25T14:53:32.2385325Z ##[endgroup]
2021-11-25T14:53:32.2388989Z Prepare workflow directory
2021-11-25T14:53:32.3062100Z Prepare all required actions
2021-11-25T14:53:32.3073335Z Getting action download info
2021-11-25T14:53:32.5454727Z Download action repository 'google-github-actions/setup-gcloud@master' (SHA:b8f95eb7d716bf9a715eafd169162b93f69ed520)
2021-11-25T14:53:34.4862198Z Download action repository 'google-github-actions/[email protected]' (SHA:a61909d048e0be579b6c15b27088d19668493851)
2021-11-25T14:53:34.9136477Z ##[group]Run google-github-actions/setup-gcloud@master
2021-11-25T14:53:34.9137476Z with:
2021-11-25T14:53:34.9138247Z   project_id: ***
2021-11-25T14:53:34.9138812Z   version: latest
2021-11-25T14:53:34.9139499Z   export_default_credentials: false
2021-11-25T14:53:34.9140166Z ##[endgroup]
2021-11-25T14:53:35.9236231Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/ee0bbbc1-8045-4cfb-9e13-77d6069c0a60 -f /home/runner/work/_temp/a40071b6-8738-42d3-ae17-e62ad83ea1ee
2021-11-25T14:53:47.1378275Z Successfully set default project
2021-11-25T14:53:47.1383366Z No credentials provided, skipping authentication
2021-11-25T14:53:47.1638461Z ##[group]Run google-github-actions/[email protected]
2021-11-25T14:53:47.1639147Z with:
2021-11-25T14:53:47.1639665Z   create_credentials_file: true
2021-11-25T14:53:47.1641576Z   workload_identity_provider: ***
2021-11-25T14:53:47.1642723Z   service_account: ***
2021-11-25T14:53:47.1643268Z   access_token_lifetime: 3600s
2021-11-25T14:53:47.1644151Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2021-11-25T14:53:47.1645046Z   id_token_include_email: false
2021-11-25T14:53:47.1645523Z env:
2021-11-25T14:53:47.1646281Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-11-25T14:53:47.1647064Z ##[endgroup]
2021-11-25T14:53:47.3012596Z 
2021-11-25T14:53:47.3054061Z 
2021-11-25T14:53:47.3190530Z ##[group]Run gcloud auth login --brief --cred-file="/home/runner/work/_temp/7967505e41544b16b108c538"
2021-11-25T14:53:47.3191684Z gcloud auth login --brief --cred-file="/home/runner/work/_temp/7967505e41544b16b108c538"
2021-11-25T14:53:47.3192366Z 
2021-11-25T14:53:47.3193135Z # Now you can run gcloud commands authenticated as the impersonated service account.
2021-11-25T14:53:47.3194147Z gcloud secrets versions access "latest" --secret "TEST_SECRET"
2021-11-25T14:53:47.3244473Z shell: /usr/bin/bash -e {0}
2021-11-25T14:53:47.3244976Z env:
2021-11-25T14:53:47.3245758Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-11-25T14:53:47.3246860Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/7967505e41544b16b108c538
2021-11-25T14:53:47.3247842Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/7967505e41544b16b108c538
2021-11-25T14:53:47.3248745Z   CLOUDSDK_PROJECT: ***
2021-11-25T14:53:47.3249388Z   CLOUDSDK_CORE_PROJECT: ***
2021-11-25T14:53:47.3249974Z   GCP_PROJECT: ***
2021-11-25T14:53:47.3250522Z   GCLOUD_PROJECT: ***
2021-11-25T14:53:47.3251326Z   GOOGLE_CLOUD_PROJECT: ***
2021-11-25T14:53:47.3251815Z ##[endgroup]
2021-11-25T14:53:48.1078158Z ERROR: gcloud crashed (OAuthError): ('Error code invalid_request: Invalid value for "audience". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats.', '{"error":"invalid_request","error_description":"Invalid value for \\"audience\\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}')
2021-11-25T14:53:48.1082725Z 
2021-11-25T14:53:48.1083439Z If you would like to report this issue, please run the following command:
2021-11-25T14:53:48.1086686Z   gcloud feedback
2021-11-25T14:53:48.1089104Z 
2021-11-25T14:53:48.1089997Z To check gcloud for common problems, please run the following command:
2021-11-25T14:53:48.1093474Z   gcloud info --run-diagnostics
2021-11-25T14:53:48.2073244Z ##[error]Process completed with exit code 1.
2021-11-25T14:53:48.2107427Z Cleaning up orphan processes

Additional information

No response

Usage with terraform: target service indicated by the "audience" parameters is invalid

Hi! Wondering how to use this with terraform (-gcs).
My workflow errors out with:

Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/xxx-terraform-state/o?alt=json&delimiter=%2F&pageToken=&prefix=terraform%2Fstate%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}

Workflow:

jobs:
  test:
    permissions:
      contents: read
      id-token: 'write'
    name: terraform
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: hashicorp/setup-terraform@v1
    - name: Terraform fmt
      run: terraform fmt -check=true
    - name: Authenticate to Google Cloud
      uses: google-github-actions/[email protected]
      with:
        access_token_lifetime: 900s
        workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/github
        service_account: [email protected]
        create_credentials_file: true
        activate_credentials_file: true
    - name: Terraform Init
      run: terraform init

Customize audience to provider ID

TL;DR

During the beta, the aud parameter in the GitHub token had to be hardcoded to "sigstore". GitHub is rolling out customizable audiences.

We should update the default value for the aud parameter to the Workload Identity Provider ID (full name). It currently defaults to "sigstore" in the code. We also need to update the instructions to remove the custom audience parameter.
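
Three of the reports above (the "audience in JWT does not match", the "Invalid value for audience" crash, and this request to default the aud to the provider ID) come down to the same two values: the aud claim inside the GitHub OIDC token, which must be https://iam.googleapis.com/<provider resource name>, and the audience field of the STS exchange request, which is the same provider name prefixed with //iam.googleapis.com/. The following is an added example, not code from the auth action or from Google; it decodes a token's payload (without verifying it; Google does that server-side), checks the aud against the provider, and builds the body for POST https://sts.googleapis.com/v1/token. The provider name and the "alg: none" test token are constructed for the example; a real run would use the RS256 token GitHub issues.

```python
import base64
import json

# Values from the STS token-exchange API
# (https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token).
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Hypothetical provider resource name, same shape as the ones in the issues above.
PROVIDER = ("projects/1234567890/locations/global/workloadIdentityPools/"
            "my-pool/providers/my-provider")


def expected_jwt_audience(provider: str) -> str:
    """Audience the GitHub OIDC token must carry: https://iam.googleapis.com/<provider>."""
    return "https://iam.googleapis.com/" + provider


def sts_audience(provider: str) -> str:
    """Audience field of the STS request: //iam.googleapis.com/<provider> (no scheme)."""
    return "//iam.googleapis.com/" + provider


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature.

    This is a pre-flight check on the client side only; Google verifies the
    signature against GitHub's JWKS during the exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, provider: str) -> bool:
    """True if the token's aud claim names this provider (aud may be a string or a list)."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return expected_jwt_audience(provider) in auds


def build_sts_request(token: str, provider: str) -> dict:
    """JSON body for POST https://sts.googleapis.com/v1/token.

    Refuses tokens whose aud STS would reject anyway, so the failure is
    explained locally instead of as an opaque invalid_grant."""
    if not audience_matches(token, provider):
        raise ValueError("JWT aud %r does not match %s"
                         % (jwt_claims(token).get("aud"), expected_jwt_audience(provider)))
    return {
        "audience": sts_audience(provider),
        "grantType": GRANT_TYPE,
        "requestedTokenType": REQUESTED_TOKEN_TYPE,
        "scope": CLOUD_PLATFORM_SCOPE,
        "subjectTokenType": SUBJECT_TOKEN_TYPE,
        "subjectToken": token,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: alg "none" with an empty signature.

    GitHub issues RS256-signed tokens; this helper exists only so the checks
    above can run offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    good = make_unsigned_jwt({"aud": expected_jwt_audience(PROVIDER),
                              "sub": "repo:org/repo:ref:refs/heads/main"})
    stale = make_unsigned_jwt({"aud": "sigstore", "sub": "repo:org/repo:ref:refs/heads/main"})
    print("provider audience token accepted:", audience_matches(good, PROVIDER))
    print("old 'sigstore' audience token accepted:", audience_matches(stale, PROVIDER))
    print(json.dumps(build_sts_request(good, PROVIDER), indent=2))
```

The two audience strings differ only by the scheme, which is easy to get wrong by hand: the token's aud carries https://, the STS audience carries the bare //iam.googleapis.com/ prefix, and the credential file the action writes uses the latter (compare the external_account JSON printed in a later issue on this page).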

Unable to authenticate for gcloud alpha storage

TL;DR

When trying to use gcloud alpha storage to download from a bucket after running auth with Workload Identity Federation and setup-gcloud I get an authentication error. When running the same command locally with key authentication I do not get the error.

Expected behavior

gcloud downloads the file from my bucket

Observed behavior

Authentication error

Action YAML

name: Docker Build

on:
  push:
    branches: [ main, dev/main ]
  pull_request:
    branches: [ main, dev/main ]

env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  GAR_LOCATION: us-central1
  REPOSITORY: aemotrics
  IMAGE: aemotrics_predict

jobs:
  docker-build:
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    steps:
    - name: checkout
      uses: actions/checkout@v2
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
        service_account: ${{ secrets.GCP_SA }}
    - name: Set up Cloud SDK
      uses: 'google-github-actions/setup-gcloud@v0'
    - name: install deps
      run: sudo python3 -m pip install google-crc32c --target /opt/hostedtoolcache/gcloud/370.0.0/x64/lib/third_party && sudo python3 -m pip install build && gcloud --quiet auth list
    - name: Get Model
      run: gcloud --quiet alpha storage cp gs://aemotrics_models/Aemotrics_V3-Nate-2021-12-20_pruned.tar.gz ./microservice
    - name: Build Aemotrics Wheel
      run: python3 -m build -w && mkdir microservice/wheel && cp dist/* microservice/wheel/
    - name: Build the Docker image
      run: docker build microservice --tag "$IMAGE:$GITHUB_SHA"
    - name: Publish
      run: |-
        docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"

Log output

There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n  "error": {\n    "code": 403,\n    "message": "The caller does not have permission",\n    "status": "PERMISSION_DENIED"\n  }\n}\n')

Additional information

when running the same command on my local machine from the same service account with key authentication I do not get the error.

Dependabot/Auth Problem

TL;DR

When Dependabot triggers a workflow that has the auth action, it receives the following error and fails:

Error: Action failed with error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

When an authenticated user re-runs the workflow, the auth action is successful.

permissions in the workflow:

permissions:
  contents: 'read'
  id-token: 'write'

Expected behavior

Auth action should be able to find the env var and succeed

Observed behavior

Auth action is failing.

Action YAML

# Configure Authenticate to Google Cloud using OIDC and generate an access token.
- id: 'auth'
  name: 'Authenticate to Google Cloud'
  uses: 'google-github-actions/[email protected]'
  with:
    create_credentials_file: true
    activate_credentials_file: true
    workload_identity_provider: redacted
    service_account: redacted

Additional information

NOTE: I am aware this is likely a problem with Dependabot that requires a change on their end to resolve the issue, or is a permissions issue that I need to fix in the auth yaml. I would greatly appreciate any help in pointing me in the right direction to resolving this, even though I am fairly certain this isn't a bug in the auth action. Thank you in advance for any help in resolving this.

Unable to authenticate using job_workflow_ref claim

TL;DR

My goal is to be able to authenticate from a shared workflow repository so that any reusable workflow hosted in a particular repository is allowed to authenticate. It currently fails when the principalSet is set to:

iam.googleapis.com/projects/xxxxxxxx/locations/global/workloadIdentityPools/<POOL>/attribute.job_workflow_ref/<GITHUB_ORG>/<GITHUB_REPO>

Expected behavior

Authenticate when called by any reusable workflow within shared workflow repository.

Observed behavior

ERROR: (gcloud.services.list) There was a problem refreshing your current auth tokens: 

('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
')

Action YAML

name: List services in GCP
on:
  workflow_call:

permissions:
  id-token: write

jobs:
  Get_OIDC_ID_token:
    runs-on: ubuntu-latest
    steps:
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/[email protected]'
      with:
          create_credentials_file: 'true'
          workload_identity_provider: <REMOVED>
          service_account: '<REMOVED>'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        cat ${{ steps.auth.outputs.credentials_file_path }}
        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
        gcloud services list --project <Google_PROJECT>

Log output

## Set up job

2022-01-22T21:49:41.8074216Z Current runner version: '2.286.1'
2022-01-22T21:49:41.8102347Z ##[group]Operating System
2022-01-22T21:49:41.8102924Z Ubuntu
2022-01-22T21:49:41.8103144Z 20.04.3
2022-01-22T21:49:41.8103400Z LTS
2022-01-22T21:49:41.8103612Z ##[endgroup]
2022-01-22T21:49:41.8103900Z ##[group]Virtual Environment
2022-01-22T21:49:41.8104232Z Environment: ubuntu-20.04
2022-01-22T21:49:41.8104527Z Version: 20220111.1
2022-01-22T21:49:41.8104938Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220111.1/images/linux/Ubuntu2004-Readme.md
2022-01-22T21:49:41.8105502Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220111.1
2022-01-22T21:49:41.8105897Z ##[endgroup]
2022-01-22T21:49:41.8106202Z ##[group]Virtual Environment Provisioner
2022-01-22T21:49:41.8106973Z 1.0.0.0-main-20211214-1
2022-01-22T21:49:41.8107258Z ##[endgroup]
2022-01-22T21:49:41.8107817Z ##[group]GITHUB_TOKEN Permissions
2022-01-22T21:49:41.8108380Z Metadata: read
2022-01-22T21:49:41.8112622Z Secret source: Actions
2022-01-22T21:49:41.8113149Z Prepare workflow directory
2022-01-22T21:49:41.9111972Z Prepare all required actions
2022-01-22T21:49:41.9334113Z Getting action download info
2022-01-22T21:49:42.4022216Z Download action repository 'google-github-actions/[email protected]' (SHA:c6c22902f6af237edb96ede5f25a00e864589b2f)

## Authenticate to GCP

2022-01-22T21:49:42.9917432Z ##[group]Run google-github-actions/[email protected]
2022-01-22T21:49:42.9918158Z with:
2022-01-22T21:49:42.9918499Z   create_credentials_file: true
2022-01-22T21:49:42.9919176Z   workload_identity_provider: <REDACTED>
2022-01-22T21:49:42.9920142Z   service_account: <REDACTED>
2022-01-22T21:49:42.9920660Z   cleanup_credentials: true
2022-01-22T21:49:42.9921013Z   access_token_lifetime: 3600s
2022-01-22T21:49:42.9921464Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-01-22T21:49:42.9922237Z   id_token_include_email: false
2022-01-22T21:49:42.9922608Z ##[endgroup]
2022-01-22T21:49:43.2962882Z Created credentials file at "/home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8"
2022-01-22T21:49:43.2964133Z
2022-01-22T21:49:43.2994907Z

## GCloud

2022-01-22T21:49:43.3248303Z ##[group]Run cat /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3248948Z cat /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3249466Z gcloud auth login --brief --cred-file="/home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8"
2022-01-22T21:49:43.3249902Z gcloud services list --project <REDACTED>
2022-01-22T21:49:43.3300934Z shell: /usr/bin/bash -e {0}
2022-01-22T21:49:43.3301480Z env:
2022-01-22T21:49:43.3301835Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3302497Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3303065Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/<REDACTED>/86c81f08fc86e6e2a4134be8
2022-01-22T21:49:43.3303488Z   CLOUDSDK_PROJECT: <REDACTED>
2022-01-22T21:49:43.3303780Z   CLOUDSDK_CORE_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304030Z   GCP_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304351Z   GCLOUD_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304632Z   GOOGLE_CLOUD_PROJECT: <REDACTED>
2022-01-22T21:49:43.3304890Z ##[endgroup]
2022-01-22T21:49:49.4272933Z ERROR: (gcloud.services.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n  "error": {\n    "code": 403,\n    "message": "The caller does not have permission",\n    "status": "PERMISSION_DENIED"\n  }\n}\n')
2022-01-22T21:49:49.4276954Z Please run:
2022-01-22T21:49:49.4277468Z 
2022-01-22T21:49:49.4277686Z   $ gcloud auth login
2022-01-22T21:49:49.4277847Z 
2022-01-22T21:49:49.4278113Z to obtain new credentials.
2022-01-22T21:49:49.4278283Z 
2022-01-22T21:49:49.4278522Z If you have already logged in with a different account:
2022-01-22T21:49:49.4278738Z 
2022-01-22T21:49:49.4279219Z     $ gcloud config set account ACCOUNT
2022-01-22T21:49:49.4279393Z 
2022-01-22T21:49:49.4279620Z to select an already authenticated account to use.
2022-01-22T21:49:49.5226463Z {"type":"external_account","audience":"//iam.googleapis.com/projects/<REDACTED>/locations/global/workloadIdentityPools/github-pool/providers/github-provider","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","token_url":"https://sts.googleapis.com/v1/token","service_account_impersonation_url":"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<REDACTED>-automation@<REDACTED>.iam.gserviceaccount.com:generateAccessToken","credential_source":{"url":"<REDACTED>","headers":{"Authorization":"***"},"format":{"type":"json","subject_token_field_name":"value"}}}
2022-01-22T21:49:49.5240948Z ##[error]Process completed with exit code 1.

Additional information

No response
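
Both the earlier question about restricting a binding to one branch and the job_workflow_ref report above turn on how the provider's --attribute-mapping turns token claims into IAM principal identifiers, and on the fact that a principalSet member is matched against the whole mapped attribute value. The following is an added example, not code from the auth action or from Google. It applies a mapping to constructed GitHub OIDC claims (claim names as GitHub documents them; the values and the pool name are made up), lists the member strings the resulting token can satisfy, and mirrors a provider attribute condition of the form assertion.repository == 'username/repo' && assertion.ref == 'refs/heads/master' (the CEL passed to gcloud's --attribute-condition flag) as a Python predicate so it can be tested offline.

```python
# Constructed claims modelled on the claim names GitHub documents for its OIDC
# token (sub, repository, ref, job_workflow_ref); the values are made up.
SAMPLE_CLAIMS = {
    "sub": "repo:username/repo:ref:refs/heads/master",
    "repository": "username/repo",
    "ref": "refs/heads/master",
    "job_workflow_ref": "username/shared-workflows/.github/workflows/deploy.yml@refs/heads/main",
}

# Hypothetical pool resource name.
POOL = "projects/1234567890/locations/global/workloadIdentityPools/my-pool"

# Provider --attribute-mapping as a dict: mapped name -> token claim it is copied from.
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.repository": "repository",
    "attribute.git_branch": "ref",
    "attribute.job_workflow_ref": "job_workflow_ref",
}


def attribute_mapping_flag(mapping: dict) -> str:
    """Render a mapping dict in the form gcloud's --attribute-mapping expects."""
    return ",".join("%s=assertion.%s" % (target, claim) for target, claim in mapping.items())


def map_attributes(mapping: dict, claims: dict) -> dict:
    """Apply the mapping to a token's claims. Claims that are not mapped are
    invisible to IAM, so a binding on them can never match."""
    return {target: claims[claim] for target, claim in mapping.items() if claim in claims}


def principal_members(pool: str, mapped: dict) -> list:
    """Every IAM member string this token can satisfy after mapping."""
    members = []
    for target, value in mapped.items():
        if target == "google.subject":
            members.append("principal://iam.googleapis.com/%s/subject/%s" % (pool, value))
        elif target.startswith("attribute."):
            # principalSet compares against the complete attribute value.
            members.append("principalSet://iam.googleapis.com/%s/%s/%s" % (pool, target, value))
    return members


def binding_matches(member: str, pool: str, mapping: dict, claims: dict) -> bool:
    """Would a roles/iam.workloadIdentityUser binding on `member` admit this token?"""
    return member in principal_members(pool, map_attributes(mapping, claims))


def branch_condition(claims: dict, repository: str, ref: str) -> bool:
    """Python twin of the provider attribute condition
       assertion.repository == '<repository>' && assertion.ref == '<ref>'."""
    return claims.get("repository") == repository and claims.get("ref") == ref


if __name__ == "__main__":
    print("--attribute-mapping=" + attribute_mapping_flag(ATTRIBUTE_MAPPING))
    for m in principal_members(POOL, map_attributes(ATTRIBUTE_MAPPING, SAMPLE_CLAIMS)):
        print("  ", m)
```

For the job_workflow_ref case the example shows why a member ending in attribute.job_workflow_ref/<ORG>/<REPO> never matches: the claim value also carries the workflow path and ref, so the binding must name the full value (or the attribute must be remapped to just the part you want to match). For the branch case, enforcing the condition on the provider keeps tokens for other branches from ever becoming a principal in the pool, rather than relying on a binding condition.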

Emit a better error when OIDC token injection fails

TL;DR

Right now we emit:

Error: google-github-actions/auth failed with: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

We should catch the failure and emit something similar to what we do via secrets today, to hint to the user to set the permissions block. We also need to scrub the Error: prefixes from that message if possible.

Expected behavior

No response

Observed behavior

No response

Action YAML

N/A

Additional information

No response

Configurable Working Directory for Exported Credential

TL;DR

I'd like to put the credential automatically generated by this action into a different directory from GITHUB_WORKSPACE.

Detailed design

steps:
  - name: Authenticate to Google Cloud
    uses: google-github-actions/[email protected]
    with:
      project_id: ${{ inputs.google-cloud-project }}
      service_account: ${{ inputs.google-cloud-service-account }}
      workload_identity_provider: ${{ inputs.google-cloud-workload-identity-provider }}
      working_directory: ${{ env.home }}  # possible new parameter to change the working directory of the action

Additional information

Although the credentials are short-lived, placing them in GITHUB_WORKSPACE creates some additional opportunities to accidentally expose the credential for a period of time.

I managed to do this accidentally a few days ago. Here's what happened:

  1. Ran the auth step to generate a token
  2. Ran a step to run tests on Firebase test lab
  3. Ran a step to upload the test results using a bash script with a zip command. Due to a typo in the zip command, it compressed the entire GITHUB_WORKSPACE directory instead of just the output files I wanted it to collect.

Placing the secrets in a different directory, like HOME would have avoided this issue. GitHub Actions steps use a default working directory of GITHUB_WORKSPACE, so including the secret in that path makes it more likely that downstream steps will accidentally leak it.

I don't have specific requirements on the exact implementation. An optional parameter for the working directory would be a reasonable option. This would keep backwards compatibility with existing users, while granting flexibility for where the secret is written.

gsutil isn't authenticated using a service account key

TL;DR

gsutil is not authenticated when using auth action

It's not fair to call this a bug; I suspect user error is involved somewhere, but Seth Vargo suggested I post this question here (see tweet).

If someone can explain how to accomplish this I'd be very grateful.

Expected behavior

using google-github-actions/auth would provide authentication for gsutil

Observed behavior

gcloud is authenticated but gsutil is not.

The provided action yaml contains 2 jobs. Both of them run a gcloud command and a gsutil command. One of them authenticates using the old mechanism using google-github-actions/setup-gcloud, the other authenticates using google-github-actions/auth.

The one that authenticates using google-github-actions/setup-gcloud works

The one that authenticates using google-github-actions/auth fails on the gsutil command with error

Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket

Action YAML

name: demo-auth-issue

on:
  push:
  workflow_dispatch:

jobs:
  auth-using-auth:
    runs-on: ubuntu-latest
    steps:
      - id: auth
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.SA_JSON_KEY }}
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
      - name: Install gcloud alpha
        shell: bash
        run: |
          gcloud components install alpha --quiet
      - name: 'Use gcloud CLI'
        run: gcloud alpha storage ls gs://dev-dp-braze-payloads
      - name: run gsutil
        shell: bash
        run: |
          gsutil du -sh gs://dev-dp-braze-payloads

  auth-using-setup-gcloud:
    runs-on: ubuntu-latest
    steps:
      - id: auth
        uses: google-github-actions/setup-gcloud@v0
        with:
          service_account_key: ${{ secrets.SA_JSON_KEY }}
      - name: Install gcloud alpha
        shell: bash
        run: |
          gcloud components install alpha --quiet
      - name: 'Use gcloud CLI'
        run: gcloud alpha storage ls gs://dev-dp-braze-payloads
      - name: run gsutil
        shell: bash
        run: |
          gsutil du -sh gs://dev-dp-braze-payloads

Log output

2022-02-03T14:05:04.4964520Z Waiting for a runner to pick up this job...
2022-02-03T14:05:05.2490074Z Job is waiting for a hosted runner to come online.
2022-02-03T14:05:11.4659947Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2022-02-03T14:05:14.9432200Z Current runner version: '2.287.1'
2022-02-03T14:05:14.9468079Z ##[group]Operating System
2022-02-03T14:05:14.9468980Z Ubuntu
2022-02-03T14:05:14.9469621Z 20.04.3
2022-02-03T14:05:14.9470116Z LTS
2022-02-03T14:05:14.9470647Z ##[endgroup]
2022-02-03T14:05:14.9471822Z ##[group]Virtual Environment
2022-02-03T14:05:14.9472517Z Environment: ubuntu-20.04
2022-02-03T14:05:14.9473223Z Version: 20220131.1
2022-02-03T14:05:14.9474041Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220131.1/images/linux/Ubuntu2004-Readme.md
2022-02-03T14:05:14.9475054Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220131.1
2022-02-03T14:05:14.9475858Z ##[endgroup]
2022-02-03T14:05:14.9476452Z ##[group]Virtual Environment Provisioner
2022-02-03T14:05:14.9477088Z 1.0.0.0-main-20220128-1
2022-02-03T14:05:14.9477749Z ##[endgroup]
2022-02-03T14:05:14.9479639Z ##[group]GITHUB_TOKEN Permissions
2022-02-03T14:05:14.9480779Z Actions: write
2022-02-03T14:05:14.9481602Z Checks: write
2022-02-03T14:05:14.9482270Z Contents: write
2022-02-03T14:05:14.9482839Z Deployments: write
2022-02-03T14:05:14.9483398Z Discussions: write
2022-02-03T14:05:14.9484094Z Issues: write
2022-02-03T14:05:14.9484640Z Metadata: read
2022-02-03T14:05:14.9485215Z Packages: write
2022-02-03T14:05:14.9485769Z Pages: write
2022-02-03T14:05:14.9486336Z PullRequests: write
2022-02-03T14:05:14.9486997Z RepositoryProjects: write
2022-02-03T14:05:14.9487702Z SecurityEvents: write
2022-02-03T14:05:14.9488255Z Statuses: write
2022-02-03T14:05:14.9488964Z ##[endgroup]
2022-02-03T14:05:14.9493961Z Secret source: Actions
2022-02-03T14:05:14.9494739Z Prepare workflow directory
2022-02-03T14:05:15.0633087Z Prepare all required actions
2022-02-03T14:05:15.0890430Z Getting action download info
2022-02-03T14:05:15.3135922Z Download action repository 'google-github-actions/[email protected]' (SHA:a61909d048e0be579b6c15b27088d19668493851)
2022-02-03T14:05:15.6628847Z Download action repository 'google-github-actions/setup-gcloud@v0' (SHA:e0f83f24f541c30f1e9fe3c966963a10b8e647f5)
2022-02-03T14:05:16.1005374Z ##[group]Run google-github-actions/[email protected]
2022-02-03T14:05:16.1006150Z with:
2022-02-03T14:05:16.1014569Z   credentials_json: ***

2022-02-03T14:05:16.1015245Z   create_credentials_file: true
2022-02-03T14:05:16.1015907Z   access_token_lifetime: 3600s
2022-02-03T14:05:16.1016667Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-02-03T14:05:16.1017393Z   id_token_include_email: false
2022-02-03T14:05:16.1017962Z ##[endgroup]
2022-02-03T14:05:16.3316185Z 
2022-02-03T14:05:16.3390601Z 
2022-02-03T14:05:16.3581713Z ##[group]Run google-github-actions/setup-gcloud@v0
2022-02-03T14:05:16.3582410Z with:
2022-02-03T14:05:16.3582832Z   version: latest
2022-02-03T14:05:16.3583325Z   export_default_credentials: false
2022-02-03T14:05:16.3583863Z   cleanup_credentials: true
2022-02-03T14:05:16.3584334Z env:
2022-02-03T14:05:16.3584928Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:16.3585702Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:16.3586409Z   CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3587083Z   CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3587742Z   GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3588391Z   GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3589048Z   GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:16.3589625Z ##[endgroup]
2022-02-03T14:05:17.8140059Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/af936b24-50c8-4b0b-8703-126bd1db6dec -f /home/runner/work/_temp/30c3fc13-a60c-4add-81f0-d00f3b894f80
2022-02-03T14:05:28.9180485Z No credentials detected, skipping authentication
2022-02-03T14:05:28.9404651Z ##[group]Run gcloud components install alpha --quiet
2022-02-03T14:05:28.9405309Z gcloud components install alpha --quiet
2022-02-03T14:05:28.9480074Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail ***0***
2022-02-03T14:05:28.9480580Z env:
2022-02-03T14:05:28.9481060Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:28.9481687Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:28.9482385Z   CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9482890Z   CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9483526Z   GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9484144Z   GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9484783Z   GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:28.9485456Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-02-03T14:05:28.9486093Z ##[endgroup]
2022-02-03T14:05:31.0634545Z 
2022-02-03T14:05:31.0640518Z 
2022-02-03T14:05:31.0641335Z Your current Cloud SDK version is: 371.0.0
2022-02-03T14:05:31.0642590Z Installing components from version: 371.0.0
2022-02-03T14:05:31.0643537Z 
2022-02-03T14:05:31.0673968Z ┌──────────────────────────────────────────────┐
2022-02-03T14:05:31.0676778Z │     These components will be installed.      │
2022-02-03T14:05:31.0679265Z ├───────────────────────┬────────────┬─────────┤
2022-02-03T14:05:31.0681438Z │          Name         │  Version   │   Size  │
2022-02-03T14:05:31.0683297Z ├───────────────────────┼────────────┼─────────┤
2022-02-03T14:05:31.0695992Z │ gcloud Alpha Commands │ 2022.01.28 │ < 1 MiB │
2022-02-03T14:05:31.0697590Z └───────────────────────┴────────────┴─────────┘
2022-02-03T14:05:31.0698543Z 
2022-02-03T14:05:31.3006678Z For the latest full release notes, please visit:
2022-02-03T14:05:31.3007686Z   https://cloud.google.com/sdk/release_notes
2022-02-03T14:05:31.3008207Z 
2022-02-03T14:05:31.3071781Z ╔════════════════════════════════════════════════════════════╗
2022-02-03T14:05:31.3073227Z ╠═ Creating update staging area                             ═╣
2022-02-03T14:05:34.9390965Z ╚════════════════════════════════════════════════════════════╝
2022-02-03T14:05:35.2212766Z ╔════════════════════════════════════════════════════════════╗
2022-02-03T14:05:35.2213854Z ╠═ Installing: gcloud Alpha Commands                        ═╣
2022-02-03T14:05:35.3278311Z ╚════════════════════════════════════════════════════════════╝
2022-02-03T14:05:35.3422977Z ╔════════════════════════════════════════════════════════════╗
2022-02-03T14:05:35.3424293Z ╠═ Creating backup and activating new installation          ═╣
2022-02-03T14:05:35.3425456Z ╚════════════════════════════════════════════════════════════╝
2022-02-03T14:05:35.3446821Z 
2022-02-03T14:05:55.1362650Z Performing post processing steps...
2022-02-03T14:05:55.1363493Z ..............................................................................done.
2022-02-03T14:05:55.1453454Z 
2022-02-03T14:05:55.1453764Z Update done!
2022-02-03T14:05:55.1454027Z 
2022-02-03T14:05:55.1454305Z WARNING:   There are other instances of Google Cloud tools on your system PATH.
2022-02-03T14:05:55.1455113Z   Please remove the following to avoid confusion or accidental invocation:
2022-02-03T14:05:55.1455436Z 
2022-02-03T14:05:55.1455932Z   /usr/lib/google-cloud-sdk/bin/gsutil
2022-02-03T14:05:55.1456436Z /usr/lib/google-cloud-sdk/bin/anthoscli
2022-02-03T14:05:55.1457009Z /usr/lib/google-cloud-sdk/bin/docker-credential-gcloud
2022-02-03T14:05:55.1457537Z /usr/lib/google-cloud-sdk/bin/bq
2022-02-03T14:05:55.1458080Z /usr/lib/google-cloud-sdk/bin/git-credential-gcloud.sh
2022-02-03T14:05:55.1458610Z /usr/lib/google-cloud-sdk/bin/gcloud
2022-02-03T14:05:55.1458850Z 
2022-02-03T14:05:55.1458971Z   
2022-02-03T14:05:55.2692841Z ##[group]Run gcloud alpha storage ls gs://dev-dp-braze-payloads
2022-02-03T14:05:55.2693490Z gcloud alpha storage ls gs://dev-dp-braze-payloads
2022-02-03T14:05:55.2758198Z shell: /usr/bin/bash -e ***0***
2022-02-03T14:05:55.2758748Z env:
2022-02-03T14:05:55.2759189Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:55.2759765Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:55.2760444Z   CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2761131Z   CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2761966Z   GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2762446Z   GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2762940Z   GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:55.2763452Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-02-03T14:05:55.2763940Z ##[endgroup]
2022-02-03T14:05:56.5288652Z ##[group]Run gsutil du -sh gs://dev-dp-braze-payloads
2022-02-03T14:05:56.5289243Z gsutil du -sh gs://dev-dp-braze-payloads
2022-02-03T14:05:56.5352449Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail ***0***
2022-02-03T14:05:56.5353402Z env:
2022-02-03T14:05:56.5354381Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:56.5355039Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/_temp/4e13689b43732933b32cb83c
2022-02-03T14:05:56.5355640Z   CLOUDSDK_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5356273Z   CLOUDSDK_CORE_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5356773Z   GCP_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5357259Z   GCLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5357791Z   GOOGLE_CLOUD_PROJECT: msm-groupdata-admin-data-eng
2022-02-03T14:05:56.5358321Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-02-03T14:05:56.5359030Z ##[endgroup]
2022-02-03T14:05:58.1419737Z ServiceException: 401 Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.
2022-02-03T14:05:58.3202905Z ##[error]Process completed with exit code 1.
2022-02-03T14:05:58.3269960Z Post job cleanup.
2022-02-03T14:05:58.3798496Z Skipping credential cleanup - "export_default_credentials" is false.
2022-02-03T14:05:58.4028518Z Cleaning up orphan processes

Additional information

don't think so.

Failed authenticating user

TL;DR

Unexpected result when trying to authenticate GCP service account using google-github-actions/auth@v0 module.

Expected behavior

It should successfully authenticate the service account.

Observed behavior

Got this error instead "google-github-actions/auth failed with: failed to parse service account key JSON credentials: unexpected token H in JSON at position 0"

Action YAML

name: CI/CD to Google Cloud Run

on:
  push:
    branches:
      - main

env:
  CLOUD_RUN_REGION: asia-southeast2
  GCP_PROJECT_ID: ${{secrets.GCP_PROJECT_ID}}
  SERVICE_ACCOUNT_JSON: ${{secrets.SERVICE_ACCOUNT_JSON}}

jobs:
  main:
    name: Continous Deployment to Google Cloud Run
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
      - uses: actions/checkout@v2

      - id: auth
        name: Authenticate service account
        uses: google-github-actions/auth@v0
        with:
          credentials_json: $SERVICE_ACCOUNT_JSON

      - id: gcloud
        name: Setup Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
        with:
          project_id: $GCP_PROJECT_ID

      - id: deploy
        name: Deploy API to Google Cloud Run
        run: gcloud builds submit -f deployments/cloudbuild.staging.yaml

Additional information

I just copy-pasted the whole generated service account key JSON into GitHub secrets and still got the error. Any solution for this?

Thanks.

Readme example not working

TL;DR

This section does not seem to be working, as ${{ steps.auth.outputs.access_token }} = ""

    - name: Access secret
      run: |-
        curl https://secretmanager.googleapis.com/v1/projects/662974556749/secrets/tester-secret \
          --header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"

Expected behavior

--header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"
this should insert the access token from the previous step

Observed behavior

--header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"
is resulting in this output in the logs:
Run curl https://secretmanager.googleapis.com/v1/projects/***/secrets/*** \ curl https://secretmanager.googleapis.com/v1/projects/***/secrets/***\ --header "Authorization: Bearer "

Action YAML

name: Test Yaml File

on:
  push:
    branches:
      - staging

jobs:
  test:
    name: Test gcloud Auth
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    steps:
    - name: Github Action Manager
      uses: actions/checkout@v2
    - id: auth
      name: Authenticate to Google Cloud 
      uses: google-github-actions/auth@v0
      with:
        workload_identity_provider: projects/***/locations/global/workloadIdentityPools/***/providers/***
        service_account: ***@***.iam.gserviceaccount.com

    # Example of using the token:
    - name: Access secret
      run: |-
        curl https://secretmanager.googleapis.com/v1/projects/***/secrets/*** \
          --header "Authorization: Bearer ${{ steps.auth.outputs.access_token }}"

Additional information

No response

Need the ability to know on which branch a tag was pushed

TL;DR

Currently the ref token attribute seems to be used to indicate on which branch a change was made in the case of a commit (ex. "ref": "refs/heads/develop"), and to get the name of the tag when a tag is pushed (ex. "ref": "refs/tags/my-tag").

So in the case of a tag, it's currently not possible to know on which branch it was pushed. On the Workload Identity Pool Provider side, we would like to be able to validate that a tag was pushed on a repository's master branch in order to grant auth access on the received token.

Or else anybody could create a feature branch modifying a Github Action CI/CD deployment for example, and pushing a tag on their feature branch would allow them to actually execute the modified pipeline.

This lack of functionality is currently a blocker for us to be able to grant token access on newly created tags.

Monorepo triggered github actions and finegrained controls

TL;DR

We can scope workload identity for a github repo to the repo. Would it be possible to scope it to the name of the github action, or some other manner to isolate within a github repo?

Detailed design

We configure two components for github actions:

  • enable workload identity for github actions in infrastructure monorepo (and give permissions).
  • configure github action, in a different monorepo, that uses that service account.

I would like the platform/infra repo to be able to specify that service_account_a can use workload identity in repo_a, but only for github_action_a, and possibly based on other conditional triggers such as file changes, or limited to a branch.

In our monorepo, without this feature it would be possible for a non-maintainer of github_action_a to create a new github action, that uses these permissions.

Additional information

No response
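Both of the requests above (knowing which branch a tag came from, and scoping a provider to one workflow in a monorepo) come down to what an attribute condition on the workload identity provider can decide from the claims in GitHub's OIDC token. The following is an added example, not code from these issues or from the auth action: it evaluates a few simplified allow-rules against constructed tokens. The claim names `repository`, `ref`, `ref_type` and `workflow` are the ones GitHub's OIDC token carries (an assumption about the token, not something this page states); the glob-rule syntax is my own stand-in for a real condition expression.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed GitHub OIDC token payloads, reduced to the claims that matter here.
# GitHub's token carries `repository`, `ref`, `ref_type` and `workflow` (among others);
# there is no claim naming the branch a tag was created from.
TOKEN_PUSH_TO_MASTER = {"repository": "acme/infra", "ref": "refs/heads/master",
                        "ref_type": "branch", "workflow": "deploy"}
TOKEN_TAG_FROM_FEATURE_BRANCH = {"repository": "acme/infra", "ref": "refs/tags/v1.2.3",
                                 "ref_type": "tag", "workflow": "deploy"}
TOKEN_OTHER_WORKFLOW = {"repository": "acme/infra", "ref": "refs/heads/master",
                        "ref_type": "branch", "workflow": "someone-elses-workflow"}

# A rule maps claim names to glob patterns; every listed claim must be present and match.
# A policy is a list of rules; any matching rule admits the token. (Toy syntax, not CEL.)
Rule = Dict[str, str]
Policy = List[Rule]


def rule_matches(rule: Rule, claims: Dict[str, str]) -> bool:
    return all(claim in claims and fnmatchcase(claims[claim], pattern)
               for claim, pattern in rule.items())


def is_admitted(policy: Policy, claims: Dict[str, str]) -> bool:
    return any(rule_matches(rule, claims) for rule in policy)


def source_branch(claims: Dict[str, str]) -> Optional[str]:
    """The branch a token was minted for, or None: a tag ref says nothing about its branch."""
    ref = claims.get("ref", "")
    if claims.get("ref_type") == "branch" and ref.startswith("refs/heads/"):
        return ref[len("refs/heads/"):]
    return None


# Only pushes to master of one repository.
POLICY_MASTER_ONLY: Policy = [{"repository": "acme/infra", "ref": "refs/heads/master"}]

# Master pushes plus any tag. Because the source branch is not in the token, this admits
# a tag cut from a feature branch just as readily as one cut from master.
POLICY_MASTER_OR_ANY_TAG: Policy = POLICY_MASTER_ONLY + [
    {"repository": "acme/infra", "ref": "refs/tags/*"}]

# Scoped to one workflow name. `workflow` is the workflow's display name, which any
# workflow file in the repository can set, so this distinguishes names, not authorship.
POLICY_ONE_WORKFLOW: Policy = [
    {"repository": "acme/infra", "ref": "refs/heads/master", "workflow": "deploy"}]


def decisions() -> Dict[str, bool]:
    """Outcome of each policy/token pair discussed in the two issues above."""
    return {
        "master_only admits master push": is_admitted(POLICY_MASTER_ONLY, TOKEN_PUSH_TO_MASTER),
        "master_only admits feature tag": is_admitted(POLICY_MASTER_ONLY, TOKEN_TAG_FROM_FEATURE_BRANCH),
        "master_or_any_tag admits feature tag": is_admitted(POLICY_MASTER_OR_ANY_TAG, TOKEN_TAG_FROM_FEATURE_BRANCH),
        "one_workflow admits deploy": is_admitted(POLICY_ONE_WORKFLOW, TOKEN_PUSH_TO_MASTER),
        "one_workflow admits other workflow": is_admitted(POLICY_ONE_WORKFLOW, TOKEN_OTHER_WORKFLOW),
    }


if __name__ == "__main__":
    for label, allowed in decisions().items():
        print(f"{label}: {allowed}")
```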

Is it possible to manipulate Google Workspace domains with domain-wide access via Workload Identity Federation?

As the title suggests, I'm wondering about the way to access APIs in a Google Workspace domain via Workload Identity Federation.
The service account is already set up and successfully connects to Google Workspace if the request is made with a downloaded service account key.

I thought the delegates input option may be the way to go, but while it gives me the access token, it is not for the Google Workspace API, as the following message suggests.

panic: failed listing groups: googleapi: Error 404: Domain not found., notFound

I'm not even sure it is possible in the first place, so allow me to raise the issue with a blank template.
Thanks in advance!

Generate access_token from json credentials?

Hi,

Is it possible to generate access_token from credentials_json?

Here is what I am trying to do:

# ...
jobs:
  ci:
    name: Continuous integration
    runs-on: ubuntu-latest

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Authenticate to Google Cloud
        id: gcp-auth
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.gcp-sa-key }}
          token_format: 'access_token'
          access_token_lifetime: '300s'

but I am getting:

Error: Action failed with error: Error: Failed to generate Google Cloud access token for ***
  "error": ***
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  ***
***

Additional information: above account has role Service Account Token Creator.

Thanks.

Consider publishing a v1 tag

TL;DR

Many Actions (including the GitHub ones) publish a vX tag and force-push to that tag on changes. Instead of going around and updating READMEs, I wonder if we're better off creating a v1 tag and force-pushing there (in addition to tagged releases).

Detailed design

git tag -a -s -m v0.x.y v0.x.y && git push origin refs/tags/v0.x.y
git tag -d v1 && git tag -a -s -m v1 v1 && git push -f origin refs/tags/v1

Additional information

No response

Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory

TL;DR

I've updated my workflow due to the deprecation of service_account_key in the google-github-actions/setup-gcloud action.

When running my workflow, the auth step fails after 50-55s resulting in the stacktrace shown below.

Expected behavior

The authentication should not end up with a failure.

Observed behavior

Auth step fails with the following error:

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory

<--- Last few GCs --->

[409:0x3a26080]    49157 ms: Scavenge 2029.8 (2034.9) -> 2029.7 (2040.2) MB, 12.8 / 0.0 ms  (average mu = 0.245, current mu = 0.242) allocation failure 
[409:0x3a26080]    49175 ms: Scavenge 2032.9 (2040.2) -> 2033.2 (2040.9) MB, 16.1 / 0.0 ms  (average mu = 0.245, current mu = 0.242) allocation failure 
[409:0x3a26080]    49193 ms: Scavenge 2033.6 (2040.9) -> 2033.3 (2051.9) MB, 17.2 / 0.0 ms  (average mu = 0.245, current mu = 0.242) allocation failure 


<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 0x1374fd9]
Security context: 0x0a48f43c08a1 <JSObject>
    1: fromBase64(aka fromBase64) [0x4e37389aad1] [/home/github/_work/_actions/google-github-actions/auth/v0.4.1/dist/index.js:~665] [pc=0x3540958c3e9d](this=0x00c3800004a9 <undefined>,0x3242bf7acf31 <Very long string[28855]>)
    2: parseServiceAccountKeyJSON [0x4e37389abb1] [/home/github/_work/_actions/google-github-actions/auth/v0.4.1/dist/index.js:1816] [byte...

 1: 0x9da7c0 node::Abort() [/home/github/externals/node12/bin/node]
 2: 0x9db976 node::OnFatalError(char const*, char const*) [/home/github/externals/node12/bin/node]
 3: 0xb39f1e v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [/home/github/externals/node12/bin/node]
 4: 0xb3a299 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [/home/github/externals/node12/bin/node]
 5: 0xce5635  [/home/github/externals/node12/bin/node]
 6: 0xce5cc6 v8::internal::Heap::RecomputeLimits(v8::internal::GarbageCollector) [/home/github/externals/node12/bin/node]
 7: 0xcf1b5a v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) [/home/github/externals/node12/bin/node]
 8: 0xcf2a65 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [/home/github/externals/node12/bin/node]
 9: 0xcf410f v8::internal::Heap::HandleGCRequest() [/home/github/externals/node12/bin/node]
10: 0xca30f4 v8::internal::StackGuard::HandleInterrupts() [/home/github/externals/node12/bin/node]
11: 0xff1af7 v8::internal::Runtime_StackGuard(int, unsigned long*, v8::internal::Isolate*) [/home/github/externals/node12/bin/node]
12: 0x1374fd9  [/home/github/externals/node12/bin/node]

...which causes the workflow to fail.

Action YAML

      - name: Authenticate to Google Cloud
        uses: google-github-actions/[email protected]
        with:
          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}

      - name: Set up Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ secrets.GOOGLE_PROJECT_ID }}
          export_default_credentials: true
          version: 344.0.0

Additional information

I'm running a self-hosted GitHub Runner with version 2.285.1 in a GKE cluster.

Could this maybe be somehow related to the #73 issue?

Optional `audience` key is invalid when unspecified

TL;DR

The docs here say audience is an optional key in the GitHub actions configuration. But when I run my action without the key specified, I get the following error:

Expected behavior

To run successfully without specifying an audience key.

Observed behavior

It says the audience key is invalid.

Action YAML

name: Deploy - Production

on:
  workflow_dispatch:
    inputs:
      deployables:
        description: 'backend/client/dispatch.yaml'
        default: 'backend client'
        required: true
      message:
        description: 'What updates are you deploying?'
        required: true

concurrency: production_environment

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Disable client deploys
        if: contains(github.event.inputs.deployables, 'client')
        run: |
          # echo "::error::The client cannot be deployed at this time. See Slack for details."
          # exit 1

      - name: Disable backend deploys
        if: contains(github.event.inputs.deployables, 'backend')
        run: |
          # echo "::error::The backend cannot be deployed at this time. See Slack for details."
          # exit 1

      - name: Checkout code
        uses: actions/checkout@v2

      - id: 'auth'
        name: 'Authenticate to GCP'
        uses: 'google-github-actions/[email protected]'
        with:
          workload_identity_provider:
            ${{ secrets.WORKLOAD_ID_PROVIDER_PRODUCTION }}
          service_account: ${{ secrets.SERVICE_ACCOUNT_PRODUCTION }}

      - name: Set up Cloud SDK
        uses: google-github-actions/[email protected]

      - name: Generate version tag
        run: |
          commit_hash=$(git rev-parse --short=7 HEAD)
          echo "version_tag=$(TZ=:UTC date +%Y-%m-%dt%H-%M-%Sutc-$commit_hash)" >> $GITHUB_ENV

      - name: Deploy
        run: |
          ${GITHUB_WORKSPACE}/deploy --production --message="${{ github.event.inputs.message }}" --actor="$GITHUB_ACTOR" --version=${{ env.version_tag }} ${{ github.event.inputs.deployables }}

      - name: Create Release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ env.version_tag }}
          release_name: ${{ github.event.inputs.message }}
          draft: false
          prerelease: false

Additional information

This works fine as configured in our staging environment, which is a separate Google Cloud project.

Cannot push an image to Google Docker Artifact Registry

TL;DR

Replaced the use of https://github.com/docker/login-action with the current action to authenticate to a Google Docker Artifact registry and I can't seem to push an image to it.

Proof that my service account has access to the registry:

Expected behavior

Able to push a docker image to Google Artifact Registry

Observed behavior

Getting the following error:

denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/prj-d-perso-fleroux-4094/locations/northamerica-northeast1/repositories/fleroux-docker" (or it may not exist)

Action YAML

---
name: Authenticate to Artifact registry using Identity Federation
on:
  push:

jobs:
  test-oidc:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
      WORKLOAD_IDENTITY_POOL_PROVIDER: 'projects/506790059452/locations/global/workloadIdentityPools/github-pool/providers/github-pool-provider'
      SERVICE_ACCOUNT: '[email protected]'

    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Checkout codebase
        uses: actions/checkout@v2

      - name: Authenticate to Google
        id: 'auth'
        uses: 'google-github-actions/[email protected]'
        with:
          token_format: 'id_token'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          id_token_audience: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          create_credentials_file: true

      - name: Build and push Docker
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          cd docker_test
          docker build -t northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello:latest .
          docker image push northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello
        shell: bash

Additional information

No response

An example for accessing a private repo would be handy...

First off, this is great! Very excited about getting rid of our JSON keys and migrating to this! That said, I ran into an issue when trying to get this working with private git repos, and wanted to offer to add a usage example. The main issue I ran into is that when I set permissions in the workflow, it revokes all the default permissions. I'd push a PR, but I don't have permission; but if we added this to the README it might help folks like me who are using Actions with private repos:

jobs:
  run:
    # ...

    # Add "id-token" with the intended permissions.
    # NOTE: This will revoke all default token permissions
    # https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions
    permissions:
      contents: read
      id-token: 'write'

Allow ability to create workload identity token in alternative path

TL;DR

There appears to be no way to create the token in a specific location, which makes the workflow identity something you should not use when using github actions to create PRs.

https://github.com/google-github-actions/auth/blob/main/src/main.ts#L136

Detailed design

name: "Generate Metadata"

on:
  workflow_dispatch: {}

jobs:
  generate-metadata:
    name: Generate Metadata
    runs-on: ubuntu-20.04

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Check out repository code
        uses: actions/checkout@v2
        with:
          ref: main # restrict this run to only main branch, workflow_dispatch does not support limiting to a branch

      - name: 'auth'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/<projectNumber>/locations/global/workloadIdentityPools/<poolname>/providers/<providerName>'
          service_account: '<serviceAccount>@<projectID>.iam.gserviceaccount.com'


      # further step to modify contents in repo

      # another step to generate token to create PR

      # another step to create PR

In that last step, a PR will be created with the expected changes, but the token will be included in the PR.

In another google module, an argument is exposed to specify a different path that allows a consumer to specify where the key should be placed.

      - name: Setup Google Cloud SDK
        uses: google-github-actions/setup-gcloud@master
        with:
          service_account_key: ${{ secrets.GCP_CREDENTIALS }}
          export_default_credentials: true
          credentials_file_path: /tmp/gcp-credentials.json

If possible please expose a similar option.

Additional information

No response
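This issue and "Configurable Working Directory for Exported Credential" above describe the same failure mode: a credential file written into GITHUB_WORKSPACE gets swept up by a later step (a zip of the workspace, a commit that becomes a PR). Added example, not code from the auth action: a pre-flight check that walks a directory and flags JSON files that look like Google credentials (a downloaded service_account key carrying a private_key, or an external_account config like the one in the log earlier on this page), meant to run as a step before archiving or committing. The workspace, file names and credential contents are constructed.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import List

# Credential shapes we refuse to ship. "external_account" is the workload identity
# federation config the auth action writes; "service_account" is a downloaded key,
# which additionally carries a private_key. The type names are those used by Google
# credential JSON files (assumption: no other file in the workspace uses them).
CREDENTIAL_TYPES = {"service_account", "external_account", "impersonated_service_account"}


def looks_like_google_credential(path: Path) -> bool:
    """True if the file parses as a JSON object with a Google credential 'type' or a private_key."""
    if path.stat().st_size > 1_000_000:  # credential files are small; skip big blobs
        return False
    try:
        with path.open("r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (ValueError, UnicodeDecodeError, OSError):
        return False
    if not isinstance(data, dict):
        return False
    if data.get("type") in CREDENTIAL_TYPES:
        return True
    # Key material without a type field is still key material.
    return "private_key" in data


def find_credentials(root: Path, skip_dirs=(".git", "node_modules")) -> List[Path]:
    """Walk `root` and return every file that looks like a Google credential."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            candidate = Path(dirpath) / name
            if looks_like_google_credential(candidate):
                hits.append(candidate)
    return sorted(hits)


def build_sample_workspace() -> Path:
    """Constructed workspace: harmless test output plus a stray WIF config and a stray SA key."""
    root = Path(tempfile.mkdtemp(prefix="gha-ws-"))
    (root / "test-results").mkdir()
    (root / "test-results" / "report.json").write_text(json.dumps({"passed": 12, "failed": 0}))
    (root / "gha-creds-example.json").write_text(json.dumps({
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                    "workloadIdentityPools/example-pool/providers/example-provider",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
    }))
    (root / "sa-key.json").write_text(json.dumps({
        "type": "service_account",
        "client_email": "sa@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    }))
    (root / "README.md").write_text("not json")
    return root


def check_workspace(root: Path) -> int:
    """Return 0 when clean, 1 when credential files are present (usable as a step's exit code)."""
    hits = find_credentials(root)
    for hit in hits:
        # ::error:: is the GitHub Actions workflow command that annotates the job log.
        print(f"::error::refusing to package {hit.relative_to(root)}: looks like a Google credential")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(check_workspace(Path(os.environ.get("GITHUB_WORKSPACE", "."))))
```

Run it as its own step before the zip or the commit step; a non-zero exit stops the job before the credential leaves the runner.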

Changing from `uses: google-github-actions/setup-gcloud@master` to `uses: 'google-github-actions/auth@v0'` breaks login for firebase test lab

TL;DR

Changing from uses: google-github-actions/setup-gcloud@master to uses: 'google-github-actions/auth@v0' breaks firebase test lab

In my github action I have

- name: Authenticate to Google Cloud
  uses: 'google-github-actions/auth@v0'
  with:
    credentials_json: '${{ secrets.GCP_SA_KEY }}'
- name: run firebase testlab
  ...

I get

gcloud of ['gcloud', 'firebase', 'test', 'android', 'run', '--type=game-loop', ….] failed with stderr:ERROR: (gcloud.firebase.test.android.run) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n  "error": {\n    "code": 403,\n    "message": "The caller does not have permission",\n    "status": "PERMISSION_DENIED"\n  }\n}\n')

But the old version works as expected

- name: Authenticate to Google Cloud
  uses: google-github-actions/setup-gcloud@master
  with:
    service_account_key: ${{ secrets.GCP_SA_KEY }}
    export_default_credentials: true
- name: run firebase testlab
  ...

Thanks

Unable to authenticate using OIDC workload identity when adding attribute condition

TL;DR

Authentication is successful when principalSet is set to: //iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/*

But fails when I limit it to a private repo under an org. //iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/<GITHUB_ORG>/*

Expected behavior

Authenticate with specific private repository.

Observed behavior

Error: Action failed with error: Error: failed to generate Google Cloud ID token for [email protected]: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Action YAML

- id: auth
  name: Authenticate to Google Cloud
  uses: google-github-actions/[email protected]
  with:
    token_format: id_token
    workload_identity_provider: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
    service_account: [email protected]
    access_token_lifetime: '300s'

Additional information

❯ gcloud iam service-accounts get-iam-policy "[email protected]"
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/<GITHUB_ORG>/*
  role: roles/iam.workloadIdentityUser
etag: xxxxxx
version: 1
❯ gcloud iam workload-identity-pools providers describe rush3-provider --location global --workload-identity-pool rush3-pool
attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository: assertion.repository_owner
  google.subject: assertion.sub
displayName: Rush demo provider
name: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE

I have also followed steps described here: #36
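As an added example (not from the project or the issue author), a lint for the kind of IAM binding and provider describe output shown above: it parses principal / principalSet member strings against the documented workload identity pool formats (`/*`, `/group/ID`, `/attribute.NAME/VALUE`, and `principal://.../subject/SUBJECT`) and cross-checks attribute selectors against the provider's attributeMapping. The project number, pool name and mapping are constructed placeholders.

```python
"""Lint IAM bindings that grant a service account to a workload identity pool.

Added example, not code from google-github-actions/auth. parse_member() accepts
only the documented member formats for workload identity pools; check_binding()
reports bindings that are malformed, over-broad, or inconsistent with the
provider's attributeMapping.
"""
import re

MEMBER_RE = re.compile(
    r"^(?P<scheme>principal|principalSet)://iam\.googleapis\.com"
    r"/projects/(?P<project>\d+)/locations/global/workloadIdentityPools/(?P<pool>[a-z0-9-]+)/"
    r"(?:(?P<all>\*)"
    r"|subject/(?P<subject>[^/].*)"
    r"|group/(?P<group>[^/].*)"
    r"|attribute\.(?P<attr>[A-Za-z0-9_]+)/(?P<value>.+))$"
)


def parse_member(member):
    """Return a dict describing the member, or None if it is not a recognized format."""
    m = MEMBER_RE.match(member)
    if not m:
        return None
    if m.group("all"):
        kind = "all"
    elif m.group("subject") is not None:
        kind = "subject"
    elif m.group("group") is not None:
        kind = "group"
    else:
        kind = "attribute"
    # principal:// names one subject; principalSet:// is for the set selectors.
    if (kind == "subject") != (m.group("scheme") == "principal"):
        return None
    return {
        "kind": kind,
        "project": m.group("project"),
        "pool": m.group("pool"),
        "attr": m.group("attr"),
        "value": m.group("value") or m.group("subject") or m.group("group"),
    }


def check_binding(member, attribute_mapping):
    """Return a list of problems; an empty list means the binding looks consistent."""
    parsed = parse_member(member)
    if parsed is None:
        return ["member is not a recognized workload identity pool principal format"]
    problems = []
    if parsed["kind"] == "all":
        problems.append("member grants every identity in the pool; restrict with an attribute selector")
    if parsed["kind"] == "attribute":
        mapped = attribute_mapping.get("attribute." + parsed["attr"])
        if mapped is None:
            problems.append(f"attribute.{parsed['attr']} is not in the provider attributeMapping")
        elif parsed["attr"] == "repository" and mapped == "assertion.repository_owner" and "/" in parsed["value"]:
            # GitHub's repository claim is owner/repo; repository_owner is the owner alone.
            problems.append("attribute.repository maps to assertion.repository_owner (owner only), "
                            "so an owner/repo value can never match")
    return problems


# Constructed placeholders: a fake project number and pool, plus an attributeMapping
# in the shape `gcloud iam workload-identity-pools providers describe` prints it.
DEMO_POOL_PREFIX = ("principalSet://iam.googleapis.com/projects/123456789012"
                    "/locations/global/workloadIdentityPools/demo-pool/")
DEMO_ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.repository": "assertion.repository_owner",
}


def demo():
    """Check a few constructed members and return {member_suffix: problems}."""
    suffixes = ["*", "my-org/*", "attribute.repository/my-org",
                "attribute.repository/my-org/my-repo", "attribute.ref/refs/heads/main"]
    return {s: check_binding(DEMO_POOL_PREFIX + s, DEMO_ATTRIBUTE_MAPPING) for s in suffixes}


if __name__ == "__main__":
    for suffix, problems in demo().items():
        print(f".../{suffix}: {problems or 'ok'}")
```

Feed it the members from `gcloud iam service-accounts get-iam-policy` and the attributeMapping from the provider describe output; the mapping check is what catches an attribute name or value that the provider never produces.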

Keyless Authentication to support Application Default Login

TL;DR

gcloud application-default login is only allowed with user credentials, and the application libraries (Google-provided resource authentication in mvn/npm/gradle, etc.) will authenticate with the ADC (either as defined for the run platform or from the serviceAccount JSON key stored in the path defined in the env GOOGLE_APPLICATION_CREDENTIALS).

For CI, the general practice (in GitHub Actions) for a Java application build (for specific actions that demand access to GCP, like JAR/package build and export, unit tests that start the application and use cloud resources, etc.) is to have the Google ServiceAccount key retrieved from a secured location (usually GitHub Secrets) and pushed to the build container in the path specified in the env GOOGLE_APPLICATION_CREDENTIALS (usually this is done automatically if google-github-actions/setup-gcloud@master is used with export_default_credentials set to true).

But after switching to the workload_identity_provider with google-github-actions/auth@v0, the CI actions for those Java build steps fail, as the libraries (neither mvn nor gradle nor npm, etc.) can't recognize the ADC; also, with the new flow/setup, only the credentials can be output in the .credentials_file_path, which the application libraries fail to identify.

Detailed design

The ask is to also allow application login (Google application libraries from maven/gradle/npm) with keyless authentication, which I hope can be achieved via one of:
1. Updating gcloud auth application-default login to allow and accept the credentials output from google-github-actions/auth@v0
(or)
2. Creating a short-lived (temporary) JSON key for the ServiceAccount that is used to authorize the token exchange, and keeping it in the build container where it can be recognized by ADC (and deleting the ServiceAccount key on build termination)
(or)
3. Providing a mechanism to support application login in CI steps (e.g., gcloud auth login is allowed with the credentials output from the auth step)

Additional information

No response

Authenticating to docker using gcloud isn't working after this action

TL;DR

Authenticating to docker using gcloud isn't working, despite what looks like a successful login.

Expected behavior

Docker to be successfully authenticated.

Observed behavior

Docker authentication doesn't seem to be working in combination with this actions output?

Action YAML

      - name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          credentials_json: '${{ secrets.GOOGLE_CLOUD_TOKEN }}'

      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v0'

      - name: Docker Login
        run: "gcloud auth configure-docker --quiet us-central1-docker.pkg.dev"

      - uses: actions/checkout@v2

      - name: Build Docker Image
        run: "docker build ."

Log output

Getting:

ERROR: (gcloud.auth.docker-helper) Failed to load credential file: [/home/runner/work/api/api/39c413352e4b4825126e788d].  File /home/runner/work/api/api/39c413352e4b4825126e788d was not found.

Even though:

    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/api/api/39c413352e4b4825126e788d
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/api/api/39c413352e4b4825126e788d
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/api/api/39c413352e4b4825126e788d

Failed to generate Google Cloud ID token for service_account

TL;DR

I am getting an auth bug when I try to generate an id_token using the github action.

Expected behavior

There should be no auth errors.

Observed behavior

I get a 403 error.

Run google-github-actions/auth@v0
  with:
    token_format: id_token
    workload_identity_provider: projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider
    service_account: abcd@***.iam.gserviceaccount.com
    id_token_audience: projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider
    create_credentials_file: true
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.google***s.com/auth/cloud-platform
    id_token_include_email: false
  env:
    WORKLOAD_IDENTITY_POOL_PROVIDER: projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider
    SERVICE_ACCOUNT: abcd@***.iam.gserviceaccount.com
Created credentials file at "/home/runner/work/***/***/3eb53b95d764be1564f71360"

Error: google-github-actions/auth failed with: failed to generate Google Cloud ID token for abcd@***.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Action YAML

name: Deploy
on:
  push:
    branches:
      - 'develop'

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest

    env:
      WORKLOAD_IDENTITY_POOL_PROVIDER: 'projects/XXXX/locations/global/workloadIdentityPools/ABCD/providers/ABCD-provider'
      SERVICE_ACCOUNT: '[email protected]'

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Build Docker image
        run: |
          docker build . --tag gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}-v${{ steps.package-version.outputs.current-version }}

      # Configure Workload Identity Federation for Google Cloud
      - id: auth
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'id_token'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          id_token_audience: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          create_credentials_file: true

      # Setup gcloud CLI
      - name: Setup gcloud sdk
        uses: google-github-actions/setup-gcloud@v0

      # Configure docker to use the gcloud command-line tool as a credential helper
      - name: 'Set up docker to authenticate via gcloud command-line tool'
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          gcloud auth configure-docker

      - name: Push Docker image to Google Container registry
        run: |
          docker push gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}-v${{ steps.package-version.outputs.current-version }}

Additional information

No response
