Comments (8)

github-actions avatar github-actions commented on June 19, 2024

Hi there @olivers-xaxis 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

from auth.

sethvargo avatar sethvargo commented on June 19, 2024

Hi @olivers-xaxis - please provide the debug logs or error message(s) you're getting.

Step 6 of the WIF via Service Account in the README shows a GitHub Actions workflow YAML that only has the pool ID. I could not get that to work; I had to add the service account line using the service_account attribute. This should be added.

The code block is demonstrating where you set the workload_identity_provider value; it is not meant to be a copy-pasteable example, since there are many required and optional parameters which are documented above. However, I'll add service_account since it's required in this case. However, there are other fields like project_id which may be conditionally required, which is explained above.

Also, I could not get Direct WIF (preferred) to work.

Do you have more information? Debug logs? Error messages?

from auth.

olivers-xaxis avatar olivers-xaxis commented on June 19, 2024

Sure, I should be able to do that Friday.

from auth.

olivers-xaxis avatar olivers-xaxis commented on June 19, 2024

OK so I investigated the failure I was getting. When I did it again, knowing more now than I did then, your steps worked.

HOWEVER, I think we can do better on the last step of the Direct method (normally I'd be happy to submit a PR, but I'm still too new to GCP -- 95% of my cloud years are in AWS). OIDC should be made as easy to set up as possible, leading to a safer web. I have set up OIDC for GitHub in AWS very easily in the past, but being new to GCP IAM I used the console. The latest version has a Grant Access on the Pool page where you can specify the repository to match, and the service account to assume when the repo matches. I think this corresponds to the last step, but the binding would be on the service account to the pool and assertion.repo. So something like showing

# Grant one repository (matched via the pool's attribute.repository mapping)
# permission to impersonate the service account. The member must be a
# principalSet:// URI keyed by the project NUMBER, not the project ID.
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_EMAIL \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityPoolUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/ORG_NAME/REPO_NAME"

AFAIK, if I'm setting up a brand new service account to be used with a brand new pool, I will absolutely need to do the above.

from auth.
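The set-up sketched in the comment above, written out as an added example (not code from the auth repo or from the issue author): it builds the principalSet member for one repository, creates the OIDC provider with the attribute mapping that member relies on, and adds an attribute condition so tokens from other GitHub orgs are rejected at the pool. PROJECT_NUMBER, POOL_ID, PROVIDER_ID, ORG, REPO and the service account e-mail are placeholders you supply.

```shell
#!/usr/bin/env sh
# Added example: the "via Service Account" flow as shell functions, so the
# member string and attribute condition can be checked before gcloud is called.
# Only wif_create_provider and wif_bind_repo_to_sa actually invoke gcloud.

# IAM member that matches exactly one repository through the pool's
# attribute.repository mapping. Uses the project NUMBER, not the project ID.
wif_repo_member() {
  # $1 project number, $2 pool id, $3 GitHub org, $4 repo name
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s/%s' \
    "$1" "$2" "$3" "$4"
}

# Attribute condition: refuse any token whose repository_owner claim is not
# our org, even though every GitHub repo shares the same OIDC issuer.
wif_owner_condition() {
  # $1 GitHub org
  printf "assertion.repository_owner == '%s'" "$1"
}

# Create the GitHub OIDC provider in the pool with the mapping and condition.
wif_create_provider() {
  # $1 project id, $2 pool id, $3 provider id, $4 GitHub org
  gcloud iam workload-identity-pools providers create-oidc "$3" \
    --project="$1" --location="global" --workload-identity-pool="$2" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
    --attribute-condition="$(wif_owner_condition "$4")"
}

# Last step of the flow: allow one repository to impersonate the service account.
wif_bind_repo_to_sa() {
  # $1 project id, $2 project number, $3 pool id, $4 org, $5 repo, $6 SA email
  gcloud iam service-accounts add-iam-policy-binding "$6" \
    --project="$1" \
    --role="roles/iam.workloadIdentityPoolUser" \
    --member="$(wif_repo_member "$2" "$3" "$4" "$5")"
}
```

Keep the binding scoped to attribute.repository rather than the whole pool: a pool-wide member would let every repository that passes the attribute condition impersonate the service account.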

sethvargo avatar sethvargo commented on June 19, 2024

Sorry, I'm not following. Do you have screenshots of what you're seeing on the console? Please note that this repo does not intend to be an authoritative source for Google Cloud documentation. We provide a few key user journeys. Advanced configuration options and general instructions for OIDC/WIF are at: https://cloud.google.com/iam/docs/workload-identity-federation

from auth.

olivers-xaxis avatar olivers-xaxis commented on June 19, 2024

How about I submit a PR? It will be easier for you to see what I mean. You can adjust further if I say anything wrong.

from auth.

sethvargo avatar sethvargo commented on June 19, 2024

Sure, sg.

from auth.

sethvargo avatar sethvargo commented on June 19, 2024

Hey @olivers-xaxis - did you have a chance to look into this yet?

from auth.
