Hi there @olivers-xaxis!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @olivers-xaxis - please provide the debug logs or error message(s) you're getting.
Step 6 of the WIF via Service Account in the README shows a GitHub Actions workflow YAML that only has the pool ID. I could not get that to work; I had to add the service account line using the service_account attribute. This should be added.
The code block is demonstrating where you set the workload_identity_provider value; it is not meant to be a copy-pasteable example, since there are many required and optional parameters which are documented above. However, I'll add service_account since it's required in this case. However, there are other fields like project_id which may be conditionally required, which is explained above.
Also, I could not get Direct WIF (preferred) to work.
Do you have more information? Debug logs? Error messages?
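For readers comparing the two flows discussed above, here is an added workflow example (not the README's code) showing the difference between the inputs: Direct WIF binds the GitHub identity to Google Cloud resources and therefore needs no service_account, while the Service Account flow adds the service_account input so the action impersonates that account. The project number, pool, provider, project ID and service account email are placeholders, and `project_id` is included only because the README describes it as conditionally required. The `id-token: write` permission is what lets the job request the GitHub OIDC token the action exchanges.

```yaml
# Added example, not from the google-github-actions/auth README.
# All resource names below are constructed placeholders.
name: wif-example
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # required so the job can request a GitHub OIDC token

jobs:
  direct-wif:
    # Direct Workload Identity Federation: no service account involved.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          project_id: my-project                                   # placeholder; conditionally required
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider

  sa-wif:
    # Workload Identity Federation through a service account: the pool
    # identity for this repository must hold roles/iam.workloadIdentityUser
    # on the service account named here.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
          service_account: deploy@my-project.iam.gserviceaccount.com   # placeholder
```

The provider value is the full resource name (`projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`), not the bare pool ID, which is the part the issue reporter found easy to miss in the README snippet.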
Sure I should be able to do that Friday
OK so I investigated the failure I was getting. When I did it again, knowing more now than I did then, your steps worked.
HOWEVER I think we can do better on the last step of the Direct method (normally I'd be happy to submit a PR but I'm still too new to GCP -- 95% of my cloud years are in AWS). OIDC should be made as easy to set up as possible, leading to a safer web. I have set up OIDC for GitHub in AWS very easily in the past, but being new to GCP IAM I used the console. The latest version has a Grant Access on the Pool page where you can specify the repository to match, and the service account to assume when the repo matches. I think this corresponds to the last step, but the binding would be on the service account to the pool and assertion.repo. So something like showing
# Allow the pool identity for one repository to impersonate the service account
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_EMAIL \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/ORG_NAME/REPO_NAME"
AFAIK, if I'm setting up a brand new service account to be used with a brand new pool, I will absolutely need to do the above.
Sorry, I'm not following. Do you have screenshots of what you're seeing on the console? Please note that this repo does not intend to be an authoritative source for Google Cloud documentation. We provide a few key user journeys. Advanced configuration options and general instructions for OIDC/WIF are at: https://cloud.google.com/iam/docs/workload-identity-federation
How about I submit a PR, it will be easier for you to see what I mean. You can adjust further if I say anything wrong.
Sure, sg.
Hey @olivers-xaxis - did you have a chance to look into this yet?