TL;DR
Hello,
I set up a federated identity between my GCP project and a GitHub workflow.
The workload identity is set up properly. I've tested it by installing the gcloud SDK and running gcloud auth list. The latter command outputs the correct SA being impersonated.
Also, google-github-actions/auth@v0 without impersonation, using token_format: 'access_token', passes correctly.
The impersonated SA has both Service Account Token Creator and Workload Identity User roles granted on the tools-iac-example GCP project.
Also, the SA has Domain Wide Delegation granted for all 4 specified scopes.
Am I missing something?
Thanks,
Damir Dezeljin
Expected behavior
The impersonation should work.
Observed behavior
The impersonation fails with the following error:
##[debug]Evaluating condition for step: 'Authenticate to Google Cloud'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Authenticate to Google Cloud
##[debug]Register post job cleanup for action: google-github-actions/auth@v0
##[debug]Loading inputs
##[debug]Loading env
Run google-github-actions/auth@v0
##[debug]Using workload identity provider "projects/73101467293/locations/global/workloadIdentityPools/iac-gh-idpool/providers/iac-gh-idpool-provider"
##[debug]ID token url is https://pipelines.actions.githubusercontent.com/RoKEYgiuTaqbqfrcBb7sGLAs9VLI3QvF5bqVk65EcSqciIZUoT/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/c22e10bb-b0d9-4918-9a71-014dd35f8601/jobs/5d0864fc-c269-5600-cd07-7aaf32b0e293/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F23101461234%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fiac-gh-idpool%2Fproviders%2Fiac-gh-idpool-provider
::add-mask::***
##[debug]Creating credentials file
Created credentials file at "/home/runner/work/tf-mgmt/tf-mgmt/gha-creds-baf7b4b41cd8aa52.json"
##[debug]Creating access token
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to sign JWT using [email protected]: (403) {
"error": {
  "code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
##[debug]Node Action run completed with exit code 1
Action YAML
steps:
  - uses: actions/checkout@v3
  - name: Authenticate to Google Cloud
    id: "auth"
    uses: google-github-actions/auth@v0
    with:
      workload_identity_provider: projects/23101461234/locations/global/workloadIdentityPools/iac-gh-idpool/providers/iac-gh-idpool-provider
      service_account: [email protected]
      token_format: 'access_token'
      access_token_lifetime: 1800s
      access_token_scopes: https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/apps.groups.settings
      access_token_subject: [email protected]
      project_id: tools-iac-example
Log output
No response
Additional information
No response
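Added example, not code from this issue or from the google-github-actions/auth project: it reconstructs what the access_token_subject path in the workflow above asks Google Cloud to do. The assumption (taken from reading the action, not from anything stated on this page) is that with access_token_subject set, auth@v0 builds a domain-wide-delegation assertion in which the service account is the issuer and the subject user is the sub claim, has the IAM signJwt API sign it with the service account's key, and then posts the signed JWT to the OAuth2 token endpoint. The 403 in the log is returned by that signJwt step, before any DWD exchange happens; signJwt requires the calling principal (the federated GitHub identity, not the service account itself) to hold iam.serviceAccounts.signJwt on that service account. The service account and user addresses below are placeholders, and signing uses a local HS256 stand-in so the block runs offline (IAM signs the real assertion with RS256).

```python
"""Added example; not code from the issue or from google-github-actions/auth.

Assumes (from reading the action, not stated on this page) that when
access_token_subject is set, auth@v0 builds a domain-wide-delegation (DWD)
assertion, has IAM signJwt sign it with the service account's key, and then
posts it to the OAuth2 token endpoint. Signing is replaced here by an HS256
stand-in so the block runs offline; IAM signs the real assertion with RS256.
"""
import base64
import hashlib
import hmac
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_LIFETIME_S = 3600  # Google rejects assertions whose exp is more than 1 hour after iat


def parse_scopes(text: str) -> list:
    """Split the action's comma-separated access_token_scopes input, dropping whitespace."""
    return [s.strip() for s in text.split(",") if s.strip()]


def dwd_claims(service_account: str, scopes, subject: str, lifetime_s: int, now=None) -> dict:
    """Claim set for a DWD assertion: the SA is the issuer, the impersonated user is the subject."""
    now = int(time.time()) if now is None else now
    if not 0 < lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_S} seconds")
    return {
        "iss": service_account,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime_s,
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt_standin(claims: dict, key: bytes) -> str:
    """Stand-in for IAM signJwt: same JWS layout, HMAC-SHA256 with a local key instead of RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_claims(jwt: str) -> dict:
    """Read the payload back without verifying; only for inspecting what was signed."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_dwd_assertion(claims: dict, expected_subject: str, dwd_authorized_scopes) -> list:
    """Return the reasons the token endpoint (or the admin's DWD grant) would reject the assertion."""
    problems = []
    if claims.get("aud") != TOKEN_URI:
        problems.append("aud must be the OAuth2 token endpoint")
    if claims.get("sub") != expected_subject:
        problems.append("sub is not the user being impersonated")
    requested = set(claims.get("scope", "").split())
    missing = sorted(requested - set(dwd_authorized_scopes))
    if missing:
        problems.append("scopes not authorized under DWD: " + ", ".join(missing))
    if claims["exp"] - claims["iat"] > MAX_LIFETIME_S:
        problems.append("lifetime exceeds one hour")
    return problems


if __name__ == "__main__":
    # Constructed sample input mirroring the workflow inputs on this page; addresses are placeholders.
    scopes = parse_scopes(
        "https://www.googleapis.com/auth/cloud-platform, "
        "https://www.googleapis.com/auth/admin.directory.user"
    )
    claims = dwd_claims("sa@example.iam.gserviceaccount.com", scopes, "admin@example.com", 1800)
    jwt = sign_jwt_standin(claims, b"local-stand-in-key")
    print(jwt)
    print(check_dwd_assertion(decode_claims(jwt), "admin@example.com", scopes))
```

The check function is the part worth keeping around: once the signJwt permission problem is out of the way, a DWD exchange fails with its own errors when the scopes in the assertion are not exactly among those authorized for the service account's client ID in the Workspace admin console, or when the assertion lifetime exceeds an hour.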