Description
TL;DR
When trying to add access_token_subject I receive a 401 response for the auth action:

google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using [email protected]:

```json
{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}
```

If I run this without subject like
```yaml
- name: Get Google access token
  uses: 'google-github-actions/[email protected]'
  id: google_access_token
  with:
    project_id: my-project
    workload_identity_provider: workload_idp_string
    service_account: my-service-account@my_project.iam.gserviceaccount.com
    export_environment_variables: true
    token_format: "access_token"
    access_token_lifetime: 1800s
    access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
```

the flow passes normally. However, since I need to do impersonation I would need to add

```yaml
    access_token_subject: [email protected]
```

which is when the error happens.
I tried to look into previous impersonation issues like
But regardless I can't quite get it to work.
I have set up the domain-wide permissions inside of Google Workspace for the service account app ID.
I am not too used to GCP, so it could be something obvious I am missing here. I am thankful for any suggestions!
Regards,
Thomas
Expected behavior
I am expecting impersonation to work so we can use this to access Google workspaces in our actions
Observed behavior
Call fails with

```json
{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}
```

Action YAML
```yaml
name: Test Google impersonation in separate flow
run-name: "Access google from ${{ github.repository }}"
on:
  pull_request:
    branches:
      - master
      - main
    types:
      - opened
      - edited
      - synchronize
      - reopened
  workflow_dispatch:
jobs:
  google_workspace_test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      pull-requests: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Get Google access token
        uses: 'google-github-actions/[email protected]'
        id: google_access_token
        with:
          project_id: my-project
          workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-poolname/providers/my-provider
          service_account: [email protected]
          export_environment_variables: true
          token_format: "access_token"
          access_token_lifetime: 1800s
          access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
          access_token_subject: [email protected]
```

Log output
2024-01-31T13:26:51.8162091Z Requested labels: ubuntu-latest
2024-01-31T13:26:51.8162363Z Job defined at: org/repo/.github/workflows/test-access.yml@refs/pull/68/merge
2024-01-31T13:26:51.8162443Z Waiting for a runner to pick up this job...
2024-01-31T13:26:53.5052740Z Job is waiting for a hosted runner to come online.
2024-01-31T13:26:55.1607573Z Job is about to start running on the hosted runner: GitHub Actions 39 (hosted)
2024-01-31T13:26:58.0328507Z Current runner version: '2.312.0'
2024-01-31T13:26:58.0360073Z ##[group]Operating System
2024-01-31T13:26:58.0360862Z Ubuntu
2024-01-31T13:26:58.0361313Z 22.04.3
2024-01-31T13:26:58.0361909Z LTS
2024-01-31T13:26:58.0362309Z ##[endgroup]
2024-01-31T13:26:58.0362812Z ##[group]Runner Image
2024-01-31T13:26:58.0363503Z Image: ubuntu-22.04
2024-01-31T13:26:58.0363998Z Version: 20240126.1.0
2024-01-31T13:26:58.0365307Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240126.1/images/ubuntu/Ubuntu2204-Readme.md
2024-01-31T13:26:58.0367277Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240126.1
2024-01-31T13:26:58.0368368Z ##[endgroup]
2024-01-31T13:26:58.0368919Z ##[group]Runner Image Provisioner
2024-01-31T13:26:58.0369619Z 2.0.341.1
2024-01-31T13:26:58.0370031Z ##[endgroup]
2024-01-31T13:26:58.0371423Z ##[group]GITHUB_TOKEN Permissions
2024-01-31T13:26:58.0373597Z Contents: read
2024-01-31T13:26:58.0374160Z Metadata: read
2024-01-31T13:26:58.0375062Z PullRequests: read
2024-01-31T13:26:58.0375703Z ##[endgroup]
2024-01-31T13:26:58.0378460Z Secret source: Actions
2024-01-31T13:26:58.0379202Z Prepare workflow directory
2024-01-31T13:26:58.1147132Z Prepare all required actions
2024-01-31T13:26:58.1343158Z Getting action download info
2024-01-31T13:26:58.4649985Z Download action repository 'actions/checkout@v4' (SHA:b4ffde65f46336ab88eb53be808477a3936bae11)
2024-01-31T13:26:58.6146039Z Download action repository 'google-github-actions/[email protected]' (SHA:5a50e581162a13f4baa8916d01180d2acbc04363)
2024-01-31T13:26:58.9851765Z Complete job name: google_workspace_test
2024-01-31T13:26:59.0877631Z ##[group]Run actions/checkout@v4
2024-01-31T13:26:59.0878253Z with:
2024-01-31T13:26:59.0878683Z repository: org/repo
2024-01-31T13:26:59.0879590Z token: ***
2024-01-31T13:26:59.0879994Z ssh-strict: true
2024-01-31T13:26:59.0880429Z persist-credentials: true
2024-01-31T13:26:59.0880930Z clean: true
2024-01-31T13:26:59.0881367Z sparse-checkout-cone-mode: true
2024-01-31T13:26:59.0881940Z fetch-depth: 1
2024-01-31T13:26:59.0882344Z fetch-tags: false
2024-01-31T13:26:59.0882785Z show-progress: true
2024-01-31T13:26:59.0883203Z lfs: false
2024-01-31T13:26:59.0883579Z submodules: false
2024-01-31T13:26:59.0884024Z set-safe-directory: true
2024-01-31T13:26:59.0884490Z ##[endgroup]
2024-01-31T13:26:59.3696847Z Syncing repository: org/repo
2024-01-31T13:26:59.3699252Z ##[group]Getting Git version info
2024-01-31T13:26:59.3700431Z Working directory is '/home/runner/work/repo/repo'
2024-01-31T13:26:59.3701937Z [command]/usr/bin/git version
2024-01-31T13:26:59.3844068Z git version 2.43.0
2024-01-31T13:26:59.3879355Z ##[endgroup]
2024-01-31T13:26:59.3916030Z Temporarily overriding HOME='/home/runner/work/_temp/8382423c-b1ac-434a-b4e5-9c4a9d9d0864' before making global git config changes
2024-01-31T13:26:59.3917954Z Adding repository directory to the temporary git global config as a safe directory
2024-01-31T13:26:59.3919832Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/repo/repo
2024-01-31T13:26:59.3960242Z Deleting the contents of '/home/runner/work/repo/repo'
2024-01-31T13:26:59.3983942Z ##[group]Initializing the repository
2024-01-31T13:26:59.3985319Z [command]/usr/bin/git init /home/runner/work/repo/repo
2024-01-31T13:26:59.4067177Z hint: Using 'master' as the name for the initial branch. This default branch name
2024-01-31T13:26:59.4072040Z hint: is subject to change. To configure the initial branch name to use in all
2024-01-31T13:26:59.4076086Z hint: of your new repositories, which will suppress this warning, call:
2024-01-31T13:26:59.4079279Z hint:
2024-01-31T13:26:59.4082148Z hint: git config --global init.defaultBranch <name>
2024-01-31T13:26:59.4084945Z hint:
2024-01-31T13:26:59.4087731Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2024-01-31T13:26:59.4091168Z hint: 'development'. The just-created branch can be renamed via this command:
2024-01-31T13:26:59.4095395Z hint:
2024-01-31T13:26:59.4098113Z hint: git branch -m <name>
2024-01-31T13:26:59.4116963Z Initialized empty Git repository in /home/runner/work/repo/repo/.git/
2024-01-31T13:26:59.4135902Z [command]/usr/bin/git remote add origin https://github.com/org/repo
2024-01-31T13:26:59.4170797Z ##[endgroup]
2024-01-31T13:26:59.4172027Z ##[group]Disabling automatic garbage collection
2024-01-31T13:26:59.4178676Z [command]/usr/bin/git config --local gc.auto 0
2024-01-31T13:26:59.4213997Z ##[endgroup]
2024-01-31T13:26:59.4216207Z ##[group]Setting up auth
2024-01-31T13:26:59.4226372Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2024-01-31T13:26:59.4265889Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2024-01-31T13:26:59.4655060Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2024-01-31T13:26:59.4687634Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2024-01-31T13:26:59.4948980Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2024-01-31T13:26:59.5004069Z ##[endgroup]
2024-01-31T13:26:59.5006717Z ##[group]Fetching the repository
2024-01-31T13:26:59.5021393Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +e6e10b73c499ed8fa08b476e855a2a265fd80227:refs/remotes/pull/68/merge
2024-01-31T13:26:59.8307456Z From https://github.com/org/repo
2024-01-31T13:26:59.8313545Z * [new ref] e6e10b73c499ed8fa08b476e855a2a265fd80227 -> pull/68/merge
2024-01-31T13:26:59.8339535Z ##[endgroup]
2024-01-31T13:26:59.8340537Z ##[group]Determining the checkout info
2024-01-31T13:26:59.8341846Z ##[endgroup]
2024-01-31T13:26:59.8342719Z ##[group]Checking out the ref
2024-01-31T13:26:59.8345425Z [command]/usr/bin/git checkout --progress --force refs/remotes/pull/68/merge
2024-01-31T13:26:59.8453712Z Note: switching to 'refs/remotes/pull/68/merge'.
2024-01-31T13:26:59.8455100Z
2024-01-31T13:26:59.8455778Z You are in 'detached HEAD' state. You can look around, make experimental
2024-01-31T13:26:59.8457656Z changes and commit them, and you can discard any commits you make in this
2024-01-31T13:26:59.8458918Z state without impacting any branches by switching back to a branch.
2024-01-31T13:26:59.8459672Z
2024-01-31T13:26:59.8460238Z If you want to create a new branch to retain commits you create, you may
2024-01-31T13:26:59.8461479Z do so (now or later) by using -c with the switch command. Example:
2024-01-31T13:26:59.8462208Z
2024-01-31T13:26:59.8462549Z git switch -c <new-branch-name>
2024-01-31T13:26:59.8462961Z
2024-01-31T13:26:59.8463260Z Or undo this operation with:
2024-01-31T13:26:59.8463690Z
2024-01-31T13:26:59.8463959Z git switch -
2024-01-31T13:26:59.8464190Z
2024-01-31T13:26:59.8464788Z Turn off this advice by setting config variable advice.detachedHead to false
2024-01-31T13:26:59.8465630Z
2024-01-31T13:26:59.8466629Z HEAD is now at e6e10b7 Merge aa7295f57fb0e819e8495e3b4cd86f79330add48 into 0154afaed0d9ba9573bc5a6f92d651b80c4086b5
2024-01-31T13:26:59.8479640Z ##[endgroup]
2024-01-31T13:26:59.8513518Z [command]/usr/bin/git log -1 --format='%H'
2024-01-31T13:26:59.8540702Z 'e6e10b73c499ed8fa08b476e855a2a265fd80227'
2024-01-31T13:26:59.9085486Z ##[group]Run google-github-actions/[email protected]
2024-01-31T13:26:59.9086279Z with:
2024-01-31T13:26:59.9086849Z project_id: my-project
2024-01-31T13:26:59.9088421Z workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-poolname/providers/my-provider
2024-01-31T13:26:59.9090475Z service_account: [email protected]
2024-01-31T13:26:59.9091782Z export_environment_variables: true
2024-01-31T13:26:59.9092495Z token_format: access_token
2024-01-31T13:26:59.9093104Z access_token_lifetime: 1800s
2024-01-31T13:26:59.9094180Z access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
2024-01-31T13:26:59.9095333Z access_token_subject: [email protected]
2024-01-31T13:26:59.9096124Z create_credentials_file: true
2024-01-31T13:26:59.9096820Z universe: googleapis.com
2024-01-31T13:26:59.9097382Z cleanup_credentials: true
2024-01-31T13:26:59.9098096Z retries: 3
2024-01-31T13:26:59.9098647Z backoff: 250
2024-01-31T13:26:59.9099103Z id_token_include_email: false
2024-01-31T13:26:59.9099706Z ##[endgroup]
2024-01-31T13:27:00.1728663Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-fa93714574e118a9.json"
2024-01-31T13:27:00.5957873Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-b12f97ebaaf28536.json"
2024-01-31T13:27:00.9863978Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-d1f1d356de50805e.json"
2024-01-31T13:27:01.6186372Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-a40fad1e66bc7e28.json"
2024-01-31T13:27:01.7222266Z ##[error]google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using [email protected]: {
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
"metadata": {
"service": "iamcredentials.googleapis.com",
"method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
}
}
]
}
}
2024-01-31T13:27:01.7641210Z Post job cleanup.
2024-01-31T13:27:01.8675924Z Removed exported credentials at "/home/runner/work/repo/repo/gha-creds-a40fad1e66bc7e28.json".
2024-01-31T13:27:01.8859889Z Post job cleanup.
2024-01-31T13:27:01.9808231Z [command]/usr/bin/git version
2024-01-31T13:27:01.9911155Z git version 2.43.0
2024-01-31T13:27:02.0078883Z Temporarily overriding HOME='/home/runner/work/_temp/5a64591e-cac1-4cdf-b9e1-fc3fb44e4ac9' before making global git config changes
2024-01-31T13:27:02.0080665Z Adding repository directory to the temporary git global config as a safe directory
2024-01-31T13:27:02.0084921Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/repo/repo
2024-01-31T13:27:02.0192546Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2024-01-31T13:27:02.0228504Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2024-01-31T13:27:02.0507626Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2024-01-31T13:27:02.0537815Z http.https://github.com/.extraheader
2024-01-31T13:27:02.0551444Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2024-01-31T13:27:02.0587561Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2024-01-31T13:27:02.1232796Z Cleaning up orphan processes
Additional information
No response
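An added example in Python, not from this issue or from the google-github-actions/auth project: it parses the action's error string into the google.rpc.ErrorInfo triple (reason, service, method) so the ACCESS_TOKEN_TYPE_UNSUPPORTED-on-SignJwt signature reported above can be checked mechanically, and it builds the claim set of the domain-wide-delegation JWT assertion whose `sub` carries the access_token_subject user. The sample error string is constructed from the issue text with placeholder addresses; the token endpoint URL and the iss/sub/scope/aud claim layout are assumed to follow Google's standard OAuth 2.0 JWT-bearer flow rather than taken from the action's source.

```python
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed Google token endpoint
ERROR_INFO = "type.googleapis.com/google.rpc.ErrorInfo"

# Constructed from the error text in the issue; addresses are placeholders.
SAMPLE_ERROR = (
    "google-github-actions/auth failed with: retry function failed after 4 "
    "attempts: failed to sign JWT using sa@my-project.iam.gserviceaccount.com: "
    + json.dumps({"error": {"code": 401, "status": "UNAUTHENTICATED",
        "message": "Request had invalid authentication credentials.",
        "details": [{"@type": ERROR_INFO, "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
                     "metadata": {"service": "iamcredentials.googleapis.com",
                                  "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"}}]}})
)


def parse_auth_error(message):
    """Extract code/status and the ErrorInfo reason/service/method from the
    action's error string; the API's JSON body starts at the first '{'."""
    start = message.find("{")
    if start < 0:
        raise ValueError("no JSON body in error message")
    err = json.loads(message[start:])["error"]
    info = next((d for d in err.get("details", []) if d.get("@type") == ERROR_INFO), {})
    meta = info.get("metadata", {})
    return {"code": err["code"], "status": err["status"], "reason": info.get("reason"),
            "service": meta.get("service"), "method": meta.get("method")}


def is_signjwt_token_type_rejected(err):
    """The signature seen in this issue: the credential presented to
    IAMCredentials.SignJwt was of a type that endpoint does not accept."""
    return (err.get("reason") == "ACCESS_TOKEN_TYPE_UNSUPPORTED"
            and (err.get("method") or "").endswith("IAMCredentials.SignJwt"))


def dwd_assertion_claims(service_account, subject, scopes, now=None, lifetime_s=3600):
    """Claim set of the JWT-bearer assertion (RFC 7523) that domain-wide
    delegation signs and exchanges at TOKEN_URI: iss is the service account,
    sub the Workspace user being impersonated, scope the space-joined OAuth
    scopes. Google caps the assertion lifetime at one hour."""
    if not scopes:
        raise ValueError("at least one scope is required")
    if not 0 < lifetime_s <= 3600:
        raise ValueError("assertion lifetime must be 1..3600 seconds")
    now = int(time.time()) if now is None else int(now)
    return {"iss": service_account, "sub": subject, "scope": " ".join(scopes),
            "aud": TOKEN_URI, "iat": now, "exp": now + lifetime_s}
```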
