Error with self-hosted runner and auth

This issue has been tracked since 2022-03-29.

TL;DR

Hello,

I am currently testing Workload Identity Feature with GitHub Actions.
By launching the following workflow in a runner hosted by GitHub, everything is fine:

name: workflow_list_vm
on: [workflow_dispatch]
jobs:
  auth:
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    - uses: 'actions/[email protected]'
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/[email protected]'
      with:
        workload_identity_provider: 'projects/projectX/locations/global/workloadIdentityPools/poolX/providers/providerX'
        service_account: '[email protected]'
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/[email protected]'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud compute instances list

However, as soon as I run the same pipeline on a self-hosted runner, it fails. I get the following error message:

Run google-github-actions/[email protected]
Error: google-github-actions/auth failed with: error message: Cannot read properties of undefined (reading 'message')

Could you help me to understand better the origin of the problem?

Thank you in advance for your help,
Sincerely,

Expected behavior

No response

Observed behavior

No response

Action YAML

name: workflow_list_vm
on: [workflow_dispatch]
jobs:
  auth:
    runs-on: 'self-hosted'
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    - uses: 'actions/[email protected]'
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/[email protected]'
      with:
        workload_identity_provider: 'projects/projectX/locations/global/workloadIdentityPools/poolX/providers/providerX'
        service_account: '[email protected]'
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/[email protected]'
    - id: 'gcloud'
      name: 'gcloud'
      run: |-
        gcloud compute instances list

Log output

No response

Additional information

Our self-hosted runner is hosted in a GCP Compute Engine instance, behind an HTTP/HTTPS proxy without Cloud NAT, but with Private Access enabled to access Google APIs privately.

sethvargo wrote this answer on 2022-03-29

Hi @alexandre-rassinoux

Thank you for opening an issue. In general, it's very difficult to diagnose issues with self-hosted runners because we do not have access to the environment.

  • What is the base operating system?
  • What is the version of the GitHub Actions runner?
  • Can you enable debug logging and see if that produces any additional output?

alexandre-rassinoux wrote this answer on 2022-03-29

Hello sethvargo

Thank you for your help. You can find below the answers:

  • What is the base operating system? Debian GNU/Linux 10 (buster)

  • What is the version of the GitHub Actions runner? 2.289.1

  • Can you enable debug logging and see if that produces any additional output?

2022-03-29T14:22:05.4306886Z ##[group]Run google-github-actions/[email protected]
2022-03-29T14:22:05.4307199Z with:
2022-03-29T14:22:05.4307639Z   workload_identity_provider: projects/projectX/locations/global/workloadIdentityPools/poolX/providers/providerX
2022-03-29T14:22:05.4308280Z   service_account: [email protected]
2022-03-29T14:22:05.4308896Z   create_credentials_file: true
2022-03-29T14:22:05.4309182Z   cleanup_credentials: true
2022-03-29T14:22:05.4309467Z   access_token_lifetime: 3600s
2022-03-29T14:22:05.4309850Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-03-29T14:22:05.4311004Z   id_token_include_email: false
2022-03-29T14:22:05.4311363Z ##[endgroup]
2022-03-29T14:22:05.5139870Z ##[debug]Using workload identity provider "projects/projectX/locations/global/workloadIdentityPools/poolX/providers/providerX"
2022-03-29T14:22:05.5152603Z ##[debug]ID token url is https://pipelines.actions.githubusercontent.com/XXXXXXXfEULGqOqeWfOHLJmMe4kcBjdJiyNmI6cZITpcl/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/b9XXXXXXX-96ac-484f-88d7-cd10XXXXXXX/jobs/XXXXXXX-12b9-52e4-499f-13f4a944bdac/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2FprojectX%2Flocations%2Fglobal%2FworkloadIdentityPools%2FpoolX%2Fproviders%2FproviderX
2022-03-29T14:22:05.5733517Z ##[error]google-github-actions/auth failed with: error message: Cannot read properties of undefined (reading 'message')
2022-03-29T14:22:05.5770189Z ##[debug]Node Action run completed with exit code 1
2022-03-29T14:22:05.5779724Z ##[debug]Finishing: Authenticate to Google Cloud

I remain available if needed,
Regards,

sethvargo wrote this answer on 2022-03-29

Hi @alexandre-rassinoux thank you for that. Is that log output with both ACTIONS_RUNNER_DEBUG and ACTIONS_RUNNER_DEBUG set to true?

It looks like you're using the latest runner version, so that's good.

Our code only calls .message in one place, and it's guarded by a check, so I'm unclear where/how this is happening.

alexandre-rassinoux wrote this answer on 2022-04-12

Hello @sethvargo,

I did a full reinstall of a new GitHub runner and the error disappeared.
We can then consider the issue as closed.

Thank you for your help!
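
The debug log in this thread ends right after the ID token URL is logged, so a useful check on a self-hosted runner is to request the GitHub OIDC token by hand and inspect its claims. The script below is an added example, not part of the thread or of the google-github-actions/auth code. It assumes the runner exposes ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN and that the endpoint answers with a JSON "value" field; the sample token and the example-org repository name are constructed.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the issue): test the OIDC token fetch on its own.
# Run as a `run:` step in a job with `id-token: write`. curl honours https_proxy.
set -u
PROVIDER='projects/projectX/locations/global/workloadIdentityPools/poolX/providers/providerX'

# Print top-level string field $1 from single-line JSON on stdin.
json_str() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Decode the payload (2nd segment) of a JWT. Does NOT verify the signature.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done  # re-pad base64url
  printf '%s' "$seg" | base64 -d
}

claim() { jwt_payload "$1" | json_str "$2"; }

# Request an ID token for audience $1 from the runner's token endpoint.
fetch_id_token() {
  curl -sS --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=$1" | json_str value
}

# Succeeds when aud equals the audience the action requested for provider $2.
check_audience() { [ "$(claim "$1" aud)" = "https://iam.googleapis.com/$2" ]; }

# Constructed sample (not a real token), used when not running inside a job.
sample_token() {
  local p='{"iss":"https://token.actions.githubusercontent.com","sub":"repo:example-org/example-repo:ref:refs/heads/main","aud":"https://iam.googleapis.com/'"$PROVIDER"'"}'
  printf 'e30.%s.sig' "$(printf '%s' "$p" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

main() {
  local token
  if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
    token=$(fetch_id_token "https://iam.googleapis.com/$PROVIDER") || true
    [ -n "$token" ] || { echo "ID token fetch failed: check runner, proxy, no_proxy"; return 1; }
  else
    token=$(sample_token)
  fi
  # Print claims only, never the token itself.
  echo "iss=$(claim "$token" iss) sub=$(claim "$token" sub)"
  if check_audience "$token" "$PROVIDER"; then echo "aud OK"; else echo "aud mismatch"; fi
}
main
```

If the fetch step fails here, the problem is between the runner and GitHub's token endpoint rather than in the exchange with Google Cloud.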

More Details About Repo
Owner Name google-github-actions
Repo Name auth
Full Name google-github-actions/auth
Language TypeScript
Created Date 2021-09-16
Updated Date 2023-03-24
Star Count 573
Watcher Count 16
Fork Count 116
Issue Count 3
