Authenticating with workload identity does not fail when the SA does not exist

This issue has been tracked since 2022-04-28.

TL;DR

Authenticating with a nonexistent service account does not cause the auth action to fail.

Expected behavior

The auth step fails

Observed behavior

The auth step succeeds

I can see that the auth fails in GCP because the metrics for this workload identity provider say: invalid_target. Here is the MQL query I used in the GCP metrics explorer:

fetch iam.googleapis.com/WorkloadIdentityPoolProvider
| metric 'iam.googleapis.com/workload_identity_federation/count'
| align rate(1m)
| every 1m
| group_by [metric.result], [value_count_aggregate: aggregate(value.count)]

Action YAML

name: Do stuff
on:
  [pull_request]

env:
  PROJECT_NUMBER: '123456789'
  PROJECT_ID: 'my-gcp-project'
  WORKLOAD_POOL: 'my-pool'
  WORKLOAD_POOL_PROVIDER: 'my-provider'

permissions:
  contents: 'read'
  id-token: 'write'

jobs:
  something:
    name: Do something
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/[email protected]

      - name: Auth
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: 'projects/${{ env.PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.WORKLOAD_POOL }}/providers/${{ env.WORKLOAD_POOL_PROVIDER }}'
          service_account: '[email protected]${{ env.PROJECT_ID }}.iam.gserviceaccount.com'

      - name: Deploy
        uses: google-github-actions/[email protected]
        with:
          name: my-function
          entry_point: entrypoint
          service_account_email: [email protected]${{ env.PROJECT_ID }}.iam.gserviceaccount.com
          region: europe-west3
          runtime: go116
          event_trigger_type: google.storage.object.finalize
          event_trigger_resource: my-bucket

Log output

Run google-github-actions/[email protected]
  with:
    workload_identity_provider: projects/my-gcp-project/locations/global/workloadIdentityPools/my-pool/providers/my-provider
    service_account: [email protected]
    create_credentials_file: true
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    id_token_include_email: false
  env:
    PROJECT_NUMBER: '123456789'
    PROJECT_ID: 'my-gcp-project'
    WORKLOAD_POOL: 'my-pool'
    WORKLOAD_POOL_PROVIDER: 'my-provider'
Created credentials file at "/home/runner/work/zoba-parser/zoba-parser/gha-creds-115390a493bedc1b.json"

Run google-github-actions/[email protected]
Extracted project ID 'my-gcp-project' from $GCLOUD_PROJECT
Created zip file from './' at '/tmp/cfsrc-6ea1c68af626809644e5b702.zip'
Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: Error code invalid_target: The target service indicated by the "audience" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist.

Additional information

No response

sethvargo wrote this answer on 2022-04-28

Hi @IuryAlves

The authentication succeeds, but then the authorization fails, because no such service account exists. Per the troubleshooting steps, you can ask the auth action to mint an access token to verify the authentication is configured correctly.
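A static pre-flight check over the credentials file the auth action writes (the gha-creds-*.json seen in the log), added here as an example; it is not code from the issue or from the auth action. It assumes the external_account layout of that file and uses a constructed sample with placeholder values. It catches two misconfigurations that surface only later as the deploy step's invalid_target error or as an authorization failure: a provider audience built from a project ID instead of the numeric project number, and an impersonation target outside the expected project. Whether the service account actually exists can only be confirmed by the token exchange itself, which is the access-token check suggested in the reply above.

```python
import json
import re

# Constructed sample of the external_account credentials file written by the
# auth action; every value here is a placeholder, not taken from the issue.
SAMPLE_CREDS = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/my-gcp-project/locations/global/"
                "workloadIdentityPools/my-pool/providers/my-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/deployer@other-project.iam.gserviceaccount.com"
        ":generateAccessToken",
    "credential_source": {"url": "https://example.invalid/token", "format": {"type": "json"}},
})

# Provider resource name: projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>[^/]+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)
SA_RE = re.compile(r"/serviceAccounts/(?P<sa>[^:/]+):generateAccessToken$")


def check_creds(creds_json: str, expected_project_id: str) -> list:
    """Return a list of findings; an empty list means the static checks pass."""
    creds = json.loads(creds_json)
    findings = []
    if creds.get("type") != "external_account":
        return ["not an external_account credential"]
    m = AUDIENCE_RE.match(creds.get("audience", ""))
    if not m:
        findings.append("audience is not a workload identity provider resource name")
    elif not m.group("project").isdigit():
        # Google addresses pools and providers by numeric project number, not project ID.
        findings.append(f"audience uses project ID {m.group('project')!r}, expected project number")
    sa = SA_RE.search(creds.get("service_account_impersonation_url", ""))
    if not sa:
        findings.append("no service account impersonation URL; only a federated token would be issued")
    else:
        # Existence of the account is not checked here; only the token exchange can do that.
        domain = sa.group("sa").split("@", 1)[-1]
        if domain != f"{expected_project_id}.iam.gserviceaccount.com":
            findings.append(f"service account {sa.group('sa')!r} is not in project {expected_project_id!r}")
    return findings
```

Running check_creds on the sample reports both the project-ID audience and the foreign-project service account; a file with the numeric project number and an in-project account returns an empty list.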

More Details About Repo
Owner Name google-github-actions
Repo Name auth
Full Name google-github-actions/auth
Language TypeScript
Created Date 2021-09-16
Updated Date 2023-03-24
Star Count 573
Watcher Count 16
Fork Count 116
Issue Count 3
