Unable to setup OIDC Workload Identity Provider for Workload Pool

This issue has been tracked since 2022-06-25.

TL;DR

As per step 7 in the README, a Workload Identity Provider isn't getting created, either from the gcloud CLI or from the Pantheon UI.
In fact, the issuer-uri violates the organization policy, and thereby the precondition fails.

Expected behavior

Successful creation of Workload Identity Provider

Observed behavior

```
ERROR: (gcloud.iam.workload-identity-pools.providers.create-oidc) FAILED_PRECONDITION: Precondition check failed.

  • '@type': type.googleapis.com/google.rpc.PreconditionFailure
    violations:
    • description: "Org Policy violated for value: 'https://token.actions.githubusercontent.com'."
      subject: orgpolicy:projects/project-step-pranav/locations/global/workloadIdentityPools/github-runner
      type: constraints/iam.workloadIdentityPoolProviders
  • '@type': type.googleapis.com/google.rpc.DebugInfo
    detail: |-
      [ORIGINAL ERROR] generic::failed_precondition: The request has violated one or more Org Policies. Please refer to the respective violations for more information.
      com.google.apps.framework.request.StatusException: generic::FAILED_PRECONDITION: The request has violated one or more Org Policies. Please refer to the respective violations for more information. [google.rpc.error_details_ext] { details { [type.googleapis.com/google.rpc.PreconditionFailure] { violations { type: "constraints/iam.workloadIdentityPoolProviders" subject: "orgpolicy:projects/project-step-pranav/locations/global/workloadIdentityPools/github-runner" description: "Org Policy violated for value: 'https://token.actions.githubusercontent.com\'." } } } }
```

Action YAML

Irrelevant.

Command issued:

```sh
gcloud iam workload-identity-pools providers create-oidc "github-runner-workload-provider" \
  --project=project-step-pranav \
  --location="global" \
  --workload-identity-pool="github-runner" \
  --display-name="GitHub Runner Pool Provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"
```


### Log output

_No response_

### Additional information

A similar error was faced when trying to create it from the Pantheon UI as well.
Further, I tried the command from the following Google Cloud blog too: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
It didn't work.
github-actions[bot] wrote this answer on 2022-07-22

Hi there @PranavNair0001 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

PranavNair0001 wrote this answer on 2022-07-22

Resolved
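The thread ends with "Resolved" but never says how. The error itself names the cause: `constraints/iam.workloadIdentityPoolProviders` is a list-type organization policy whose allowed values are OIDC issuer URIs, and the GitHub issuer was not on the list for this project. The script below is an added example, not code from google-github-actions/auth or from the issue author. It reuses the project ID and issuer from the issue; the policy file layout (Org Policy v2 `name:`/`spec:`/`rules:`/`allowedValues:`), the `gcloud org-policies describe --effective` and `gcloud org-policies set-policy` commands, and the helper names are assumptions on my part. The `issuer_allowed` check runs offline against a constructed policy file; the gcloud calls only run when `APPLY=1` and gcloud is installed.

```sh
#!/bin/sh
# Added example (not from google-github-actions/auth or the issue author).
# Reproduces the allow-list check behind the FAILED_PRECONDITION above and
# shows the org-policy side of the fix. Project ID and issuer are taken from
# the issue; the policy format and gcloud commands are assumptions.

PROJECT_ID="project-step-pranav"
ISSUER="https://token.actions.githubusercontent.com"

# Write an Org Policy (v2 format) that allowlists exactly the issuers given
# as arguments 3..n. Keep this list tight: every issuer on it can mint tokens
# that Google will accept for federation into the project.
# $1 = project id, $2 = output file, $3.. = issuer URIs
write_policy() {
  project="$1"; out="$2"; shift 2
  {
    printf 'name: projects/%s/policies/iam.workloadIdentityPoolProviders\n' "$project"
    printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
    for issuer in "$@"; do
      printf '      - %s\n' "$issuer"
    done
  } > "$out"
}

# Local pre-check: is an issuer on the allowedValues list of a policy file?
# This mirrors the server-side check that rejected the create-oidc call.
# Returns 0 when the issuer is allowed, 1 otherwise.
issuer_allowed() {
  policy="$1"; issuer="$2"
  sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$policy" | grep -qxF -- "$issuer"
}

# gcloud helpers. Changing the policy needs roles/orgpolicy.policyAdmin on the
# project, or on the folder/organization the effective policy is inherited from.
show_effective_policy() {
  gcloud org-policies describe iam.workloadIdentityPoolProviders \
    --project="$1" --effective
}
apply_policy() {
  gcloud org-policies set-policy "$1"
}

# Demonstration with a constructed policy file (written to a temp path).
tmp="${TMPDIR:-/tmp}/wif-policy.$$.yaml"
write_policy "$PROJECT_ID" "$tmp" "$ISSUER"
if issuer_allowed "$tmp" "$ISSUER"; then
  echo "issuer $ISSUER is allowlisted in $tmp"
fi
if [ "${APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  show_effective_policy "$PROJECT_ID"   # inspect what is inherited first
  apply_policy "$tmp"
fi
rm -f "$tmp"
```

Run `show_effective_policy` before applying anything: `--effective` shows the policy as inherited from the folder or organization, and if the restriction is set there, a project-level override is a decision for the organization's policy administrators rather than a local fix. Once the issuer is allowlisted, the original `create-oidc` command from the issue should pass the precondition check.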
