This step

```yaml
- name: 'Authenticate to Google Cloud'
  id: auth
  uses: 'google-github-actions/[email protected]'
  with:
    token_format: 'access_token'
    workload_identity_provider: 'projects/my-project-id/locations/global/workloadIdentityPools/my-pool/providers/gh-provider'
    service_account: '[email protected]'
```

fails with this message:

```
Error: google-github-actions/auth failed with: retry function failed with 0 attempts: failed to generate Google Cloud federated token for projects/my-project-id/locations/global/workloadIdentityPools/my-pool/providers/gh-provider: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
```

When removing

```yaml
with:
  token_format: 'access_token'
```

it succeeds.
If I am not mistaken, there are no specific instructions about any extra actions needed to ask for the specific `token_format`.
```yaml
name: Test workload identity federation
on:
  push:
    branches:
      - some_test_branch
jobs:
  test-authentication:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: checkout the project
        uses: 'actions/[email protected]'
      - name: 'Authenticate to Google Cloud'
        id: auth
        uses: 'google-github-actions/[email protected]'
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/my-project-id/locations/global/workloadIdentityPools/my-pool/providers/gh-provider'
          service_account: '[email protected]'
      - name: use docker login action
        uses: 'docker/[email protected]'
        with:
          registry: 'gcr.io'
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'
      - name: login directly via shell
        run: |-
          echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://gcr.io
```

```
Error: google-github-actions/auth failed with: retry function failed with 0 attempts: failed to generate Google Cloud federated token for projects/my-project-id/locations/global/workloadIdentityPools/my-pool/providers/gh-provider: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
```
My workload identity pool provider in tf:

```hcl
resource "google_iam_workload_identity_pool_provider" "gh_provider" {
  provider                           = google-beta
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-provider"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }
  oidc {
    allowed_audiences = ["https://github.com/MyOrg"]
    issuer_uri        = "https://token.actions.githubusercontent.com"
  }
}
```
Hi there @pantelis-karamolegkos
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
If you do not specify a token format, the action just creates the credential file. When a later step used the credential file, it would fail with the same error. The troubleshooting steps notes this.
If the error message includes "failed to generate Google Cloud federated token", it means admission into the Workload Identity Pool failed. Check your Attribute Conditions and allowed audiences. Also, make sure you're using the project number in the value for `workload_identity_provider` in the YAML, not the project id.
Thanks for your response.

So, if I get this,

> If you do not specify a token format, the action just creates the credential file.

it will create it even if the admission failed? (And this is the reason the step succeeds when the `token_format: 'access_token'` input is missing?)

(Yes, I am using the project number in the `workload_identity_provider` value; my obfuscation was misleading.)
With the default parameters, the action doesn't communicate with GCP APIs at all. It just creates a credentials file which Application Default Credentials (ADC) use for future steps. If you request an access token or ID token, it then uses that ADC file to mint the credentials.

What is the output of:

```shell
gcloud iam workload-identity-pools providers describe gh-provider --location=global --workload-identity-pool=my-pool --project=<project_id>
```
```
▶ gcloud iam workload-identity-pools providers describe gh-provider --location=global --workload-identity-pool=my-pool --project=my-project-id
attributeMapping:
  attribute.full: assertion.repository+assertion.ref
  google.subject: assertion.sub
name: projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/gh-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
```
What I see now is that I am getting

```
Error: google-github-actions/auth failed with: retry function failed with 0 attempts: failed to generate Google Cloud access token for [email protected]: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
```

but I am failing to understand why the permission is denied.

I am definitely running the workflow from the `assertion.repository` repo and the `assertion.ref` branch.
Per the troubleshooting guide, if the error message includes "failed to generate Google Cloud access token", it means Service Account Impersonation failed. Check your Service Account Impersonation settings and ensure the principalSet is correct.
Turns out the problem was not in my Account Impersonation.
I wanted to restrict the permissions to a specific branch, so my mapping was

```hcl
resource "google_iam_workload_identity_pool_provider" "gh_provider" {
  provider                           = google-beta
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.wkbl_sre_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-provider"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
    "attribute.full" = "assertion.repository+assertion.ref"
  }
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
```

and the corresponding principal

```hcl
data "google_iam_policy" "impersonation_policy" {
  binding {
    role = "roles/iam.workloadIdentityUser"
    members = [
      "principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${var.workload_identity_pool_id}/attribute.full/${var.gh_repo}${var.gh_branch}",
    ]
  }
}
```

For some reason this never worked when running my workflow from the branch that the variable `var.gh_repo` was instantiated with...

Removing anything related to branch, i.e. 👇🏻

```hcl
attribute_mapping = {
  "google.subject" = "assertion.sub"
  "attribute.full" = "assertion.repository"
}
```

and

```hcl
"principalSet://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${var.workload_identity_pool_id}/attribute.full/${var.gh_repo}",
```

did the trick.
I know I am pushing the boundaries of your kindness but any suggestion(s) about how to limit the auth from a specific branch would be highly appreciated.
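The two checks the maintainer points at (pool admission against `allowed_audiences`, then service account impersonation against a `principalSet` member built from the mapped `attribute.full`) can be modelled in a few lines. The following is an added illustration, not code from this thread or from google-github-actions/auth. It goes one step beyond the thread: it assumes, as GitHub's OIDC documentation states, that the `ref` claim carries the full git ref (`refs/heads/<branch>`) rather than the bare branch name, and shows what value `attribute.full` therefore takes and which member strings can equal it. The token claims, project number, pool and repository names are all constructed.

```python
"""Model of Workload Identity Federation admission and principalSet matching.

Added illustration only. Every claim value, project number and name is constructed.
"""

PROJECT_NUMBER = "123456789"  # constructed; member strings need the project number, not the id
POOL_ID = "my-pool"
PROVIDER = (f"projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}/providers/gh-provider")

# Constructed subset of the claims in a GitHub Actions OIDC token for a push to main.
# Assumption (per GitHub's OIDC docs): `ref` is the full git ref, not the bare branch name.
ASSERTION = {
    "sub": "repo:MyOrg/my-repo:ref:refs/heads/main",
    "repository": "MyOrg/my-repo",
    "ref": "refs/heads/main",
    # google-github-actions/auth defaults the token audience to the provider name
    # behind https://iam.googleapis.com/ (documented default, assumed here).
    "aud": f"https://iam.googleapis.com/{PROVIDER}",
}


def admitted(assertion, allowed_audiences):
    """Pool admission check on the audience claim.

    When allowed_audiences is unset, the provider accepts its own resource name,
    with or without the https://iam.googleapis.com/ prefix (documented default).
    """
    if not allowed_audiences:
        allowed_audiences = [PROVIDER, f"https://iam.googleapis.com/{PROVIDER}"]
    return assertion["aud"] in allowed_audiences


def map_attributes(assertion, attribute_mapping):
    """Evaluate the small CEL subset used in the thread: assertion.<claim> terms joined by '+'."""
    mapped = {}
    for target, expr in attribute_mapping.items():
        pieces = []
        for term in expr.split("+"):
            term = term.strip()
            if term.startswith("assertion."):
                pieces.append(str(assertion[term[len("assertion."):]]))
            elif len(term) >= 2 and term[0] == term[-1] and term[0] in "\"'":
                pieces.append(term[1:-1])  # quoted string literal
            else:
                raise ValueError(f"unsupported CEL term: {term!r}")
        mapped[target] = "".join(pieces)
    return mapped


def principal_set(attribute, value):
    """Build the principalSet member string for one mapped attribute value."""
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}/{attribute}/{value}")


def member_matches(member, mapped):
    """True when the member's attribute value equals the token's mapped attribute value.

    The value may itself contain '/', so split only around the pool id and attribute name.
    """
    prefix = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/"
              f"locations/global/workloadIdentityPools/")
    if not member.startswith(prefix):
        return False
    parts = member[len(prefix):].split("/", 2)
    if len(parts) != 3:
        return False
    pool, attribute, value = parts
    return pool == POOL_ID and mapped.get(attribute) == value


REPO_AND_REF = {"google.subject": "assertion.sub",
                "attribute.full": "assertion.repository+assertion.ref"}
REPO_ONLY = {"google.subject": "assertion.sub",
             "attribute.full": "assertion.repository"}


def demo():
    """Run the checks discussed in the thread and return the outcomes by name."""
    results = {}
    # Admission: an audience the action does not send is rejected at the pool.
    results["aud_github_org"] = admitted(ASSERTION, ["https://github.com/MyOrg"])
    results["aud_default"] = admitted(ASSERTION, [])

    full = map_attributes(ASSERTION, REPO_AND_REF)
    results["mapped_full"] = full["attribute.full"]
    # Member built from repo + bare branch name, like ${var.gh_repo}${var.gh_branch}.
    results["branch_name_member"] = member_matches(
        principal_set("attribute.full", "MyOrg/my-repo" + "main"), full)
    # Member built from repo + full ref.
    results["full_ref_member"] = member_matches(
        principal_set("attribute.full", "MyOrg/my-repo" + "refs/heads/main"), full)

    repo_only = map_attributes(ASSERTION, REPO_ONLY)
    results["repo_only_member"] = member_matches(
        principal_set("attribute.full", "MyOrg/my-repo"), repo_only)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With the `repository+ref` mapping, `attribute.full` becomes `MyOrg/my-reporefs/heads/main`, so a member string has to be built from the repository followed by the full ref to be equal to it; a member built from the bare branch name never equals the mapped value, while the repository-only mapping matches a repository-only member, which is the behaviour the thread reports. The audience check is kept separate because it runs first: a token whose `aud` is not in `allowed_audiences` is refused at the pool before any attribute or member comparison happens.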
@pantelis-karamolegkos what do you mean by "from a specific branch"? Is this the source branch or the destination branch? There are some examples in GitHub's OIDC documentation.
@pantelis-karamolegkos What was the solution?
| Field | Value |
|---|---|
| Owner Name | google-github-actions |
| Repo Name | auth |
| Full Name | google-github-actions/auth |
| Language | TypeScript |
| Created Date | 2021-09-16 |
| Updated Date | 2023-03-24 |
| Star Count | 573 |
| Watcher Count | 16 |
| Fork Count | 116 |
| Issue Count | 3 |