OAuth token is not created because audience is null. I think...
The OAuth token is created with the correct audience, short lived access tokens are created and authentication works as expected.
I get the error below in my action. This happens when I hard code the audience to the default URL, when I set it as a secret and when I use a custom value in the pool and the matching value.
google-github-actions/auth failed with: retry function failed with 0 attempts: failed to generate Google Cloud federated token for ${ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
I'm not sure if this is a bug or a configuration value. I've made sure the provider uses the project number. The project ID is correct and the service account is correct too.
Anyone have an idea what I'm doing wrong? I've also reset the provider attributes back to `google.subject=assertion.sub` and the error doesn't change. Is it possible that I'm missing an attribute (I had `attribute.aud=assertion.aud`, repo owner, etc. but I removed them for debugging)? Which attribute am I missing?
Thanks in advance :)
```yaml
name: Deploy self-hosted actions runner
on:
  push:
    branches:
      - main
jobs:
  run:
    name: 'Setup GCP and Deploy self-hosted actions runner'
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: actions/[email protected]
      - name: Authenticate to Google Cloud
        id: auth-gcp
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: '${ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }'
          service_account: '${ secrets.TERRAFORM_SERVICE_ACCOUNT_EMAIL }'
          project_id: '${ secrets.GCP_PROJECT_ID }'
          audience: '${ secrets.GCP_POOL_AUDIENCE }'
          token_format: 'access_token'
          access_token_lifetime: '1800' # 30 minutes
      - name: Initialise Terraform
        run: cd terraform && terraform init -reconfigure -backend-config="access_token="${{ steps.auth-gcp.outputs.access_token }}"" && cd ..
      - name: Validate Terraform
        run: cd terraform && terraform validate -backend-config="access_token="${{ steps.auth-gcp.outputs.access_token }}"" && cd ..
      - name: Create infrastructure
        run: cd terraform && terraform apply -backend-config="access_token="${{ steps.auth-gcp.outputs.access_token }}"" -target=module.self_hosted_ci_runners.google_compute_instance.runner -var 'github_access_token=${ secrets.PERSONAL_ACCESS_TOKEN }' && cd ..
```
```text
Current runner version: '2.294.0'
Operating System
Virtual Environment
Virtual Environment Provisioner
GITHUB_TOKEN Permissions
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/[email protected]' (SHA:2541b1294d2704b0964813337f33b291d3f8596b)
Download action repository 'google-github-actions/[email protected]' (SHA:ceee102ec2387dd9e844e01b530ccd4ec87ce955)

Run actions/[email protected]
Syncing repository: DerekCrosson/anya-final-project
Getting Git version info
Temporarily overriding HOME='/home/runner/work/_temp/61aa44c8-d64c-4df3-bbbb-f1886707f4fc' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /home/runner/work/anya-final-project/anya-final-project
Deleting the contents of '/home/runner/work/anya-final-project/anya-final-project'
Initializing the repository
Disabling automatic garbage collection
Setting up auth
Fetching the repository
Determining the checkout info
Checking out the ref
/usr/bin/git log -1 --format='%H'
'84a7dab0f8032052a9b01a7c1a9f8e315d68c382'

Run google-github-actions/[email protected]
Created credentials file at "/home/runner/work/anya-final-project/anya-final-project/gha-creds-1508dc439b6f43dc.json"
Error: google-github-actions/auth failed with: retry function failed with 0 attempts: failed to generate Google Cloud federated token for ${ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}

Post job cleanup.
Removed exported credentials at "/home/runner/work/anya-final-project/anya-final-project/gha-creds-1508dc439b6f43dc.json".

Post job cleanup.
/usr/bin/git version
git version 2.37.1
Temporarily overriding HOME='/home/runner/work/_temp/a8f8cd35-0268-4b05-adb2-dce4b996fba0' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /home/runner/work/anya-final-project/anya-final-project
/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
http.https://github.com/.extraheader
/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :

Cleaning up orphan processes
```
Nothing I can think of right now, not sure if this is a bug
GitHub Actions expressions use the `${{ x }}` syntax. Your example uses `${ x }`: https://docs.github.com/en/actions/learn-github-actions/expressions#about-expressions
Please note, this is how GitHub Actions works, and is completely outside of our control.
Thanks, @sethvargo! I can't believe I missed that, really appreciate it :)
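As an added example (not code from the issue above or from google-github-actions/auth): a small pre-commit style check that catches the mistake discussed in this thread before a workflow runs. It flags single-brace `${ ... }` tokens in a workflow file, rewrites them to `${{ ... }}`, and checks that a resolved `workload_identity_provider` or `audience` value is a full provider resource name (numeric project number, not a project ID). The workflow fragment, the pool and provider names and the project number below are constructed for the example and are not from the issue.

```python
import re

# A GitHub Actions expression is ${{ ... }}. A single-brace ${ ... } is not an
# expression at all; the runner passes it to the action verbatim, which is why
# the literal text "${ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }" reached the
# STS endpoint in the error above.
SINGLE_BRACE = re.compile(r"\$\{(?!\{)\s*([^}]*?)\s*\}")

# Full resource name of a workload identity pool provider. The project segment
# must be the numeric project number; a project ID will not match. The optional
# "//iam.googleapis.com/" prefix is the form listed for the STS "audience" value.
PROVIDER_RE = re.compile(
    r"^(//iam\.googleapis\.com/)?projects/(\d+)/locations/global/"
    r"workloadIdentityPools/([a-z0-9-]+)/providers/([a-z0-9-]+)$"
)

# Constructed workflow fragment: one broken expression, two correct ones.
SAMPLE_WORKFLOW = """\
with:
  workload_identity_provider: '${ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }'
  service_account: '${{ secrets.TERRAFORM_SERVICE_ACCOUNT_EMAIL }}'
run: terraform init -backend-config="access_token=${{ steps.auth-gcp.outputs.access_token }}"
"""


def find_single_brace_expressions(workflow_text):
    """Return (line_number, inner_text) for every ${ ... } that is not ${{ ... }}."""
    hits = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        for match in SINGLE_BRACE.finditer(line):
            hits.append((number, match.group(1)))
    return hits


def fix_single_brace_expressions(workflow_text):
    """Rewrite ${ x } to ${{ x }}, leaving existing ${{ x }} untouched."""
    return SINGLE_BRACE.sub(lambda m: "${{ " + m.group(1) + " }}", workflow_text)


def validate_provider_name(value):
    """Check a resolved workload_identity_provider / audience value.

    Returns (ok, reason). The first check catches the case from the issue: the
    workflow never expanded the secret, so the literal text reached the action.
    """
    if "${" in value:
        return False, "contains an unexpanded workflow expression"
    if PROVIDER_RE.match(value) is None:
        return False, "not a full workload identity provider resource name"
    return True, "ok"


if __name__ == "__main__":
    for number, expr in find_single_brace_expressions(SAMPLE_WORKFLOW):
        print("line %d: '${ %s }' is not an expression, use '${{ %s }}'" % (number, expr, expr))
    print(fix_single_brace_expressions(SAMPLE_WORKFLOW))
    for candidate in (
        "${ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }",
        "projects/my-project-id/locations/global/workloadIdentityPools/github-pool/providers/github-provider",
        "projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider",
    ):
        print(candidate, "->", validate_provider_name(candidate))
```

The unexpanded-expression check is the one that matters operationally: the `auth` action cannot tell a typo from a real provider name, so the only place to catch it cheaply is before the job runs. The resource-name check also guards the project-number-vs-project-ID confusion the reporter was chasing.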
| Field | Value |
|---|---|
| Owner Name | google-github-actions |
| Repo Name | auth |
| Full Name | google-github-actions/auth |
| Language | TypeScript |
| Created Date | 2021-09-16 |
| Updated Date | 2023-03-24 |
| Star Count | 573 |
| Watcher Count | 16 |
| Fork Count | 116 |
| Issue Count | 3 |