Workload Identity Pool:

```
gcloud iam workload-identity-pools providers describe <my_provider> --location global --workload-identity-pool <my_pool_name>
```

```yaml
attributeMapping:
  attribute.actor: assertion.actor
  attribute.repository: assertion.repository
  google.subject: assertion.sub
displayName: <my_provider>
name: projects/<my_project_id_number>/locations/global/workloadIdentityPools/<my_pool_name>/providers/<my_provider>
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
```

```
gcloud iam service-accounts get-iam-policy <my_service_account_email>
```

```yaml
bindings:
- members:
  - serviceAccount:<my_service_account_email>
  role: roles/editor
- members:
  - principal://iam.googleapis.com/projects/<my_project_id_number>/locations/global/workloadIdentityPools/<my_pool_name>/subject/repo:github.<company>.net/<org>/<repo>
  - principalSet://iam.googleapis.com/projects/<my_project_id_number>/locations/global/workloadIdentityPools/<my_pool_name>/*
  - principalSet://iam.googleapis.com/projects/<my_project_id_number>/locations/global/workloadIdentityPools/<my_pool_name>/attribute.repository/github.<company>.net/<org>/<repo>
  role: roles/iam.workloadIdentityUser
etag: <ABCDkjg=>
version: 1
```
Workflow:

```yaml
name: Resources clean up
on:
  push:
env:
  slack_url: ${{ secrets.wh }}
jobs:
  Clean-Up:
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: 'actions/[email protected]'
      - id: 'auth'
        name: 'Authenticate to GCP'
        uses: 'google-github-actions/[email protected]'
        with:
          create_credentials_file: 'true'
          workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/<my_pool>/providers/<my_provider>'
          service_account: '[email protected]'
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/[email protected]'
      - name: 'gcloud'
        run: |-
          gcloud services list
```
Issue/Error:

```
ERROR: (gcloud.services.list) There was a problem refreshing your current auth tokens: ('Error code invalid_grant: The issuer in ID Token https://github.<company>.net/_services/token does not match the expected ones: https://token.actions.githubusercontent.com./', '{"error":"invalid_grant","error_description":"The issuer in ID Token https://github.<company>.net/_services/token does not match the expected ones: https://token.actions.githubusercontent.com./"}')
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
Error: Process completed with exit code 1.
```
Hi there @mselukar008

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @mselukar008

In that case, your oidc.issuerURI needs to match the OIDC endpoint of your GitHub installation:

```yaml
oidc:
  issuerUri: YOUR_ENDPOINT
```

https://token.actions.githubusercontent.com refers to the public github.com service. For GitHub Enterprise Server installations, the URL is set by your GitHub Server Administrator (docs). This is usually something like https://github.company.com/_services/token, but it can be customized. Furthermore, your GitHub Administrator may have disabled this feature entirely.

Please contact your IT department for further support.
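The mismatch in this thread can be reproduced offline before touching the pool configuration. The script below is an added example, not code from the google-github-actions/auth project or from this issue: it decodes the payload of a GitHub Actions OIDC token (without verifying the signature, which is Google STS's job), compares its `iss` claim with the provider's `oidc.issuerUri` the way the error message above does, and then goes one step further than the reply: it evaluates the `assertion.<claim>` attribute mapping from the pool description and derives the `principal://` and `principalSet://` member strings that an IAM binding would have to contain for this token to be granted `roles/iam.workloadIdentityUser`. The token claims, project number, pool and provider names are constructed placeholders; only the `assertion.<claim>` form of mapping expressions is handled (real mappings are CEL and can be richer).

```python
import base64
import json
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample payload shaped like a GitHub Actions OIDC token from a
# GitHub Enterprise Server host (claim names are the ones GitHub documents;
# all values are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://github.example.net/_services/token",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "aud": "https://iam.googleapis.com/projects/123456789/locations/global/"
           "workloadIdentityPools/my-pool/providers/my-provider",
    "repository": "example-org/example-repo",
    "actor": "octocat",
}
# Unsigned, constructed compact JWS; the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "sig-placeholder",
])

# Mirrors the shape of `gcloud iam workload-identity-pools providers describe`
# output, with the public-github.com issuer the thread starts from (placeholders).
PROVIDER = {
    "name": "projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
    "oidc": {"issuerUri": "https://token.actions.githubusercontent.com"},
    "attributeMapping": {
        "google.subject": "assertion.sub",
        "attribute.repository": "assertion.repository",
        "attribute.actor": "assertion.actor",
    },
}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT signature verification (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def normalize_issuer(uri: str) -> str:
    """Scheme + host + path, lower-cased host, trailing slash dropped."""
    p = urlparse(uri.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def issuer_matches(claims: dict, provider: dict) -> bool:
    return normalize_issuer(claims["iss"]) == normalize_issuer(provider["oidc"]["issuerUri"])


def apply_mapping(claims: dict, mapping: dict) -> dict:
    """Evaluate the `assertion.<claim>` subset of attribute-mapping expressions."""
    out = {}
    for target, expr in mapping.items():
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression {expr!r}")
        claim = expr[len("assertion."):]
        if claim not in claims:
            raise KeyError(f"token has no claim {claim!r} required by {target}")
        out[target] = claims[claim]
    return out


def matching_members(attrs: dict, provider: dict) -> list:
    """IAM member strings that would match a token with these mapped attributes."""
    pool = provider["name"].split("/providers/")[0]
    base = "iam.googleapis.com/" + pool
    members = [f"principal://{base}/subject/{attrs['google.subject']}",
               f"principalSet://{base}/*"]
    for key, value in attrs.items():
        if key.startswith("attribute."):
            members.append(f"principalSet://{base}/{key}/{value}")
    return members


def diagnose(token: str, provider: dict) -> dict:
    """Explain whether STS would accept this token against this provider, and why."""
    claims = decode_claims(token)
    if not issuer_matches(claims, provider):
        return {"ok": False,
                "reason": f"issuer {claims['iss']} does not match provider issuerUri "
                          f"{provider['oidc']['issuerUri']}"}
    attrs = apply_mapping(claims, provider["attributeMapping"])
    return {"ok": True, "attributes": attrs, "members": matching_members(attrs, provider)}


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TOKEN, PROVIDER), indent=2))
    fixed = dict(PROVIDER, oidc={"issuerUri": "https://github.example.net/_services/token"})
    print(json.dumps(diagnose(SAMPLE_TOKEN, fixed), indent=2))
```

Run as-is, the first report fails with the same issuer mismatch the workflow hit; the second, with `issuerUri` pointed at the enterprise host, lists the exact member strings to look for in `gcloud iam service-accounts get-iam-policy` output. Note that `google.subject` and `attribute.repository` are taken verbatim from the token claims, so the `subject/...` and `attribute.repository/...` segments of a binding must use the claim values as GitHub issues them, not a host-prefixed form.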
| Field | Value |
|---|---|
| Owner Name | google-github-actions |
| Repo Name | auth |
| Full Name | google-github-actions/auth |
| Language | TypeScript |
| Created Date | 2021-09-16 |
| Updated Date | 2023-03-24 |
| Star Count | 573 |
| Watcher Count | 16 |
| Fork Count | 116 |
| Issue Count | 3 |