Auth fails with "retry function failed after 1 attempt: failed to generate Google Cloud access token"

This issue has been tracked since 2022-11-15.

TL;DR

I've tried various config, but I can't get past this error.

Expected behavior

Successful token creation

Observed behavior

I get the error: "retry function failed after 1 attempt: failed to generate Google Cloud access token"

Action YAML

name: Tests

on:
  push:
    branches-ignore:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: 'write'
      id-token: 'write'
    steps:
    - uses: actions/[email protected]
    - name: Set up Python
      uses: actions/[email protected]
      with:
        python-version: 3.10.2
    - name: Install poetry
      uses: abatilo/[email protected]
      with:
        poetry-version: 1.2.2

    - id: 'auth'
      uses: 'google-github-actions/[email protected]'
      with:
        token_format: 'access_token'
        workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
        service_account: '[email protected]'

    - name: install dependencies
      run: poetry install

    - name: Run tests
      run: poetry run pytest --mypy --cov-report=term --cov-report=xml:cov.xml --cov
      
    - name: Code Coverage Report
      uses: irongut/[email protected]
      with:
        filename: cov.xml

    - name: Pytest coverage comment
      id: coverageComment
      uses: MishaKav/[email protected]
      with:
        pytest-xml-coverage-path: cov.xml

    - name: Update Readme with Coverage Html
      run: |
        sed -i '/<!-- Pytest Coverage Comment:Begin -->/,/<!-- Pytest Coverage Comment:End -->/c\<!-- Pytest Coverage Comment:Begin -->\${{ steps.coverageComment.outputs.coverageHtml }}${{ steps.coverageComment.outputs.summaryReport }}<!-- Pytest Coverage Comment:End -->' ./README.md
    - name: Commit & Push changes to Readme
      uses: stefanzweifel/[email protected]
      with:
        file_pattern: README.md

Log output

Run google-github-actions/[email protected]
  with:
    token_format: access_token
    workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/github-pool/providers/github-provider
    service_account: [email protected]
    create_credentials_file: true
    export_environment_variables: true
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    retries: 0
    id_token_include_email: false
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.10.2/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.2/x64/lib
Created credentials file at "/home/runner/work/xxx/xxx/gha-creds-4f9276f1969ce354.json"
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to generate Google Cloud access token for [email protected]: (403) {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Additional information

I've used the gh-oidc terraform module to set things up; and that applies without errors, but presumably there's some misconfiguration somewhere - but I'm not sure what I should be looking for.

https://registry.terraform.io/modules/terraform-google-modules/github-actions-runners/google/latest/submodules/gh-oidc

github-actions[bot] wrote this answer on 2022-11-25
0

Hi there @PaulRudin 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

sethvargo wrote this answer on 2022-11-25
0

Hi @PaulRudin - please review the troubleshooting steps. There are many common misconfigurations that cause that error.

PaulRudin wrote this answer on 2022-11-25
0

Yup, I read that. I guess the fact that there are many potential misconfigurations that makes it tricky to spot the problem.

sethvargo wrote this answer on 2022-11-25
0

Did you provide sa_mappings in that Terraform configuration?

PaulRudin wrote this answer on 2022-11-25
0

Yeah, that block is defined by:

    sa_mapping: {
	"github-fplscore-sa" : {
	  sa_name: "${google_service_account.github_fplscore_sa.name}",
	  attribute: "attribute.repository/PaulRudin/fplscore",
	},
	"github-fplserve-sa": {
	  sa_name: "${google_service_account.github_fplserve_sa.name}",
	  attribute: "attribute.repository/PaulRudin/fplserve",
	}
      }
PaulRudin wrote this answer on 2022-11-25
0

I tried enabling audit logging as suggested in the troubleshooting guide, but I couldn't see any log entries that seem relevant after rerunning the workflow. But I'm not sure what I should be looking for.

djfinnoy wrote this answer on 2022-11-25
0

I'm experiencing the same problem. Service account impersonation is not working, been trying for two days now.
I've tried all the steps in the troubleshooting docs, and in closed issues; I simply cannot limit a service account to any attributes, or even the subject field.
I'm able to get around this issue by using conditions on the provider; and allowing service accounts to access "all identities in the pool". This effectively limits me to one service account per provider, which I guess is fine for my use-case.

I'm pretty confident that something is wrong with service account impersonations. I can't find anything useful in the logs tho. To reproduce, try to limit a service account to repository_owner with the latest version of the auth workflow. I just set up the pool using my browser as a test; everything seems to be in order, and the principalSet IAM rules generated by console actions seem correct, but the action still fails with failed to generate Google Cloud access token.

PaulRudin wrote this answer on 2022-11-25
0

So, based on that I just used a single service account and used "*" as the attribute in the sa_mapping, and now the authentication seems to succeed.

sethvargo wrote this answer on 2022-11-25
0

Hi @PaulRudin @djfinnoy

Did you provide any attribute mappings in the configuration (Terraform)? See step 3 of the troubleshooting guide, but you must have an attribute mapping for any attribute conditions. You cannot create an attribute condition unless you map values from the incoming GitHub OIDC token. In that Terraform module, it would be something like:

module "gh_oidc" {
  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
  # ...

  attribute_mapping = {
    "google.subject": "assertion.sub"
    "attribute.repository" : "assertion.repository"
  }

  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/[email protected]"
      attribute = "attribute.repository/user/repo"
    }
  }
}

Also double check capitalization on the repository owner and repository names.

lucasmellos wrote this answer on 2022-11-25
0

Facing the same error on my side. After upgrading to v1 it broke my pipeline.

sethvargo wrote this answer on 2022-11-25
0

Hi @lucasmellos - there were only documentation changes between v0 and v1, so I'm not sure how that would affect your pipeline.

djfinnoy wrote this answer on 2022-11-25
0

Yes, I did the attribute mapping bit. When you manage workload identity pools through the console in your browser, you won't even be able to configure impersonation filters without the attribute mappings.

Is it possible that something is broken on the GCP Workload Identity pool side of the equation?
I had some trouble with provider conditions; attribute.repository == "my-org/my-repo" didn't work, while assertion.repository == "my-org/my-repo" worked fine. Based on the docs, I was under the impression that one could use attribute.<x> for the provider conditions, so I'm wondering if maybe something is wrong with attribute mappings in GCP.

Edit:
It's also possible that I'm just doing the attribute mappings wrong when setting them up via the console. Will try it through Terraform and see if that yields different results.

lucasmellos wrote this answer on 2022-11-25
0

On my side, it was the lack of SA attachment. Notting related to this action.

sethvargo wrote this answer on 2022-11-25
0

Hi @djfinnoy - it's also possible that you're not waiting ~5min in between changes. WIF pools take a long time to provision and are eventually consistent, especially configuration changes. Attribute conditions should be attribute.something.

PaulRudin wrote this answer on 2022-11-25
0

Hi @PaulRudin @djfinnoy

Did you provide any attribute mappings in the configuration (Terraform)? See step 3 of the troubleshooting guide, but you must have an attribute mapping for any attribute conditions. You cannot create an attribute condition unless you map values from the incoming GitHub OIDC token. In that Terraform module, it would be something like:

module "gh_oidc" {
  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
  # ...

  attribute_mapping = {
    "google.subject": "assertion.sub"
    "attribute.repository" : "assertion.repository"
  }

  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/[email protected]"
      attribute = "attribute.repository/user/repo"
    }
  }
}

Also double check capitalization on the repository owner and repository names.

I didn't specify the attribute mapping explicitly, but that terraform module has a default that includes the mapping you suggest: https://github.com/terraform-google-modules/terraform-google-github-actions-runners/blob/760e9710da0a2378d2acbb58fb4c06c007b4ec79/modules/gh-oidc/variables.tf#L68

sethvargo wrote this answer on 2022-11-25
0

@PaulRudin understood. Unfortunately without more information, it's difficult to debug this. Have you enabled the Security Token Service Activity logs for Admin, Data Read, and Data Write and looked at the logs?

djfinnoy wrote this answer on 2022-11-25
0

After creating a WI pool and provider with Terraform, I have realized that my issues were caused by misconfigured attribute mappings.

For some reason, when defining these mappings in the console, I deceived myself into thinking one should enquote CEL strings. This was a mistake, and lead to broken attribute mappings that cannot be utilized by neither the provider's attribute conditions, nor the service account impersonations.

To demonstrate my error, all attribute mappings except repository_owner are correct and working in the pic below:
image

Edit:
Some debug advice: If you can't get service account impersonations to work, try using the same attributes within the provider conditions. If this doesn't work, you are probably dealing with misconfigured attribute mappings.
I found the following action useful for debugging: https://github.com/github/actions-oidc-debugger

sethvargo wrote this answer on 2022-11-25
0

Hi @PaulRudin - can you share some screenshots of your Pool and Provider configuration please?

PaulRudin wrote this answer on 2022-11-25
0

As I mentioned I've now switch to a single service account and using '*' for the attribute and things work on that basis. I'll try to make a minimal reproducible example without messing with my existing setup.

sethvargo wrote this answer on 2022-12-10
0

Hey @PaulRudin - any luck on building a reproduction case?

More Details About Repo
Owner Name google-github-actions
Repo Name auth
Full Name google-github-actions/auth
Language TypeScript
Created Date 2021-09-16
Updated Date 2023-03-24
Star Count 573
Watcher Count 16
Fork Count 116
Issue Count 3

YOU MAY BE INTERESTED

Issue Title Created Date Updated Date

Popular Frameworks
Programming Languages

Copyright © Codesti | Contact