I want to authenticate with workload identity and create an OAuth token to be used by other steps. Currently, the credentials file created when using workload identity is created with the 'external_account' type.
Setting `token_format: "access_token"` will produce a credentials file of type: 'authorized_user'.
The credentials file is created with type: external_account
```yaml
name: build
on:
  push:
  pull_request:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        id: checkout
        uses: actions/[email protected]
      - name: Set up JDK 11
        uses: actions/[email protected]
        with:
          java-version: "11"
          distribution: "adopt"
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/[email protected]"
        with:
          workload_identity_provider: "${{ secrets['WI_PROVIDER'] }}"
          service_account: "${{ secrets['WI_SA'] }}"
          token_format: "access_token" # we want an oauth token
      - name: Maven Build and Deploy
        run: mvn install # needs access to cloud sql, etc... using application default credentials, but doesn't know about workload identity
```
```
spring.cloud.gcp.pubsub.credentials.*) should be used if your app uses services that require credentials. trace_id= span_id= trace_flags=
2023-01-11T21:58:03.7590302Z java.io.IOException: Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/foo/bar/gha-creds-b41be974044447ad.json': Error reading credentials from stream, 'type' value 'external_account' not recognized. Expecting 'authorized_user' or 'service_account'.
```
Using Spring Boot, needs access to Cloud MySQL, Pub/Sub, Datastore.
Hi there @so-jelly
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @so-jelly
Sorry, I'm not sure I understand your question. The JSON file created for Workload Identity Federation will always be "external account" - that's the definition of Workload Identity Federation. The token parameter controls whether an oauth access token or an id token is minted in addition to the authentication. If you specify a value for token, then you can retrieve the token in subsequent steps via an output.
In this case, you will need to work with the authors of the dependency which is throwing that error to add support for Workload Identity Federation.
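An added example, not part of the issue thread or of the action's own code: a preflight check that reads the file named by `GOOGLE_APPLICATION_CREDENTIALS` and reports whether a client limited to the types in the error above can load it, and whether the file holds long-lived key material. The `diagnose` helper, the required-field list and the sample values are assumptions of this sketch; the accepted-type set is copied from the error message.

```python
import json
import os
import sys

# Types the failing client accepts, copied from the error message on this page.
LEGACY_TYPES = frozenset({"authorized_user", "service_account"})
# Fields that carry long-lived secrets in the older credential formats.
SECRET_FIELDS = frozenset({"private_key", "refresh_token", "client_secret"})
# Fields this sketch expects in an external_account (federation) config.
WIF_FIELDS = ("audience", "subject_token_type", "token_url", "credential_source")

# Constructed sample with placeholder values, shaped like a federation config.
SAMPLE_WIF = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/0/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"url": "https://example.invalid/oidc-token"},
})


def diagnose(text, accepted_types=LEGACY_TYPES):
    """Classify one credentials JSON document for a given client."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        cfg = None
    if not isinstance(cfg, dict):
        return {"type": None, "loadable": False, "missing": [], "secrets": []}
    ctype = cfg.get("type")
    missing = []
    if ctype == "external_account":
        missing = [k for k in WIF_FIELDS if k not in cfg]
    return {
        "type": ctype,
        # A client rejects any type outside the set it was written to accept.
        "loadable": ctype in accepted_types and not missing,
        "missing": missing,
        # A federation config should hold no long-lived key material.
        "secrets": sorted(SECRET_FIELDS.intersection(cfg)),
    }


if __name__ == "__main__":
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WIF
    report = diagnose(text)
    print(report)
    sys.exit(0 if report["loadable"] else 1)
```

Run as a step before `mvn install`, it turns the stack trace into an explicit preflight failure; passing a wider `accepted_types` models a client library that has added support for `external_account`.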
Owner Name | google-github-actions |
Repo Name | auth |
Full Name | google-github-actions/auth |
Language | TypeScript |
Created Date | 2021-09-16 |
Updated Date | 2023-03-24 |
Star Count | 573 |
Watcher Count | 16 |
Fork Count | 116 |
Issue Count | 3 |