workload identity + token_format

This issue has been tracked since 2023-01-12.

TL;DR

I want to authenticate with workload identity and create an OAuth token to be used by other steps. Currently, the credentials file created when using workload identity is created with the 'external_account' type.

Expected behavior

Setting token_format: "access_token" will produce a credentials file of type: 'authorized_user'.

Observed behavior

The credentials file is created with type: external_account

Action YAML

name: build

on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        id: checkout
        uses: actions/[email protected]

      - name: Set up JDK 11
        uses: actions/[email protected]
        with:
          java-version: "11"
          distribution: "adopt"

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/[email protected]"
        with:
          workload_identity_provider: "${{ secrets['WI_PROVIDER'] }}"
          service_account: "${{ secrets['WI_SA'] }}"
          token_format: "access_token" # we want an oauth token

      - name: Maven Build and Deploy
        run: mvn install # needs access to cloud sql, etc... using application default credentials, but doesn't know about workload identity

Log output

spring.cloud.gcp.pubsub.credentials.*) should be used if your app uses services that require credentials. trace_id= span_id= trace_flags= 
2023-01-11T21:58:03.7590302Z java.io.IOException: Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/foo/bar/gha-creds-b41be974044447ad.json': Error reading credentials from stream, 'type' value 'external_account' not recognized. Expecting 'authorized_user' or 'service_account'.

Additional information

Using Spring Boot; needs access to Cloud MySQL, Pub/Sub, Datastore

github-actions[bot] wrote this answer on 2023-01-14

Hi there @so-jelly 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo wrote this answer on 2023-01-14

Hi @so-jelly

Sorry, I'm not sure I understand your question. The JSON file created for Workload Identity Federation will always be "external account" - that's the definition of Workload Identity Federation. The token parameter controls whether an oauth access token or an id token is minted in addition to the authentication. If you specify a value for token, then you can retrieve the token in subsequent steps via an output.

In this case, you will need to work with the authors of the dependency which is throwing that error to add support for Workload Identity Federation.
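Added example (not from the original issue, and not the action's own documentation) of the pattern the reply describes: the auth step still writes an 'external_account' credentials file, and the OAuth token minted by token_format: "access_token" is read in a later step from the step's access_token output instead of relying on Application Default Credentials. Assumptions: the version placeholder must be replaced with a pinned release, the id-token: write permission is the OIDC requirement for Workload Identity Federation, the GCP_PROJECT secret and the Pub/Sub URL are illustrative.

```yaml
name: build

on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # needed so the job can request the GitHub OIDC token used for WIF
    steps:
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@<pinned-version>"   # placeholder: pin to a release or commit SHA
        with:
          workload_identity_provider: "${{ secrets['WI_PROVIDER'] }}"
          service_account: "${{ secrets['WI_SA'] }}"
          # Mints a short-lived OAuth access token in addition to the ADC file.
          # The ADC file itself remains type 'external_account'.
          token_format: "access_token"

      - name: Use the minted access token directly
        env:
          # The token is exposed as a step output; keep it in an env var rather
          # than interpolating it into the script body so it is not echoed in logs.
          GCP_ACCESS_TOKEN: "${{ steps.auth.outputs.access_token }}"
          PROJECT_ID: "${{ secrets['GCP_PROJECT'] }}"   # illustrative secret name
        run: |
          # Constructed check: a Bearer call that succeeds only if the token is valid.
          # Libraries that cannot parse 'external_account' can be given this token
          # explicitly instead of reading GOOGLE_APPLICATION_CREDENTIALS.
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${GCP_ACCESS_TOKEN}" \
            "https://pubsub.googleapis.com/v1/projects/${PROJECT_ID}/topics" > /dev/null
          echo "access token accepted by Google Cloud"
```

The access token expires after a short time, so steps that use it should run in the same job as the auth step rather than storing it as an artifact.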
