How can I use the generated credentials file after the Actions workflow is finished?

This issue has been tracked since 2023-02-18.

TL;DR

Hello.

I'm able to log in with the generated credentials file outside of the GitHub Actions workflow during the build.
gcloud auth login --cred-file=THE-COPIED-CREDENTIALS-JSON-FILE

But I cannot use this anymore after the workflow is finished, even if I set a longer access_token_lifetime.
"Can\'t issue ID_TOKEN for job in \'Completed\' state."

Is it possible to use the generated credentials regardless of the GitHub Actions workflows status?

Expected behavior

No response

Observed behavior

No response

Action YAML

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/[email protected]'
        with:
          token_format: "access_token"
          create_credentials_file: true
          access_token_lifetime: '1800s'
          workload_identity_provider: "${{ secrets.GCPWorkloadIdentityProvider }}"
          service_account: "${{ secrets.GCPServiceAccount }}"
          id_token_audience: "${{ secrets.GCPAudience }}"

      - name: Save the credentials file for other system
        run: cp ${{ steps.auth.outputs.credentials_file_path }} /my/local/path/ # This will be used after the workflows finished!

Log output

ERROR: (gcloud.projects.list) There was a problem refreshing your current auth tokens: ('Unable to retrieve Identity Pool subject token', '{"$id":"1","innerException":null,"message":"Can\'t issue ID_TOKEN for job in \'Completed\' state.","typeName":"GitHub.Actions.Runtime.WebApi.CannotGenerateIdTokenException, GitHub.Actions.Runtime.WebApi, Version=14.0.0.0, Culture=neutral, PublicKeyToken=null","typeKey":"CannotGenerateIdTokenException","errorCode":0,"eventId":3000}')

Additional information

No response

github-actions[bot] wrote this answer on 2023-02-24

Hi there @retzero 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo wrote this answer on 2023-02-24

Hi @retzero

Please provide your complete GitHub Actions YAML workflow. That error is coming from GitHub Actions, not gcloud or auth. Workload Identity relies on GitHub Actions minting a token. The token minter is returning an error saying the job is already finished (and therefore refusing to mint a token).

retzero wrote this answer on 2023-02-24

Thank you @sethvargo for the prompt response.

This is what I want to configure...

image

> The token minter is returning an error saying the job is already finished (and therefore refusing to mint a token).

Yes. I also think that if the GHA workflow has finished, the token cannot be used.
Isn't there any workaround or configuration to do this kind of job?

FYI, I'm using our GitHub Enterprise Server version.

sethvargo wrote this answer on 2023-02-24

Yes, this is working as intended. The GitHub token is invalidated once the run finishes.
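
Added example (not part of the issue thread or of the google-github-actions/auth code): a Python check that reads a Google credentials JSON and reports whether it can refresh on its own or depends on an outside token source, which is the dependency the answers above describe. It assumes the generated file follows Google's external_account layout; the sample is constructed with placeholder values, and `describe_credentials` and `SAMPLE_WIF_CONFIG` are hypothetical names.

```python
import json
from urllib.parse import urlparse

# Constructed sample in Google's external_account layout (assumption about the
# generated file); every value is a placeholder, none is taken from the issue.
SAMPLE_WIF_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": "https://runner.example.invalid/idtoken?audience=example",
        "headers": {"Authorization": "Bearer PLACEHOLDER_RUNTIME_TOKEN"},
        "format": {"type": "json", "subject_token_field_name": "value"},
    },
})

def describe_credentials(raw: str) -> dict:
    """Report whether a credentials JSON works alone or needs a live token source."""
    cfg = json.loads(raw)
    kind = cfg.get("type")
    if kind == "service_account":
        # Exported key file: the embedded private key signs requests by itself.
        return {"type": kind, "self_contained": "private_key" in cfg, "depends_on": None}
    if kind == "authorized_user":
        return {"type": kind, "self_contained": "refresh_token" in cfg, "depends_on": None}
    if kind == "external_account":
        src = cfg.get("credential_source", {})
        if "url" in src:
            # Each refresh fetches a new subject token from this URL. When the
            # issuer refuses (job in 'Completed' state), the refresh fails.
            dep = "url:" + (urlparse(src["url"]).hostname or "")
        elif "file" in src:
            dep = "file:" + src["file"]
        elif "executable" in src:
            dep = "executable"
        else:
            dep = "unknown"
        return {"type": kind, "self_contained": False, "depends_on": dep}
    raise ValueError(f"unrecognised credentials type: {kind!r}")

if __name__ == "__main__":
    print(describe_credentials(SAMPLE_WIF_CONFIG))
```

A file reported as `self_contained: False` holds no long-lived secret, so copying it off the runner does not extend access past the job. The bearer value in `credential_source.headers` is still sensitive while the job is running.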

More Details About Repo
Owner Name google-github-actions
Repo Name auth
Full Name google-github-actions/auth
Language TypeScript
Created Date 2021-09-16
Updated Date 2023-03-24
Star Count 573
Watcher Count 16
Fork Count 116
Issue Count 3
