Unable to setup multiple times with different projects in the same job
This issue has been tracked since 2021-12-04.
TL;DR
I have a workflow that uses google-github-actions/setup-gcloud multiple times, with a different project_id and service_account_key in each. Prior to f38d54f, this workflow worked without issue, but now whichever script is second always fails. The error message suggests that the service account from the first setup run is still in use.
Expected behavior
Each script runs with the credentials defined by whatever project/service account was setup last.
Observed behavior
Both scripts run with the credentials defined by whatever project/service account was setup first (reordering the job steps confirms this).
The second script thus errors with:
ERROR: (gcloud.app.versions.list) User [***@***-prod.iam.gserviceaccount.com] does not have permission to access apps instance [scribeai-test] (or it may not exist): The caller does not have permission
Action YAML
name: Cleanup Versions
on:
schedule:
# Every hour at :05
- cron: '5 * * * *'
workflow_dispatch:
jobs:
Cleanup:
runs-on: ubuntu-latest
steps:
- name: Check out repo
uses: actions/[email protected]
- name: Set up Node
uses: actions/[email protected]
with:
# Keep version in sync wih .nvmrc.
node-version: 15.5.1
- name: Cache node_modules
id: cache-node-modules
uses: actions/[email protected]
with:
path: node-modules-cache
key: ${{ github.workflow }}-node-modules-${{ hashFiles('**/package.json', '**/yarn.lock') }}
- name: Restore node_modules cache
if: steps.cache-node-modules.outputs.cache-hit == 'true'
run: tools/node-modules-cache.sh restore
- name: Install dependencies
run: yarn
- name: Check yarn.lock
run: yarn check-yarn-lock
- name: Save node_modules cache
if: steps.cache-node-modules.outputs.cache-hit != 'true'
run: tools/node-modules-cache.sh save
- name: Set up gcloud (prod)
uses: google-github-actions/[email protected]
with:
export_default_credentials: true
project_id: ***-prod
service_account_key: ${{ secrets.GCP_CREDENTIALS_PROD }}
- name: Cleanup Versions (prod)
run: yarn cleanup-versions --stopUnusedVersions --execute
- name: Set up gcloud (test)
uses: google-github-actions/[email protected]
with:
export_default_credentials: true
project_id: ***-test
service_account_key: ${{ secrets.GCP_CREDENTIALS_TEST }}
- name: Cleanup Versions (test)
run: yarn cleanup-versions --stopUnusedVersions --project scribeai-test --executeAdditional information
I confirmed this is a regression by pinning the commit hash to 94faef2
sethvargo wrote this answer on
2021-12-04
sethvargo wrote this answer on
2021-12-04
@bharathkkb I think I see the problem here. setup-gcloud-sdk prefers the environment variable over a value being given. I think we need to move L216 up to the top to check if a key was given as a value first.
tylerbrandt wrote this answer on
2021-12-04
Here's the logs for the steps that use this action (and their dependencies, where the error actually appears). I can share the rest as well if needed but might need to scrub some stuff. The error occurs in the step after the second invocation of setup-gcloud.
2021-12-02T18:12:57.3041932Z ##[group]Run google-github-actions/[email protected]
2021-12-02T18:12:57.3042739Z with:
2021-12-02T18:12:57.3043396Z export_default_credentials: true
2021-12-02T18:12:57.3044141Z project_id: scribeai-prod
2021-12-02T18:12:57.3067792Z service_account_key: ***
2021-12-02T18:12:57.3068455Z version: latest
2021-12-02T18:12:57.3069130Z cleanup_credentials: true
2021-12-02T18:12:57.3069789Z ##[endgroup]
2021-12-02T18:12:58.5624023Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/ea706e03-eae3-42fe-8098-9bac36116adb -f /home/runner/work/_temp/c9220446-387b-4f37-ba34-c5fbf6df57c6
2021-12-02T18:13:11.6289675Z Successfully set default project
2021-12-02T18:13:11.6302339Z ##[warning]"service_account_key" has been deprecated. Please switch to using google-github-actions/auth which supports both Workload Identity Federation and Service Account Key JSON authentication. For more details, see https://github.com/google-github-actions/setup-gcloud#authorization
2021-12-02T18:13:12.3524555Z Successfully exported Default Application Credentials
2021-12-02T18:13:12.3717633Z ##[group]Run yarn cleanup-versions --stopUnusedVersions --execute
2021-12-02T18:13:12.3718882Z �[36;1myarn cleanup-versions --stopUnusedVersions --execute�[0m
2021-12-02T18:13:12.3799621Z shell: /usr/bin/bash -e ***0***
2021-12-02T18:13:12.3800257Z env:
2021-12-02T18:13:12.3801101Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-12-02T18:13:12.3802076Z GCLOUD_PROJECT: scribeai-prod
2021-12-02T18:13:12.3803099Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/scribeai/scribeai/9c8014ab58d62c6e939d799d
2021-12-02T18:13:12.3804277Z GOOGLE_GHA_CREDS_PATH: /home/runner/work/scribeai/scribeai/9c8014ab58d62c6e939d799d
2021-12-02T18:13:12.3805126Z ##[endgroup]
2021-12-02T18:13:12.5254135Z yarn run v1.22.17
2021-12-02T18:13:12.5651504Z $ /home/runner/work/scribeai/scribeai/node_modules/.bin/cleanup-versions --stopUnusedVersions --execute
2021-12-02T18:13:12.8427362Z Using project: scribeai-prod
2021-12-02T18:13:12.8432178Z In EXECUTE mode
2021-12-02T18:13:12.8433247Z Running with options:
2021-12-02T18:13:12.8434072Z minVersions: 1
2021-12-02T18:13:12.8434937Z stopUnusedVersions: true
2021-12-02T18:13:12.8436154Z threshold: 86400
2021-12-02T18:13:22.7178368Z Default version: main-ffd4bbf: SERVING (last deployed 16:34 ago, 9 active recordings)
2021-12-02T18:13:27.7289570Z main-345bf9a: SERVING (deployed 16:49 ago, 0 active recordings)
2021-12-02T18:13:27.7301653Z main-61a1a08: STOPPED (deployed 17:34 ago, 0 active recordings)
2021-12-02T18:13:32.2592331Z main-147a62d: SERVING (deployed 23:45 ago, 1 active recordings)
2021-12-02T18:13:32.2594363Z main-0b5bdfa: STOPPED (deployed 34:58 ago, 0 active recordings)
2021-12-02T18:13:32.2595604Z Nothing to delete or stop.
2021-12-02T18:13:32.2650285Z Done in 19.74s.
2021-12-02T18:13:32.2802243Z ##[group]Run google-github-actions/[email protected]
2021-12-02T18:13:32.2803072Z with:
2021-12-02T18:13:32.2803739Z export_default_credentials: true
2021-12-02T18:13:32.2804487Z project_id: scribeai-test
2021-12-02T18:13:32.2825018Z service_account_key: ***
2021-12-02T18:13:32.2825700Z version: latest
2021-12-02T18:13:32.2826361Z cleanup_credentials: true
2021-12-02T18:13:32.2827021Z env:
2021-12-02T18:13:32.2827881Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-12-02T18:13:32.2828867Z GCLOUD_PROJECT: scribeai-prod
2021-12-02T18:13:32.2829873Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/scribeai/scribeai/9c8014ab58d62c6e939d799d
2021-12-02T18:13:32.2831081Z GOOGLE_GHA_CREDS_PATH: /home/runner/work/scribeai/scribeai/9c8014ab58d62c6e939d799d
2021-12-02T18:13:32.2831945Z ##[endgroup]
2021-12-02T18:13:33.1501131Z Successfully set default project
2021-12-02T18:13:33.1508522Z ##[warning]"service_account_key" has been deprecated. Please switch to using google-github-actions/auth which supports both Workload Identity Federation and Service Account Key JSON authentication. For more details, see https://github.com/google-github-actions/setup-gcloud#authorization
2021-12-02T18:13:33.8215722Z Successfully exported Default Application Credentials
2021-12-02T18:13:33.8303996Z ##[group]Run yarn cleanup-versions --stopUnusedVersions --project scribeai-test --execute
2021-12-02T18:13:33.8305599Z �[36;1myarn cleanup-versions --stopUnusedVersions --project scribeai-test --execute�[0m
2021-12-02T18:13:33.8347994Z shell: /usr/bin/bash -e ***0***
2021-12-02T18:13:33.8348627Z env:
2021-12-02T18:13:33.8349495Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2021-12-02T18:13:33.8350468Z GCLOUD_PROJECT: scribeai-test
2021-12-02T18:13:33.8351488Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/scribeai/scribeai/cd28c861a1c8047a3bdabceb
2021-12-02T18:13:33.8352703Z GOOGLE_GHA_CREDS_PATH: /home/runner/work/scribeai/scribeai/cd28c861a1c8047a3bdabceb
2021-12-02T18:13:33.8353564Z ##[endgroup]
2021-12-02T18:13:33.9810881Z yarn run v1.22.17
2021-12-02T18:13:34.0208982Z $ /home/runner/work/scribeai/scribeai/node_modules/.bin/cleanup-versions --stopUnusedVersions --project scribeai-test --execute
2021-12-02T18:13:34.2182773Z Using project: scribeai-test
2021-12-02T18:13:34.2186422Z In EXECUTE mode
2021-12-02T18:13:34.2187471Z Running with options:
2021-12-02T18:13:34.2188358Z minVersions: 1
2021-12-02T18:13:34.2189290Z stopUnusedVersions: true
2021-12-02T18:13:34.2198911Z threshold: 86400
2021-12-02T18:13:34.9154636Z ERROR: (gcloud.app.versions.list) User [[email protected]] does not have permission to access apps instance [scribeai-test] (or it may not exist): The caller does not have permission
2021-12-02T18:13:34.9185371Z Error: Command failed: gcloud app versions list --project "scribeai-test" --format=json
2021-12-02T18:13:34.9189901Z ERROR: (gcloud.app.versions.list) User [[email protected]] does not have permission to access apps instance [scribeai-test] (or it may not exist): The caller does not have permission
2021-12-02T18:13:34.9191459Z
2021-12-02T18:13:34.9192366Z at checkExecSyncError (node:child_process:680:11)
2021-12-02T18:13:34.9193473Z at Object.execSync (node:child_process:717:15)
2021-12-02T18:13:34.9194907Z at main (/home/runner/work/scribeai/scribeai/tools/cleanup-versions.js:75:8)
2021-12-02T18:13:34.9196903Z at Object.<anonymous> (/home/runner/work/scribeai/scribeai/tools/cleanup-versions.js:185:3)
2021-12-02T18:13:34.9198205Z at Module._compile (node:internal/modules/cjs/loader:1108:14)
2021-12-02T18:13:34.9199425Z at Object.Module._extensions..js (node:internal/modules/cjs/loader:1137:10)
2021-12-02T18:13:34.9200620Z at Module.load (node:internal/modules/cjs/loader:973:32)
2021-12-02T18:13:34.9201753Z at Function.Module._load (node:internal/modules/cjs/loader:813:14)
2021-12-02T18:13:34.9203165Z at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:76:12)
2021-12-02T18:13:34.9204842Z at node:internal/main/run_main_module:17:47 ***
2021-12-02T18:13:34.9205679Z status: 1,
2021-12-02T18:13:34.9206397Z signal: null,
2021-12-02T18:13:34.9208632Z output: [
2021-12-02T18:13:34.9209191Z null,
2021-12-02T18:13:34.9209771Z <Buffer >,
2021-12-02T18:13:34.9210702Z <Buffer 45 52 52 4f 52 3a 20 28 67 63 6c 6f 75 64 2e 61 70 70 2e 76 65 72 73 69 6f 6e 73 2e 6c 69 73 74 29 20 55 73 65 72 20 5b 64 65 70 6c 6f 79 40 73 63 72 ... 160 more bytes>
2021-12-02T18:13:34.9211466Z ],
2021-12-02T18:13:34.9211994Z pid: 3089,
2021-12-02T18:13:34.9212587Z stdout: <Buffer >,
2021-12-02T18:13:34.9215150Z stderr: <Buffer 45 52 52 4f 52 3a 20 28 67 63 6c 6f 75 64 2e 61 70 70 2e 76 65 72 73 69 6f 6e 73 2e 6c 69 73 74 29 20 55 73 65 72 20 5b 64 65 70 6c 6f 79 40 73 63 72 ... 160 more bytes>
2021-12-02T18:13:34.9216212Z ***
2021-12-02T18:13:34.9323140Z error Command failed with exit code 1.
2021-12-02T18:13:34.9324378Z info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
2021-12-02T18:13:34.9396642Z ##[error]Process completed with exit code 1.
2021-12-02T18:13:34.9471119Z Post job cleanup.
2021-12-02T18:13:34.9968120Z Removed exported credentials at /home/runner/work/scribeai/scribeai/cd28c861a1c8047a3bdabceb
2021-12-02T18:13:35.0067493Z Post job cleanup.
2021-12-02T18:13:35.0566933Z No exported credentials found
2021-12-02T18:13:35.0719301Z Post job cleanup.
yxlao wrote this answer on
2021-12-06
Reporting the same issue. It started to break for us several days ago.
Observation:
- The first
setup-gcloudworks fine with setting up the service accountA. - The second
setup-gcloudattempts to set up service accountB. It runs without error, but the service account remains to beA.
Here is the error screenshot:
Here is how it's used in CI:
https://github.com/isl-org/Open3D/blob/0a49cdf798959197cf6fc6a57e7d60544fef98d5/.github/workflows/ubuntu-wheel.yml#L81-L107
Here is the full log:
https://github.com/isl-org/Open3D/runs/4428198045?check_suite_focus=true
sethvargo wrote this answer on
2021-12-06
This will be fixed when we merge google-github-actions/setup-cloud-sdk#50 and update the dependencies.
More Details About Repo
| Owner Name | google-github-actions |
| Repo Name | setup-gcloud |
| Full Name | google-github-actions/setup-gcloud |
| Language | TypeScript |
| Created Date | 2019-11-05 |
| Updated Date | 2023-03-23 |
| Star Count | 1505 |
| Watcher Count | 65 |
| Fork Count | 548 |
| Issue Count | 11 |
YOU MAY BE INTERESTED
| Issue Title | Created Date | Updated Date |
|---|