Open bravous opened 1 year ago
Here is a similar use case:
We use https://github.com/google-github-actions/auth specifically with Workload Identity Federation in a GitHub workflow to push/pull Maven packages. The action will generate a credential file and set GOOGLE_APPLICATION_CREDENTIALS. But the Maven wagon doesn't recognize the credential.
Sample error:
[INFO] ArtifactRegistry Maven Wagon: Retrieving credentials...
[INFO] Trying Application Default Credentials...
[INFO] Failed to retrieve Application Default Credentials: Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/lumberjack/lumberjack/gha-creds-9431c36ab7cdf0f2.json': Error reading credentials from stream, 'type' value 'external_account' not recognized. Expecting 'authorized_user' or 'service_account'.
We ran into the same issue. It appears the original issue regarding "subject_token_field_name must be set" was fixed by this: https://github.com/googleapis/google-auth-library-java/issues/815
So updating to the latest version of the dependency google-auth-library-oauth2-http should fix the issue in this project.
When using workload federation it seems that the artifact wagon implementation is not able to use the credential config.
For instance, when I do the following in a Bitbucket pipeline (gcloud is not available), it fails:
I get the following error: When specifying a JSON credential type, the subject_token_field_name must be set.
However, when I install the gcloud command line, everything works fine. I would expect that Maven should be able to work without the gcloud command line tool being available and by itself.
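An added example, not part of the thread or of the wagon's code: a pre-flight check a pipeline could run on the file named by GOOGLE_APPLICATION_CREDENTIALS to tell the two errors quoted above apart before Maven runs. The function name `diagnose` and the sample config are constructed for illustration, and the `credential_source.format` layout is assumed to follow the external_account config format.

```python
import json
import os

# Types the older reader accepted, per the error message quoted in the thread.
LEGACY_TYPES = {"authorized_user", "service_account"}

def diagnose(config_text):
    """Return findings for a credential config; prints no secret values."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not a JSON object"]
    ctype = cfg.get("type")
    if ctype in LEGACY_TYPES:
        return []
    if ctype != "external_account":
        return [f"unexpected 'type' value {ctype!r}"]
    findings = ["type is 'external_account': the auth library in use must "
                "recognize federated credential configs"]
    source = cfg.get("credential_source")
    if not isinstance(source, dict):
        findings.append("credential_source is missing or not an object")
        return findings
    fmt = source.get("format")
    if (isinstance(fmt, dict) and fmt.get("type") == "json"
            and not fmt.get("subject_token_field_name")):
        findings.append("credential_source.format.type is 'json' but "
                        "subject_token_field_name is not set")
    return findings

# Constructed sample: a federated config whose JSON format lacks the field name.
SAMPLE_MISSING_FIELD = json.dumps({
    "type": "external_account",
    "credential_source": {
        "url": "https://oidc.example.invalid/token",
        "format": {"type": "json"},
    },
})

if __name__ == "__main__":
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MISSING_FIELD  # fall back to the constructed sample
    for finding in diagnose(text) or ["no findings"]:
        print(finding)
```

The check reports field names only, so its output is safe to leave in CI logs.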