GoogleCloudPlatform / cloud-foundation-fabric

End-to-end modular samples and landing zones toolkit for Terraform on GCP.
Apache License 2.0

CICD WIP "connected service accounts" not granted access #1441

Closed kthhrv closed 1 year ago

kthhrv commented 1 year ago

It appears that stage 0-bootstrap doesn't grant access to the connected service accounts, meaning that the GitHub action doesn't have permission to download the TF output files.

Or maybe I missed a step :)

job failing [image]

service accounts having nothing granted to them [image]

If I manually grant "All identities in the pool" to the account [image] and retry the job, it succeeds, but the perms are removed again so the next run fails.

Here is the relevant part of my 0-bootstrap tfvars:

...

federated_identity_providers = {
  github = {
    attribute_condition = "attribute.repository_owner==\"timeoutdigital\""
    issuer              = "github"
    custom_settings     = null
  }
}

cicd_repositories = {
  bootstrap = {
    branch            = null
    identity_provider = "github"
    name              = "timeoutdigital/fast-00-bootstrap"
    type              = "github"
  }
  resman = {
    branch            = "master"
    identity_provider = "github"
    name              = "timeoutdigital/fast-01-resman"
    type              = "github"
  }
}

that was copied from the example at https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/0-bootstrap#workload-identity-federation

I believe this issue also impacts the other stages

thanks

ludoo commented 1 year ago

This would be much quicker in a video call :) Check permissions on the automation service account for bootstrap (meaning the SA as a resource): there should be a token creator role assigned to the bootstrap CI/CD service account. On the CI/CD service account there should be the workload identity role for the principalSet matching your repo.
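The two bindings described above, written out as an added Terraform example; this is not the Fabric project's own code (the bootstrap stage derives these bindings from `cicd_repositories` itself). The project id and number, pool id, service account emails and the assumption that the pool maps the GitHub `repository` claim to `attribute.repository` are placeholders for illustration:

```hcl
# Added example, not Fabric code. All values below are assumed placeholders.
locals {
  project_id     = "prj-bootstrap"      # placeholder project id
  project_number = "123456789012"       # placeholder project number
  wif_pool       = "github-pool"        # placeholder Workload Identity pool id
  # Must match the GitHub repository exactly (owner/name, including '-' vs '_').
  repository     = "timeoutdigital/fast-00-bootstrap"
  cicd_sa        = "bootstrap-1@prj-bootstrap.iam.gserviceaccount.com" # CI/CD SA (-1)
  automation_sa  = "bootstrap-0@prj-bootstrap.iam.gserviceaccount.com" # automation SA (-0)
}

# On the CI/CD SA (as a resource): tokens issued for this repository,
# matched on the pool's attribute.repository claim, may impersonate it.
resource "google_service_account_iam_member" "cicd_wif_user" {
  service_account_id = "projects/${local.project_id}/serviceAccounts/${local.cicd_sa}"
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${local.project_number}/locations/global/workloadIdentityPools/${local.wif_pool}/attribute.repository/${local.repository}"
}

# On the automation SA (as a resource): the CI/CD SA may mint tokens for it,
# which is what lets the pipeline read the stage outputs.
resource "google_service_account_iam_member" "automation_token_creator" {
  service_account_id = "projects/${local.project_id}/serviceAccounts/${local.automation_sa}"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${local.cicd_sa}"
}
```

The `principalSet` member is compared as an exact string against the claim in the GitHub OIDC token, so a repository name in `cicd_repositories` that differs from the real repository even by one character (for example `-` where the repo uses `_`) yields a binding that never matches, and the job fails with no permission error visible on the IAM page itself.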

ludoo commented 1 year ago

If you feel like jumping on a call, look me up on LinkedIn and let's troubleshoot this.

kthhrv commented 1 year ago

@ludoo great thanks I'll do that!

ludoo commented 1 year ago

So, let's unravel from the outside:

This should be assigned on your CI/CD SA (the one ending in -1) [image]

and this on the automation SA (the one ending in -0) [image]

There's nothing else needed in terms of IAM.

kthhrv commented 1 year ago

Both are there [image] [image]

kthhrv commented 1 year ago

I've requested a connection on LinkedIn, thanks.

kthhrv commented 1 year ago

Thanks for helping @ludoo, nice one spotting that terraform.tfvars had timeoutdigital/fast-00-bootstrap but the repo was created as timeoutdigital/fast_00_bootstrap.