diggerhq / digger

Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
https://digger.dev
Apache License 2.0
2.87k stars 134 forks

GCP authentication issue when bucket for locks is in different project #704

Open motatoes opened 10 months ago

motatoes commented 10 months ago

From a user report:

I'm running digger via Github Actions for a GCP environment. I'm able to authenticate, install gcloud, and run the command gcloud storage ls gs://MY_BUCKET, but I'm getting the error when digger tries to lock the repository.

Error 403: my-sa@my-project.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden

I've confirmed that the env GOOGLE_STORAGE_BUCKET is configured to MY_BUCKET... the only difference I see from my dev environment is that the storage bucket is not in the same project as the one the service account was created in, but I don't think that should interfere.

thiagonache commented 10 months ago

I've updated the test:


package gcp

import (
    "log"
    "testing"

    "cloud.google.com/go/storage"
    "github.com/stretchr/testify/assert"
)

// SkipCI, GetGoogleStorageClient and randomString are helpers from the
// same test package; the test talks to a real bucket, so it is skipped in CI.
func TestGoogleStorageLock_NewLock(t *testing.T) {
    SkipCI(t)
    ctx, client := GetGoogleStorageClient()
    defer func(client *storage.Client) {
        err := client.Close()
        if err != nil {
            log.Fatalf("Failed to close Google Storage client: %v", err)
        }
    }(client)

    bucketName := "thiago-carvalho-test"
    fileName := "digger-lock-" + randomString(16)

    bucket := client.Bucket(bucketName)
    lock := GoogleStorageLock{client, bucket, ctx}

    // A fresh lock name must be acquired on the first attempt.
    locked, err := lock.Lock(100, fileName)
    assert.NoError(t, err)
    assert.True(t, locked)
}

Made sure I can write to the bucket

Thiagos-MacBook-Pro:gcp thiagonache$ gsutil cp gcp_lock.go gs://thiago-carvalho-test/
Copying file://gcp_lock.go [Content-Type=application/octet-stream]...
- [1 files][  2.2 KiB/  2.2 KiB]                                                
Operation completed over 1 objects/2.2 KiB.  

but the test fails with the same message

Thiagos-MacBook-Pro:gcp thiagonache$ go test
2023/10/31 06:50:03 failed to get bucket attributes: googleapi: Error 403: thiago.carvalho@domain.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden
--- FAIL: TestGoogleStorageLock_LockLocked (0.33s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1690606]

goroutine 82 [running]:
testing.tRunner.func1.2({0x174b420, 0x1e913c0})
        /Users/thiagonache/.gvm/gos/go1.21.3/src/testing/testing.go:1545 +0x238
testing.tRunner.func1()
        /Users/thiagonache/.gvm/gos/go1.21.3/src/testing/testing.go:1548 +0x397
panic({0x174b420?, 0x1e913c0?})
        /Users/thiagonache/.gvm/gos/go1.21.3/src/runtime/panic.go:914 +0x21f
digger/pkg/gcp.(*GoogleStorageLock).Lock(0xc00010ff38, 0x1867dbe?, {0xc0004961e0, 0x1c})
        /Users/thiagonache/dev/diggerhq/digger/pkg/gcp/gcp_lock.go:34 +0x366
digger/pkg/gcp.TestGoogleStorageLock_LockLocked(0x0?)
        /Users/thiagonache/dev/diggerhq/digger/pkg/gcp/gcp_lock_test.go:68 +0x287
testing.tRunner(0xc00048b520, 0x18b1b18)
        /Users/thiagonache/.gvm/gos/go1.21.3/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 1
        /Users/thiagonache/.gvm/gos/go1.21.3/src/testing/testing.go:1648 +0x3ad
exit status 2
FAIL    digger/pkg/gcp  1.687s