google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0
953 stars, 195 forks

workload identity + token_format #254

Closed. so-jelly closed this issue 1 year ago

so-jelly commented 1 year ago

TL;DR

I want to authenticate with workload identity and create an OAuth token to be used by other steps. Currently, the credentials file created when using workload identity is created with the 'external_account' type.

Expected behavior

setting token_format: "access_token" will produce a credentials file of type: 'authorized_user'.

Observed behavior

The credentials file is created with type: external_account

Action YAML

name: build

on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        id: checkout
        uses: actions/checkout@v2

      - name: Set up JDK 11
        uses: actions/setup-java@v2
        with:
          java-version: "11"
          distribution: "adopt"

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v1"
        with:
          workload_identity_provider: "${{ secrets['WI_PROVIDER'] }}"
          service_account: "${{ secrets['WI_SA'] }}"
          token_format: "access_token" # we want an oauth token

      - name: Maven Build and Deploy
        run: mvn install # needs access to cloud sql, etc... using application default credentials, but doesn't know about workload identity

Log output

spring.cloud.gcp.pubsub.credentials.*) should be used if your app uses services that require credentials. trace_id= span_id= trace_flags= 
2023-01-11T21:58:03.7590302Z java.io.IOException: Error reading credential file from environment variable GOOGLE_APPLICATION_CREDENTIALS, value '/home/runner/work/foo/bar/gha-creds-b41be974044447ad.json': Error reading credentials from stream, 'type' value 'external_account' not recognized. Expecting 'authorized_user' or 'service_account'.

Additional information

using spring boot, needs access to cloud mysql, pubsub, datastore

github-actions[bot] commented 1 year ago

Hi there @so-jelly :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo commented 1 year ago

Hi @so-jelly

Sorry, I'm not sure I understand your question. The JSON file created for Workload Identity Federation will always be "external account" - that's the definition of Workload Identity Federation. The token parameter controls whether an oauth access token or an id token is minted in addition to the authentication. If you specify a value for token, then you can retrieve the token in subsequent steps via an output.

In this case, you will need to work with the authors of the dependency which is throwing that error to add support for Workload Identity Federation.
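The following workflow is an added example (not from the original issue or from the google-github-actions/auth project) showing the two ways the thread describes for consuming the result of the action: the credentials file, whose `type` is `external_account` and which is pointed to by `GOOGLE_APPLICATION_CREDENTIALS`, and the separately minted OAuth access token, which is read from the step output `steps.auth.outputs.access_token`. The `permissions` block is required for Workload Identity Federation because the action needs a GitHub OIDC token. The bucket-listing call, the `GCP_PROJECT` secret and the `verify-adc` step are illustrative assumptions; the secret names `WI_PROVIDER` and `WI_SA` are taken from the issue.

```yaml
name: build

on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: the action exchanges a GitHub OIDC token for Google credentials
    steps:
      - name: checkout
        uses: actions/checkout@v3

      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.WI_PROVIDER }}
          service_account: ${{ secrets.WI_SA }}
          token_format: access_token   # additionally mint a short-lived OAuth access token

      # The credentials file exists regardless of token_format; its type is always
      # external_account under Workload Identity Federation. Clients whose auth library
      # understands external_account pick it up through Application Default Credentials.
      - name: verify-adc   # hypothetical step: confirm what the action wrote
        run: |
          echo "ADC file: ${GOOGLE_APPLICATION_CREDENTIALS}"
          python3 -c 'import json, os; print(json.load(open(os.environ["GOOGLE_APPLICATION_CREDENTIALS"]))["type"])'

      # The minted access token is a bearer credential. Pass it to the consumer via an
      # environment variable rather than interpolating it into the script body, and never
      # echo it; it is valid for every API the service account can reach.
      - name: Call a Google API with the minted token (assumed target: Cloud Storage)
        env:
          ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
          GCP_PROJECT: ${{ secrets.GCP_PROJECT }}   # assumed secret holding the project id
        run: |
          curl -sSf \
            -H "Authorization: Bearer ${ACCESS_TOKEN}" \
            "https://storage.googleapis.com/storage/v1/b?project=${GCP_PROJECT}"
```

Two practical notes. First, `token_format` does not change the credentials file; it only adds the `access_token` (or `id_token`) output, so a consumer that cannot parse `external_account` will keep failing on `GOOGLE_APPLICATION_CREDENTIALS` no matter what value is set. Second, the Java auth library (google-auth-library-java) does ship an `ExternalAccountCredentials` type in `com.google.auth.oauth2`; the error in the issue's log ("Expecting 'authorized_user' or 'service_account'") is what older builds of that library print, so checking which version the Spring Cloud GCP dependency pulls in is the first thing to verify before working around it with a raw token.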