google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0

v2 Breaking Change #360

Closed JoleneSF closed 12 months ago

JoleneSF commented 1 year ago

TL;DR

This action fails now after working a few days ago. The error says to upgrade to v2, and no documentation indicates the changes required. However, the upgrade breaks the action workflow.

Expected behavior

Two possible options are expected for me:

  1. The auth works as before.
  2. The documentation, changelog, or release notes indicate what needs to be done to fix the breaking change.

Observed behavior

The original action YAML:

name: Build and Plan Development

on:
  push:
    branches: [ trunk ]

jobs:
  build_push_dev:
    name: Build Dev
    needs: [ identify ]
    runs-on: ubuntu-latest
    environment: dev
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
    - run: npm ci
    - name: Authenticate with Google Cloud
      id: auth_dev
      uses: google-github-actions/auth@v0
      with:
        token_format: access_token
        workload_identity_provider: projects/12345/locations/global/workloadIdentityPools/github-actions/providers/github-actions
        service_account: ABCDEFG@foo.iam.gserviceaccount.com
        access_token_lifetime: 300s

Results in the following output:

# Run google-github-actions/auth@v0
  with:
    token_format: access_token
    workload_identity_provider: projects/12345/locations/global/workloadIdentityPools/github-actions/providers/github-actions
    service_account: ABCDEFG@foo.iam.gserviceaccount.com
    access_token_lifetime: 300s
    create_credentials_file: true
    export_environment_variables: true
    cleanup_credentials: true
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    retries: 0
    id_token_include_email: false
Error: The v0 series of google-github-actions/auth is no longer maintained. It will not receive updates, improvements, or security patches. Please upgrade to the latest supported versions: 

    https://github.com/google-github-actions/auth
Created credentials file at "/home/runner/work/tideswell/tideswell/gha-creds-b2edbfb028811c8f.json"
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to generate Google Cloud access token for ABCDEFG@foo.iam.gserviceaccount.com: (403) {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

The upgraded action with google-github-actions/auth@v2 is shown below, along with the new (current) log output.

Action YAML

name: Build and Plan Development

on:
  push:
    branches: [ trunk ]

jobs:
  build_push_dev:
    name: Build Dev
    needs: [ identify ]
    runs-on: ubuntu-latest
    environment: dev
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
    - run: npm ci
    - name: Authenticate with Google Cloud
      id: auth_dev
      uses: google-github-actions/auth@v2
      with:
        token_format: access_token
        workload_identity_provider: projects/12345/locations/global/workloadIdentityPools/github-actions/providers/github-actions
        service_account: ABCDEFG@foo.iam.gserviceaccount.com
        access_token_lifetime: 300s

Log output

Error: google-github-actions/auth failed with: retry function failed after 4 attempts: failed to generate Google Cloud OAuth 2.0 Access Token for ABCDEFG@foo.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

Additional information

No response

github-actions[bot] commented 1 year ago

Hi there @JoleneSF 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

nheimann1 commented 1 year ago

Hi @JoleneSF

By looking at the docs it seems you should change the actions/checkout@v3 to actions/checkout@v4

Have you tried that?


sethvargo commented 1 year ago

Hi @nheimann1

Thank you for opening an issue. The only change between 0.8.3 and 0.9.0 is the addition of the message that v0 is deprecated: https://github.com/google-github-actions/auth/compare/v0.8.3...v0.9.0

The error message from the original action.yml indicates there's a misconfiguration with your Workload Identity. Please see the Troubleshooting guide. If none of those steps address your issue, please include your complete action.yml and debug logs. Please do not sanitize or filter the logs.

I see the same error message in @v2, so I don't think this is related to changes in google-github-actions/auth. It appears a configuration may have changed that is causing the authentication to fail.

thanhnguyen612 commented 1 year ago

Hi @sethvargo, I got the same issue when upgrading from v0 to v2. I have already read and followed https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md, but it still fails. My pipeline worked well before upgrading. Please check.


Deploy script as below:

...
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: 'Authenticate to Google Cloud'
        id: auth
        uses: 'google-github-actions/auth@v2'
        with:
          token_format: 'access_token'
          project_id: 'my_project_id'
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/MY_POOL_NAME/providers/MY_PROVIDER_NAME'
          service_account: 'my_service_account'

thanhnguyen612 commented 1 year ago

Hi @sethvargo ,

I have sent debug logs via email to google-github-actions@google.com. Please help to check. Thanks.

curtis-baillie commented 12 months ago

Thanks @JoleneSF for opening this issue! We had the same deprecation error: Error: The v0 series of google-github-actions/auth is no longer maintained. We upgraded from v0 to v1 and that fixed it for us 😃

JoleneSF commented 12 months ago

Thanks for all the responses! I'll try to get back to them chronologically:

nheimann1

By looking at the docs it seems you should change the actions/checkout@v3 to actions/checkout@v4

Yes, I did this just now and have the same 403 error.

sethvargo

The error message from the original action.yml indicates there's a misconfiguration with your Workload Identity. Please see the Troubleshooting guide. If none of those steps address your issue, please include your complete action.yml and debug logs. Please do not sanitize or filter the logs.

I see the same error message in @v2, so I don't think this is related to changes in google-github-actions/auth. It appears a configuration may have changed that is causing the authentication to fail.

Hmm, okay, this is a good point I definitely overlooked: the 403 was happening at the beginning and thus isn't likely to be because of the v2 change. Nothing on my end changed with GCP or Workload Identity, and it was working. The only thing that changed when it stopped working is that this action bumped to v2 and required upgrading. So I guess I'll need to dig into the Troubleshooting guide as you say, and I'll report back.

curtis-baillie

We had the same deprecation error: Error: The v0 series of google-github-actions/auth is no longer maintained. We upgraded from v0 to v1 and that fixed it for us 😃

Sounds good! My main issue is the new 403 error from the auth action, not the version bump error (which I have resolved).

JoleneSF commented 12 months ago

✅ OKAY I apologize, but I figured out the problem. It actually was the GCP configuration on my side.

I actually wasn't added as an authorized attribute.actor in the attribute mappings. We never saw it before because another person would do PR merges, and this error was the first time I had actually merged a PR in this repository. So the v0 to v2 change requirement was just a super coincidental red herring.

sethvargo commented 12 months ago

Hi @JoleneSF - I'm glad you got it sorted out.

@curtis-baillie - it's not an error, it's a log message at the error level. If your GitHub Action is exiting successfully, then you'll see the log message, but the GitHub Action will still succeed.

@thanhnguyen612 - are you saying that the exact same workflow succeeds with @v0 but fails with @v2? If so, can you please provide the complete workflow YAML file?

curtis-baillie commented 12 months ago

@curtis-baillie - it's not an error, it's a log message at the error level. If your GitHub Action is exiting successfully, then you'll see the log message, but the GitHub Action will still succeed.

Oh, interesting - I'll have to dig in further to the GHA. It was failing the workflow, and as soon as we changed to @v1 it succeeded again. Thanks for the follow up!

thanhnguyen612 commented 12 months ago

Hi @sethvargo, I realized that my mistake in changing some Terraform code caused our service account to lack permission to get an access token from the workload identity pool.

Thanks for your help and sorry.
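Both root causes in this thread (an actor not covered by the pool's attribute mapping, and a service account that no longer grants the pool permission to mint its tokens) come down to the same IAM binding. The shell below is an added example, not code from the thread or from the auth action: it derives the principalSet member from the workload_identity_provider value in the workflow above and shows the gcloud calls that check or grant impersonation; the use of attribute.actor and the actor login are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: build the principalSet member for a Workload Identity
# Federation binding and grant/check token-minting permission on the SA.
set -eu

# Pool resource name = provider resource name without the "/providers/..." suffix.
wif_pool_from_provider() {
  provider="$1"
  case "$provider" in
    projects/*/locations/*/workloadIdentityPools/*/providers/*) ;;
    *) echo "unexpected provider resource name: $provider" >&2; return 1 ;;
  esac
  printf '%s\n' "${provider%/providers/*}"
}

# principalSet://iam.googleapis.com/<pool>/attribute.<name>/<value>
# The attribute must be present in the provider's attribute mapping
# (e.g. attribute.actor=assertion.actor); otherwise the binding never matches.
wif_principal_set() {
  provider="$1"; attr_name="$2"; attr_value="$3"
  pool="$(wif_pool_from_provider "$provider")" || return 1
  printf 'principalSet://iam.googleapis.com/%s/attribute.%s/%s\n' \
    "$pool" "$attr_name" "$attr_value"
}

# roles/iam.workloadIdentityUser carries iam.serviceAccounts.getAccessToken,
# the permission named in the 403 above. Requires gcloud; not run offline.
grant_wif_impersonation() {
  sa="$1"; member="$2"
  gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --role="roles/iam.workloadIdentityUser" --member="$member"
}

# Returns 0 when the member already appears in the service account's policy.
check_wif_binding() {
  sa="$1"; member="$2"
  gcloud iam service-accounts get-iam-policy "$sa" --format=json | grep -qF "\"$member\""
}

# Values from the thread; the actor login (JoleneSF) is an assumed attribute value.
PROVIDER='projects/12345/locations/global/workloadIdentityPools/github-actions/providers/github-actions'
SA='ABCDEFG@foo.iam.gserviceaccount.com'
MEMBER="$(wif_principal_set "$PROVIDER" actor JoleneSF)"
echo "binding needed on $SA: $MEMBER"
# Uncomment on a machine with gcloud credentials for the project:
# check_wif_binding "$SA" "$MEMBER" || grant_wif_impersonation "$SA" "$MEMBER"
```

A binding on a single attribute.actor only authorizes that one login; most setups instead bind attribute.repository so every workflow run of the repository is covered regardless of who merged.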

sethvargo commented 12 months ago

Sounds good. Thank you for confirming. Since both @thanhnguyen612's and @JoleneSF's issues have been resolved as unrelated to the v2 change, I am going to close this issue. Please open a new issue if you have further questions.