google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0

A request regarding inter-project authentication #366

Closed skikkh closed 11 months ago

skikkh commented 11 months ago

TL;DR

Currently, when granting permissions of Project B to Project A using Direct Workload Identity Federation, it is necessary to enable the API of the relevant resource in Project A when assigning a role in Project B. This is the current specification.

In Terraform, this can be addressed by setting user_project_override to true for each project. However, I do not want to handle this for each project individually.

I would like to request a change in the specification so that Project A can call the APIs of each project directly, or alternatively, add this as an optional feature.

Detailed design

No response

Additional information

No response

github-actions[bot] commented 11 months ago

Hi there @skikkh :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo commented 11 months ago

Hi @skikkh - thank you for opening an issue. User Project Override is a feature of the calling library/tool (Terraform, gcloud, Python SDK); there's nothing we can do in the auth action to force downstream libraries/tools to add the X-Goog-User-Project header.
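As an added illustration of the point above (not code from the auth action or from either commenter), this is how the Terraform Google provider, rather than the auth action, is told to send the X-Goog-User-Project header so that quota and API enablement are checked against the project that owns the resource instead of the project the credentials belong to. The project ids and resource name are placeholders.

```hcl
# Added example, not from the issue thread. Project ids are placeholders.

# Default behaviour: user_project_override is false, so no X-Goog-User-Project
# header is sent and the API must be enabled in the credentials' project
# (Project A) even when the resource lives in Project B.
provider "google" {
  alias   = "no_override"
  project = "project-a" # placeholder: project running the federated identity
}

# Corrected: user_project_override = true makes the provider send
# X-Goog-User-Project with the resource's own project (or billing_project,
# if set), so the API only has to be enabled in Project B.
provider "google" {
  alias                 = "project_b"
  project               = "project-b" # placeholder: project that owns the resource
  user_project_override = true
  billing_project       = "project-b" # placeholder: project charged for quota
}

# Resource in Project B created with Project A's credentials; quota and API
# checks are attributed to Project B because of the header above.
resource "google_pubsub_topic" "example" {
  provider = google.project_b
  name     = "example-topic" # placeholder
}
```

Each provider alias carries its own user_project_override and billing_project, which is why the setting has to be declared per project rather than once in the auth action.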