google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0
968 stars 207 forks

Doc missing something? #368

Closed olivers-xaxis closed 10 months ago

olivers-xaxis commented 11 months ago

TL;DR

Step 6 of the WIF via Service Account in the README shows GitHub Actions workflow YAML that only has the pool ID. I could not get that to work; I had to add the service account line using the service_account attribute. This should be added.

Also, I could not get Direct WIF (preferred) to work.

Expected behavior

Code copied from the direct method, after replacing placeholders, should work out of the box.

Observed behavior

It does not work for either WIF method. I got the second WIF method to work by adding the service account ID to the with clause.

Action YAML

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - id: auth
        name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/YOUR_PROJ_NUMBER/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions
          service_account: github-actions@YOUR_PROJ_ID.iam.gserviceaccount.com

Log output

No response

Additional information

No response

github-actions[bot] commented 11 months ago

Hi there @olivers-xaxis :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo commented 11 months ago

Hi @olivers-xaxis - please provide the debug logs or error message(s) you're getting.

Step 6 of the WIF via Service Account in the README shows GitHub Actions workflow YAML that only has the pool ID. I could not get that to work; I had to add the service account line using the service_account attribute. This should be added.

The code block is demonstrating where you set the workload_identity_provider value; it is not meant to be a copy-pasteable example, since there are many required and optional parameters which are documented above. However, I'll add service_account since it's required in this case. However, there are other fields like project_id which may be conditionally required, which is explained above.

Also, I could not get Direct WIF (preferred) to work.

Do you have more information? Debug logs? Error messages?

olivers-xaxis commented 11 months ago

Sure, I should be able to do that Friday.

olivers-xaxis commented 11 months ago

OK so I investigated the failure I was getting. When I did it again, knowing more now than I did then, your steps worked.

HOWEVER, I think we can do better on the last step of the Direct method (normally I'd be happy to submit a PR, but I'm still too new to GCP -- 95% of my cloud years are in AWS). OIDC should be made as easy to set up as possible, leading to a safer web. I have set up OIDC for GitHub in AWS very easily in the past, but being new to GCP IAM I used the console. The latest version has a Grant Access on the Pool page where you can specify the repository to match, and the service account to assume when the repo matches. I think this corresponds to the last step, but the binding would be on the service account to the pool and assertion.repo. So something like showing:

# PROJECT_NUMBER is the numeric project number, not the project ID; the
# member is the principalSet form gcloud expects for a pool attribute.
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_EMAIL \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/ORG_NAME/REPO_NAME"

AFAIK, if I'm setting up a brand new service account to be used with a brand new pool, I will absolutely need to do the above.
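The two bindings this thread is about, as an added example written for this page (not code from the issue or from the google-github-actions/auth project): a POSIX shell script that assembles the workload_identity_provider resource name and the repository-scoped principalSet member, rejects a project ID where the numeric project number is required, and prints the add-iam-policy-binding command for each journey instead of running it. The function names and the placeholder project number, pool, provider, repository and service account are constructed values, not the reporter's real ones.

```shell
#!/bin/sh
# Added example (not from google-github-actions/auth): build and check the names
# used by both WIF journeys, then print the binding command. Never calls gcloud.
# Constructed placeholder values; replace them with your own.
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # numeric project number, not project ID
POOL_ID="${POOL_ID:-github-actions-pool}"
PROVIDER_ID="${PROVIDER_ID:-github-actions}"
SA_EMAIL="${SA_EMAIL:-github-actions@my-project.iam.gserviceaccount.com}"
REPO="${REPO:-my-org/my-repo}"
# A project ID in the pool path produces a member that never matches any token.
check_project_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}
# Value for the action's workload_identity_provider input (used by both journeys).
wif_provider() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' "$1" "$2" "$3"
}
# Member scoped to one repository through the attribute.repository mapping.
# This principalSet:// form is what gcloud expects, not "workload-identity-pool/...".
wif_member() {
  case "$3" in
    */*) ;;
    *) echo "repository must be OWNER/NAME, got: $3" >&2; return 1 ;;
  esac
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s\n' "$1" "$2" "$3"
}
# "WIF via service account": let the repository's tokens impersonate the SA.
# Args: project_number pool_id sa_email owner/repo
print_sa_binding() {
  check_project_number "$1" || { echo "PROJECT_NUMBER must be numeric, got: $1" >&2; return 1; }
  member=$(wif_member "$1" "$2" "$4") || return 1
  printf 'gcloud iam service-accounts add-iam-policy-binding %s \\\n  --role="roles/iam.workloadIdentityUser" \\\n  --member="%s"\n' "$3" "$member"
}
# "Direct WIF": no service account; grant the principalSet a role on the project.
# Args: project_number pool_id project_id role owner/repo
print_direct_binding() {
  check_project_number "$1" || { echo "PROJECT_NUMBER must be numeric, got: $1" >&2; return 1; }
  member=$(wif_member "$1" "$2" "$5") || return 1
  printf 'gcloud projects add-iam-policy-binding %s \\\n  --role="%s" \\\n  --member="%s"\n' "$3" "$4" "$member"
}
echo "workload_identity_provider: $(wif_provider "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID")"
print_sa_binding "$PROJECT_NUMBER" "$POOL_ID" "$SA_EMAIL" "$REPO"
print_direct_binding "$PROJECT_NUMBER" "$POOL_ID" my-project roles/viewer "$REPO"   # roles/viewer is only an example role
```

For Direct WIF the action takes only workload_identity_provider, so the service_account input the reporter added applies to the service-account journey alone.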

sethvargo commented 11 months ago

Sorry, I'm not following. Do you have screenshots of what you're seeing on the console? Please note that this repo does not intend to be an authoritative source for Google Cloud documentation. We provide a few key user journeys. Advanced configuration options and general instructions for OIDC/WIF are at: https://cloud.google.com/iam/docs/workload-identity-federation

olivers-xaxis commented 11 months ago

How about I submit a PR? It will be easier for you to see what I mean. You can adjust further if I say anything wrong.

sethvargo commented 11 months ago

Sure, sg.

sethvargo commented 11 months ago

Hey @olivers-xaxis - did you have a chance to look into this yet?