google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0
968 stars, 207 forks

google-github-actions/auth@v1 works but v2 doesn't #370

Closed josekasna closed 11 months ago

josekasna commented 11 months ago

TL;DR

google-github-actions/auth@v1 works but v2 fails with:

{"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}

Expected behavior

Run google-github-actions/auth@v2 Created credentials file at "/home/runner/work/blah/blah/gha-creds-74181985507fbc95.json"

Observed behavior

Error: google-github-actions/auth failed with: retry function failed after 4 attempts: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/388216187562/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}

Action YAML

name: Backup snapshot
on:
  schedule:
    # Every day at 4:20 AM AEST
    - cron: "20 18 * * *"
  push:
    branches:
      - development
      - main
    paths:
      - .github/workflows/backup-snapshot.yml

jobs:
  backup:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        project:

          - projectd
          - projectc
          - projectb
          #- projecta
          #- projectc-v2
          - projectb-v2

        exclude:
          # Exclude backing up staging and dev projects when running on Org1
          # organization. This will work because the excluded project will evaluate
          # to empty string branch expression evaluates to `false`
          - project: ${{ github.repository_owner == 'Org1' && 'projectc' || '' }}
          - project: ${{ github.repository_owner == 'Org1' && 'projectb' || '' }}

          # Exclude backing up production project when running on Org1
          # organization. This will work because the excluded project will evaluate
          # to empty string branch expression evaluates to `false`
          - project: ${{ github.repository_owner == 'OrgA' && 'projectd' || '' }}
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:

      # Need to check out code to get firebase config
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: 18
          cache: 'yarn'
          cache-dependency-path: |
            functions/yarn.lock
            functions-ts/yarn.lock
            web-app/yarn.lock

      # yarn global add firebase-tools@latest
      # Changing to last version that worked
      - name: Install global NPM tools
        run: |
          yarn global add firebase-tools@12.9.1
          firebase --version

      ###############
      ## START: PROJECT SPECIFICS

      - if: matrix.project == 'projecta'
        run: |
          echo "BACKUP_SERVICE_ACCOUNT=backups@projecta.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-ejuyf@projecta.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-ejuyf@projecta.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/674656007155/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      - if: matrix.project == 'projectd'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_DEFIPLATFORM }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_DEFIPLATFORM }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectd.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-tools@projectd.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-g54tc@projectd.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/857213089688/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      - if: matrix.project == 'projectc-v2'
        run: |
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectc-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-71xxo@projectc-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-71xxo@projectc-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/398450691122/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      - if: matrix.project == 'projectc'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_projectc }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_projectc }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backup@projectc.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-tools-787@projectc.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-boji7@projectc.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/320854465469/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      - if: matrix.project == 'defiplatformsandbox'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_projectc }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_projectc }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backups@defiplatformsandbox.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-2sa3v@defiplatformsandbox.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-2sa3v@defiplatformsandbox.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/282426236812/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      - if: matrix.project == 'projectb'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_projectb }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_projectb }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectb.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-aww8h@projectb.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-aww8h@projectb.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/140165331335/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      - if: matrix.project == 'projectb-v2'
        run: |
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectb-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-e0dxp@projectb-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-e0dxp@projectb-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/388216187562/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV

      ## END: PROJECT SPECIFICS
      #########################
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          create_credentials_file: 'true'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.FIREBASE_SERVICE_ACCOUNT }}
          project_id: ${{ matrix.project }}

      - name: Set up gcloud Cloud SDK environment
        uses: google-github-actions/setup-gcloud@v2
        with:
          version: '>= 363.0.0'
          project_id: ${{ matrix.project }}
          #service_account_key: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}

      - name: Show configuration
        run: gcloud config list

      # The variable `SA_FIREBASE` must be a base64 encoded string
      # of the service account JSON to avoid problems with quote escaping and
      # conversion of '\n' characters generating invalid JSON
      #- name: Set service account for Firebase CLI
      #  run: |
      #    echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/service_account.json" >> $GITHUB_ENV
      #    echo ${{ env.SA_FIREBASE }} | base64 -d - > service_account.json

      ##########################################################################
      ## BACKUP FIRESTORE

      # Turns out that rm -rf fails with error if there are no files
      # Which is inconvenient since sometimes if a job fails, we end up
      # in states where we can't re-run a job if it has previously failed.
      - name: Add dummy file to bucket so that rm -rf doesn't fail
        run: |
          touch dummy.txt
          gsutil -m cp dummy.txt gs://${{ matrix.project }}-backups/firestore/__snapshot__/

      - name: Remove previous snapshot backup
        run: gsutil -m rm -rfa gs://${{ matrix.project }}-backups/firestore/__snapshot__

      - name: Export Firestore to Cloud Storage bucket
        run: gcloud firestore export gs://${{ matrix.project }}-backups/firestore/__snapshot__ --async

      ##########################################################################
      ## BACKUP AUTH
      - run: firebase --debug use ${{ matrix.project }}

      - run: firebase auth:export __snapshot__.json

#      - id: authBkp
#        name: Authenticate to Google Cloud with Backup SA
#        uses: google-github-actions/auth@v1
#        with:
#          create_credentials_file: 'true'
#          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
#          service_account: ${{ env.BACKUP_SERVICE_ACCOUNT }}
#          project_id: ${{ matrix.project }}

      - name: Upload to Cloud Storage Bucket
        run: gsutil -m cp __snapshot__.json gs://${{ matrix.project }}-backups/auth/__snapshot__.json

      ##########################################################################
      ## BACKUP RTDB

      - name: Download RTDB data
        run: firebase database:get --output __snapshot__.json /

      # Make sure your backup bucket is named: {project-id}-backups
      - name: Upload to Cloud Storage Bucket
        run: gsutil -m cp __snapshot__.json gs://${{ matrix.project }}-backups/rtdb/__snapshot__.json

      ##########################################################################
      ## BACKUP STORAGE
      ##
      ## Make sure to adjust this step if you are having more than just the
      ## default bucket named: {project-id}.appspot.com

      # Using rsync for delta updates of the backup
      # https://cloud.google.com/storage/docs/gsutil/commands/rsync
      # Note: `matrix.bucket` is not defined in the matrix above, so that path
      # segment evaluates to an empty string and the destination ends in "//".
      - name: Sync storage bucket with backup
        run: >-
          gsutil -m
          rsync -r -d
          gs://${{ matrix.project }}.appspot.com
          gs://${{ matrix.project }}-backups/storage/__snapshot__/${{ matrix.bucket }}/

Log output

Error: google-github-actions/auth failed with: retry function failed after 4 attempts: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/388216087510/locations/global/workloadIdentityPools/fame-identity-pool/providers/-fame-identity-pool-gh-provider: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
##[debug]Node Action run completed with exit code 1
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json
##[debug]Set output project_id = projectb-v2
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json
##[debug]Set output project_id = projectb-v2
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json
##[debug]Set output project_id = projectb-v2
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json
##[debug]Set output project_id = projectb-v2
##[debug]Finishing: Authenticate to Google Cloud

Additional information

Can share the full debug logs in a safe manner (e-mail?)

I've anonymised some details in the YAML file, but the original structure is the same. OK to share it over a safer place too.

I can also share the working v1 logs.

Cheers.
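The error above echoes the exact audience the action sent to STS, so the first triage step is to check that resource name against what the workflow meant to configure. The following is an added example, not code from the auth action or from the reporter's workflow: it parses both values, validates the pool and provider IDs against the naming rule as recalled from the GCP docs (4-32 lowercase letters, digits or hyphens, "gcp-" reserved; treat that as an assumption and verify it), and reports where the two differ.

```python
import re

# Added example, not code from the auth action or the reporter's workflow. Assumption:
# the STS audience is "//iam.googleapis.com/" + the provider resource name, which is
# what the action echoes in its "failed to generate ... federated token for" error.
AUDIENCE_PREFIX = "//iam.googleapis.com/"
RESOURCE_RE = re.compile(
    r"projects/(?P<project_number>\d+)/locations/global/workloadIdentityPools/"
    r"(?P<pool>[^/\s:]+)/providers/(?P<provider>[^/\s:]+)")
# Pool/provider IDs: 4-32 lowercase letters, digits or hyphens, "gcp-" reserved
# (rule as recalled from the GCP docs; treat as an assumption and verify there).
ID_RE = re.compile(r"[a-z0-9-]{4,32}")

def parse_provider(value):
    """Split a workload_identity_provider value (or audience) into parts and list
    anything STS would reject as invalid_target before any IAM lookup happens."""
    text = value.strip().removeprefix(AUDIENCE_PREFIX)
    m = RESOURCE_RE.fullmatch(text)
    if not m:
        return {"ok": False, "problems": ["not a projects/N/locations/global/"
                                          "workloadIdentityPools/P/providers/X name"]}
    parts, problems = m.groupdict(), []
    for kind in ("pool", "provider"):
        ident = parts[kind]
        if not ID_RE.fullmatch(ident):
            problems.append(f"{kind} id {ident!r} is not 4-32 [a-z0-9-] characters")
        elif ident.startswith(("-", "gcp-")):
            problems.append(f"{kind} id {ident!r} has a leading '-' or reserved "
                            "'gcp-' prefix; compare it with the console")
    parts.update(ok=not problems, audience=AUDIENCE_PREFIX + text, problems=problems)
    return parts

def audience_from_error(log_line):
    """Pull the audience the action actually sent out of its error message."""
    m = re.search(r"federated token for (//iam\.googleapis\.com/\S+?):", log_line)
    return m.group(1) if m else None

def compare(configured, log_line):
    """Fields where the provider in the error differs from the one the workflow
    meant to use (e.g. an env value left over from another matrix job)."""
    want, sent = parse_provider(configured), parse_provider(audience_from_error(log_line) or "")
    return {k: (want.get(k), sent.get(k))
            for k in ("project_number", "pool", "provider") if want.get(k) != sent.get(k)}

# Constructed inputs: the projectb-v2 value from the workflow and the error line
# from the log output, both as quoted in the issue above.
CONFIGURED = ("projects/388216187562/locations/global/workloadIdentityPools/"
              "identity-pool/providers/identity-pool-gh-provider")
ERROR_LINE = ("Error: google-github-actions/auth failed with: retry function failed after 4 "
              "attempts: failed to generate Google Cloud federated token for //iam.googleapis.com/"
              "projects/388216087510/locations/global/workloadIdentityPools/fame-identity-pool/"
              'providers/-fame-identity-pool-gh-provider: {"error":"invalid_target"}')
```

On the values quoted in this issue, `compare(CONFIGURED, ERROR_LINE)` reports that project number, pool and provider all differ, and `parse_provider` flags the leading hyphen in the provider ID from the log; whichever name is the real one can then be confirmed with `gcloud iam workload-identity-pools providers describe`.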

github-actions[bot] commented 11 months ago

Hi there @josekasna :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo commented 11 months ago

Hi @josekasna - you can find instructions for sharing the complete logs and YAML files in the TROUBLESHOOTING guide. Do you have a smaller/shorter action.yml that reproduces the issue?

josekasna commented 11 months ago

Hi @sethvargo, thanks for the quick response. The full YAML is already here, just a bit anonymised. I did just send the original one + logs to the referred e-mail.

Let me know if that's enough or if you want me to create a new one that's shorter, I can test it out as well.

Cheers!

josekasna commented 11 months ago

While reviewing it here (though I don't know the internals of the auth action), I noticed we are using actions/checkout@v3 while the docs mention Run actions/checkout@v4?

Could that be a problem?

Thanks!

josekasna commented 11 months ago

I think this may have less to do with the action, and more to do with the Workload Identity Federation config side of things.

I noticed a change: previously you could "Grant access" => "CONNECTED SERVICE ACCOUNTS" and select "all users from the pool", and now, it seems, the service account needs a filter at its level, and I may be missing a mandatory attribute in that?

Will copy from the provider's config and try again.

image

josekasna commented 11 months ago

This "Entire Pool" used to be there, but it's not anymore (this is from a previous environment where the setup was done).

image

I'll close this for now until I can make sure the environments configs between the working and not working actions are the same.

Sorry for the confusion.