google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0
968 stars 207 forks

WorkloadIdentityPoolProvider ID error message on create-oidc is dubious at best. #379

Closed DRpandaMD closed 10 months ago

DRpandaMD commented 10 months ago

TL;DR

Could be a bug, could be user error. Basically, I formatted the bash command with my own entries instead of the samples, and I am getting error messages that are unclear about what is wrong and what exactly is reserved by Google.

Expected behavior

As per the docs, I expected this gcloud command to run so that I can continue on with my life.

See https://github.com/google-github-actions/auth?tab=readme-ov-file#preferred-direct-workload-identity-federation

As a sample here is what I have entered into my Google Cloud Shell


## Works as expected
gcloud iam workload-identity-pools create "drpandamd-gh" \
  --project="cloud-devops-viking-test-area" \
  --location="global" \
  --display-name="drpandamd-gh-actions pool"

## Returns the value as expected
gcloud iam workload-identity-pools describe "drpandamd-gh" \
  --project="cloud-devops-viking-test-area" \
  --location="global" \
  --format="value(name)"

## The problem child
gcloud iam workload-identity-pools providers create-oidc "gcp-python-tornado-gh-actions" \
  --project="cloud-devops-viking-test-area" \
  --location="global" \
  --workload-identity-pool="drpandamd-gh" \
  --display-name="My GitHub repo Provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"

This last command returns 'ERROR: (gcloud.iam.workload-identity-pools.providers.create-oidc) INVALID_ARGUMENT: Invalid WorkloadIdentityPoolProvider ID. The given ID is reserved for use by Google.'

Observed behavior

ERROR: (gcloud.iam.workload-identity-pools.providers.create-oidc) INVALID_ARGUMENT: Invalid WorkloadIdentityPoolProvider ID. The given ID is reserved for use by Google.

Based on the section above, I believe it's clear I have goofed somewhere. But the error messaging isn't clear as to what exactly is reserved or what it didn't like. It's also not clear what and where exactly the WorkloadIdentityPoolProvider ID is coming from.

Is that part of the flag --workload-identity-pool="drpandamd-gh"?

PRE-EDIT NOTE!!:

I changed the last bit of this command to now look like this:

gcloud iam workload-identity-pools providers create-oidc "python-tornado-ghactions" \
  --project="cloud-devops-viking-test-area" \
  --location="global" \
  --workload-identity-pool="drpandamd-gh" \
  --display-name="My GitHub repo Provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"

So I believe the issue was in the first part of the create-oidc "{THIS IS THE ID}" argument, where I had gcp at the start of that name (ID). So it looks like it's looking for some set of key words, flags them, rejects the command and throws the error message.

It would be super nice to have that "gotcha" included in the docs here on GitHub and the big docs on the main GCP docs page.

Oh, and if possible, have the CLI team add a response that is a bit more verbose.

Action YAML

# First pass at building a CI/CD pipeline using GitHub Actions
name: Build and Deploy to Cloud Run

## NOT USED !!

on:
  push:
    branches: [ "*" ]
  pull_request:
    branches: [ "*" ]

jobs:
  build-deploy:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v3

    - name: Set Up Google Cloud SDK
    # - name: Build the Docker image
    #   run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

Log output

No response

Additional information

This GH bug reporting wall acted as a coding rubber duck and I just stumbled across the answer by trying to explain the problem. However, I am leaving this all here in hopes that the docs do get updated with a bit more descriptive oomph in there. Surely I can't be the only person who has unknowingly used a reserved ID keyword without knowing it, right?

github-actions[bot] commented 10 months ago

Hi there @DRpandaMD :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

sethvargo commented 10 months ago

Hi @DRpandaMD

Thank you for opening an issue. I believe that error is correct. As noted in the official WIF documentation:

Note: The prefix gcp- is reserved and can't be used in a pool or provider ID.

You are trying to create a provider named "gcp-python-tornado-gh-actions", but WIF providers cannot be prefixed with "gcp-".

I'll bring this up with the server team to return a more useful error message.
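The failure in this thread is a client-side naming rule that the server only reports vaguely. The shell functions below are an added example, not code from the google-github-actions/auth project or from anyone in the thread. They pre-check a pool or provider ID against the documented constraints for Workload Identity Federation IDs (4 to 32 characters, only lowercase letters, digits and hyphens, and no reserved "gcp-" prefix) before gcloud is ever called, so the reason is printed locally instead of as a bare INVALID_ARGUMENT. The project, pool and provider values in the wrapper are the ones from the issue and are placeholders; the display name is assumed.

```shell
#!/usr/bin/env bash
# Pre-flight check for Workload Identity Federation pool and provider IDs.
# Constraints, from the IAM workloadIdentityPools / providers API reference:
#   - 4 to 32 characters
#   - only lowercase letters, digits and hyphens: [a-z0-9-]
#   - the prefix "gcp-" is reserved for use by Google
# Prints the reason on stderr and returns a distinct non-zero code per rule,
# so a caller can tell which constraint was violated.
wif_id_check() {
  local id="$1" len
  len=${#id}
  if [ "$len" -lt 4 ] || [ "$len" -gt 32 ]; then
    echo "invalid ID '$id': length $len (must be 4-32 characters)" >&2
    return 1
  fi
  case "$id" in
    gcp-*)
      echo "invalid ID '$id': the prefix 'gcp-' is reserved for use by Google" >&2
      return 2 ;;
  esac
  case "$id" in
    *[!a-z0-9-]*)
      echo "invalid ID '$id': only lowercase letters, digits and hyphens are allowed" >&2
      return 3 ;;
  esac
  return 0
}

# Wrapper around the create-oidc command from the issue. Both the pool ID
# and the provider ID are validated before gcloud runs; the project, pool
# and provider names are placeholders (the ones used in the issue), and the
# display name is an assumption.
create_github_provider() {
  local project="$1" pool="$2" provider="$3"
  wif_id_check "$pool" || return $?
  wif_id_check "$provider" || return $?
  gcloud iam workload-identity-pools providers create-oidc "$provider" \
    --project="$project" \
    --location="global" \
    --workload-identity-pool="$pool" \
    --display-name="GitHub Actions provider" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
    --issuer-uri="https://token.actions.githubusercontent.com"
}

# Usage (the first call is the one that failed in the issue, the second is
# the renamed provider that succeeded):
#   create_github_provider cloud-devops-viking-test-area drpandamd-gh gcp-python-tornado-gh-actions
#   create_github_provider cloud-devops-viking-test-area drpandamd-gh python-tornado-ghactions
```

Run against the names in the thread, `drpandamd-gh` passes every rule, which is why the pool was created without complaint, while `gcp-python-tornado-gh-actions` is rejected on the prefix rule before any API call is made. The check is deliberately independent of gcloud so it can sit in a Makefile or CI step that provisions federation resources.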