google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0

Use with default authentication method (gcloud or authentication helpers) #4

Closed GregoireW closed 3 years ago

GregoireW commented 3 years ago

It feels like it is more a discussion than an issue, but as discussions are not enabled I am opening this issue.

This process is a great way to get an access token, but Google helpers (Docker credential helpers, library helpers, ...) will use GOOGLE_APPLICATION_CREDENTIALS or call gcloud to get an access token.

Is there a way to use this access token transparently with those helpers? (Something like a GOOGLE_APPLICATION_ACCESS_TOKEN env variable.)

Thank you

jonjohnsonjr commented 3 years ago

You should be able to set GOOGLE_APPLICATION_CREDENTIALS to an appropriate configuration file as per https://cloud.google.com/iam/docs/access-resources-oidc#generate-automatic

Some tools might need to be updated to support this, e.g. the newest docker-credential-gcr release should have a recent enough version of golang.org/x/oauth2/google to work (let me know if it doesn't work as expected).

sethvargo commented 3 years ago

Hi @GregoireW - thank you for opening an issue. The ability to pass access tokens to the Cloud SDK and other client libraries via an environment variable/flag is still being developed. As @jonjohnsonjr said, you can set GOOGLE_APPLICATION_CREDENTIALS to a configuration file and gcloud will do the access token dance, but there's no current way to give an access token directly to gcloud.

Let me know if you have further questions!

GregoireW commented 3 years ago

@sethvargo @jonjohnsonjr I think I'm going blind, as I missed the generate-automatic thing, which seems promising for my use case.

I tried to follow the steps; there are some typos I think (or there are options not available yet).

In the gcloud doc there is https://cloud.google.com/iam/docs/workload-identity-federation#impersonation

The policy binding is linked to the pool, not the provider, so the readme.MD stating `gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/iam.workloadIdentityUser" --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_PROVIDER_ID}/*"` is wrong.

Also, I have a hard time making things work with the repository.

As repositories are in the format org/name, I'm not sure if it is possible to map this key directly and use a suffix like /attribute.repo/my-org/my-repo

I tried to map the attribute with `attribute.repo=assertion.repository.extract("/{repo}")` but no luck. Is it possible to have an example of how to do this mapping?

Thank you

sethvargo commented 3 years ago

Hi @GregoireW

I updated the README instructions to be a bit clearer (hopefully). You were right that there was a bug in one of the commands.

> As repository are in the format org/name, I'm not sure if it is possible to map directly this key and use a suffix like /attribute.repo/my-org/my-repo

It's possible - I just verified. However, you could also set an attribute on pool admission (instead of at permission mapping time) using a more complex CEL expression if you'd like.

I have an example in the readme, but it's just attribute.repository=username/repo.

GregoireW commented 3 years ago

Hello,

I created a PR to add a feature creating GOOGLE_APPLICATION_CREDENTIALS, but I ran into some issues. As I have several, and for some I'm not sure where they come from (and @jonjohnsonjr, you wrote that I can let you know if there are issues :D), I am writing them all here.

First of all, it is funny, but the docs seem to change a lot these days. Docs I had yesterday are not available today.

It gives you a JSON file with a credential source type `txt`, except... the libraries use `text`. The Go lib and the Java lib, for instance. So I guess the file generation needs to be updated. I chose to implement "text" in the PR I created.

Note: if I manually update some dependencies, it works, so when all these little things are fixed, it will be good news for me.

sethvargo commented 3 years ago

To push to GCR or AR, you need to configure Docker to use the generated access token, for example:

```yaml
jobs:
  run:
    # ...

    # Add "id-token" with the intended permissions.
    permissions:
      id-token: write
      contents: read

    steps:
    - id: 'google-cloud-auth'
      name: 'Authenticate to Google Cloud'
      uses: 'sethvargo/oidc-auth-google-cloud@v0.2.0'
      with:
        token_format: 'access_token'
        workload_identity_provider: '[REPLACE]'
        service_account: '[REPLACE]'

    - id: 'docker-login'
      run: |-
        echo "${{ steps.google-cloud-auth.outputs.access_token }}" | docker login -u oauth2accesstoken --password-stdin https://[REGION]-docker.pkg.dev
```

GregoireW commented 3 years ago

For Docker, that is what I did to test and there is no problem with that. I just have an issue scaling this solution to all my builds. It is easier to set up the action and leave everything else the same in the build.

I answer myself on some issues I raised earlier:

For gcloud it is OK: it is not with `gcloud auth activate-service-account` but with `gcloud auth --cred-file` that we need to register the file (well, that's counter-intuitive, and why????).

Once gcloud works, the other issues are easier to manage, as the process in the libraries is to use GOOGLE_APPLICATION_CREDENTIALS and, if that fails, use gcloud authentication. So even if the libraries are not up to date, there is a warning (json invalid...) but in the end, it works.

On the update part, should I open an issue on each project, or will you take care of this?

Again, thank you for this process, as it solves one of my biggest issues.
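The two findings above (the credential configuration file that GOOGLE_APPLICATION_CREDENTIALS must point at, with `"type": "text"` rather than `"txt"` in `credential_source.format`, and the need to register that file with `gcloud auth login --cred-file` rather than `activate-service-account`) fit together as one small script. The following is an added example written for this page; it is not code from the google-github-actions/auth project or from any participant in the thread. The function names `write_wif_credential_file` and `credential_format_type`, the file paths, and the pool/provider/service-account identifiers are all placeholders; the JSON shape is the standard `external_account` credential configuration for workload identity federation.

```shell
#!/bin/sh
# Added example (not the project's own code): build the external_account
# credential configuration that GOOGLE_APPLICATION_CREDENTIALS points at.
# credential_source.format.type is "text", which is what the Go and Java
# client libraries accept (the thread reports "txt" being rejected).
# All names and identifiers below are placeholders.

# write_wif_credential_file OUT_FILE TOKEN_FILE AUDIENCE SERVICE_ACCOUNT_EMAIL
#   OUT_FILE      where the credential configuration is written
#   TOKEN_FILE    plain-text file holding the GitHub OIDC JWT for this job
#   AUDIENCE      //iam.googleapis.com/projects/NUM/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
#   SERVICE_ACCOUNT_EMAIL  the service account to impersonate via STS
write_wif_credential_file() {
  out="$1"; token_file="$2"; audience="$3"; sa="$4"
  # Subshell so the restrictive umask applies only to this file: it names
  # the token file and grants whoever reads it the same impersonation path.
  (
    umask 077
    cat > "$out" <<EOF
{
  "type": "external_account",
  "audience": "$audience",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${sa}:generateAccessToken",
  "credential_source": {
    "file": "$token_file",
    "format": { "type": "text" }
  }
}
EOF
  )
}

# credential_format_type FILE
#   Prints credential_source.format.type from FILE. A pre-flight check before
#   handing the file to client libraries: anything other than "text" or "json"
#   will be rejected. Uses grep/sed only, so it works on CI images without jq.
credential_format_type() {
  grep -o '"format": *{ *"type": *"[a-z_]*"' "$1" | sed 's/.*"\([a-z_]*\)"$/\1/'
}

# Usage in a workflow step, once the OIDC token has been saved to a file:
#   write_wif_credential_file "$RUNNER_TEMP/gha-creds.json" "$RUNNER_TEMP/oidc-token.txt" \
#     "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" \
#     "my-service-account@PROJECT_ID.iam.gserviceaccount.com"
#   [ "$(credential_format_type "$RUNNER_TEMP/gha-creds.json")" = "text" ] || exit 1
#   export GOOGLE_APPLICATION_CREDENTIALS="$RUNNER_TEMP/gha-creds.json"
#   gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS"
```

With the file in place, client libraries that read GOOGLE_APPLICATION_CREDENTIALS exchange the GitHub OIDC token at the STS endpoint and then impersonate the service account, and `gcloud auth login --cred-file` makes gcloud itself (and therefore the helpers that fall back to gcloud) use the same file. Keep the token file and the configuration under $RUNNER_TEMP so they do not outlive the job or end up in the repository checkout.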

sethvargo commented 3 years ago

Hi @GregoireW

We're going to update all the actions once GitHub announces this feature is stable. For now, GitHub is still updating the APIs.

fleroux514 commented 2 years ago

> You should be able to set GOOGLE_APPLICATION_CREDENTIALS to an appropriate configuration file as per https://cloud.google.com/iam/docs/access-resources-oidc#generate-automatic
>
> Some tools might need to be updated to support this, e.g. the newest docker-credential-gcr release should have a recent enough version of golang.org/x/oauth2/google to work (let me know if it doesn't work as expected).

Hi, I had the same question, in order to find out how to authenticate to the Google Maven Artifact Registry using the Gradle plugin.

The link https://cloud.google.com/iam/docs/access-resources-oidc#generate-automatic now redirects to https://cloud.google.com/iam/docs/configuring-workload-identity-federation#oidc and I can't seem to find the info on how to set GOOGLE_APPLICATION_CREDENTIALS to an appropriate configuration file.

Thanks