google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0

Add support to include a `request_reason` with the `X-Goog-Request-Reason` system parameter header #412

Closed joaopenteado closed 6 months ago

joaopenteado commented 6 months ago

TL;DR

It would be very useful for auditing and tracking if we were able to specify a `request_reason` input parameter that is included with every API request in the `X-Goog-Request-Reason` header.

Users would also be able to dynamically generate this parameter based on the context of the workflow run or outputs from previous steps.

Detailed design

```yaml
uses: 'google-github-actions/auth@v2'
with:
  project_id: 'my-project'
  workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
  request_reason: 'foo'
```

Additional information

Additional discussion points

Should a default `request_reason` be provided if none is supplied by the user?

I often like to include the GitHub Actions run/job URL and I think it's a reasonable default, but others might differ.

```yaml
uses: 'google-github-actions/auth@v2'
with:
  project_id: 'my-project'
  workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
  request_reason: 'https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/jobs/${{ github.job }}'
```

github-actions[bot] commented 6 months ago

Hi there @joaopenteado :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo commented 6 months ago

Hi @joaopenteado, thanks for opening an issue. This is interesting. Which API call(s) do you think would benefit from having this header? I'm also not sure if that header applies to the STS endpoint (which is inherently unauthenticated).

joaopenteado commented 6 months ago

Hi @sethvargo! Thanks for getting back to me.

I haven't had the time to test this specifically with the STS or IAM Credentials API yet, but it should work according to the documentation.

> These parameters are available across all Google REST APIs and gRPC APIs. A system parameter can be specified either using an HTTP query parameter or an HTTP header.

It's worth noting that this feature is available on the Google Terraform provider through the similarly named `request_reason` configuration parameter or the `CLOUDSDK_CORE_REQUEST_REASON` environment variable.
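
The request in this thread, sketched as an added example (not part of the issue and not code from google-github-actions/auth): a `request_reason` value is validated before it is placed in the `X-Goog-Request-Reason` header, with the run URL from the discussion point as a fallback. The helper names, the length cap, and the use of the `GITHUB_SERVER_URL`, `GITHUB_REPOSITORY` and `GITHUB_RUN_ID` runner variables for the fallback are assumptions of this sketch.

```typescript
// Added example: hypothetical helpers, not the action's implementation.
const REQUEST_REASON_HEADER = 'X-Goog-Request-Reason';
// Assumed cap for this sketch; the thread does not state a limit.
const MAX_REASON_LENGTH = 1024;

type Env = Record<string, string | undefined>;

// Build the workflow-run URL suggested in the issue as a possible default.
function defaultRequestReason(env: Env): string | undefined {
  const server = env.GITHUB_SERVER_URL;
  const repo = env.GITHUB_REPOSITORY;
  const runId = env.GITHUB_RUN_ID;
  if (!server || !repo || !runId) return undefined;
  return `${server}/${repo}/actions/runs/${runId}`;
}

// The input may be assembled from workflow context or earlier step outputs,
// so treat it as untrusted before it becomes an HTTP header value.
function validateRequestReason(reason: string): string {
  const trimmed = reason.trim();
  if (trimmed.length === 0) throw new Error('request_reason is empty');
  if (trimmed.length > MAX_REASON_LENGTH) {
    throw new Error(`request_reason exceeds ${MAX_REASON_LENGTH} characters`);
  }
  // Printable ASCII only: rejects CR/LF (header injection) and control bytes.
  if (!/^[\x20-\x7e]+$/.test(trimmed)) {
    throw new Error('request_reason contains non-printable characters');
  }
  return trimmed;
}

// Return a copy of `headers` carrying the reason; the value is meant for
// auditing, so it should never contain tokens or other secrets.
function withRequestReason(
  headers: Record<string, string>,
  input: string | undefined,
  env: Env,
): Record<string, string> {
  const explicit = input !== undefined && input.trim() !== '';
  const reason = explicit ? input : defaultRequestReason(env);
  if (reason === undefined) return { ...headers };
  return { ...headers, [REQUEST_REASON_HEADER]: validateRequestReason(reason) };
}
```
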