google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0
964 stars 196 forks

Cannot find request_reason in Cloud Audit Logs #446

Closed threat-punter closed 2 weeks ago

threat-punter commented 1 month ago

### TL;DR

I configured this GitHub Action with a request_reason value, but cannot find it in any events in Cloud Audit Logs.

### Expected behavior

I set a value for request_reason in my GitHub Actions workflow file and validated that authentication works successfully.

I can't find the request_reason field or the value that I set in any of my Cloud Audit Logs. Do you know where this should be logged? Do you have an example query I can use in Logs Explorer to find the events?

https://github.com/google-github-actions/auth/blob/c8788cc4c52eba6566baf085281fec298f1a1146/README.md?plain=1#L287-L291

### Observed behavior

Unable to find request_reason or the value that I set in any of my Cloud Audit Logs after the GitHub Action authenticates successfully.

### Action YAML

```yaml
name: Workflow 1

on:
  schedule:
  - cron: "5 23 * * *"

  # workflow_dispatch allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

permissions:
  contents: write
  # 'id-token: write' is required to allow GitHub's OIDC provider to create a JSON Web Token for every run
  id-token: write

jobs:
  pull-latest-content:
    runs-on: ubuntu-latest

    env:
      LOGGING_LEVEL: ${{ vars.LOGGING_LEVEL }}
      GOOGLE_CLOUD_PROJECT_ID: ${{ vars.GOOGLE_CLOUD_PROJECT_ID }}

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GH_PAT }}

      - uses: google-github-actions/auth@v2
        with:
          project_id: ${{ vars.GOOGLE_CLOUD_PROJECT_ID }}
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          access_token_lifetime: 300
          export_environment_variables: true
          create_credentials_file: true
          cleanup_credentials: true
          request_reason: "GitHub Actions - 123456789"
```


### Log output

_No response_

### Additional information

_No response_

github-actions[bot] commented 1 month ago

Hi there @threat-punter :wave:!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

sethvargo commented 1 month ago

Hi @threat-punter - can you attach the debug logs? That will help me see whether the header is actually being set on the appropriate API call. Have you enabled CAL and DAL?

sethvargo commented 1 month ago

Hey @threat-punter - any luck after those various changes?

threat-punter commented 1 month ago

I see X-Goog-Request-Reason is being logged by the GitHub Actions workflow now.

I'm not sure what Data Access audit log setting(s) to enable though so that this is logged in my Google Cloud project. 🤔

sethvargo commented 1 month ago

It should be sts.googleapis.com
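
The thread asks for a Logs Explorer query and for where the `request_reason` value should land. The following is an added example (not code from this issue, the action, or Google), put here after the pointer to sts.googleapis.com. It builds the Data Access audit log filter for that service and applies the same filter client-side to exported entries. The field path `protoPayload.requestMetadata.requestAttributes.reason` is the audit log field that Google Cloud documents as carrying the `X-Goog-Request-Reason` header value; treat it as an assumption to verify against your own logs. The sample entries, the project id `my-project`, the principal address, and the second service name `iamcredentials.googleapis.com` are all constructed for the example.

```python
import json
from typing import Any, Dict, List, Sequence

# Service named in the thread as the one that should record the exchange.
STS_SERVICE = "sts.googleapis.com"

# Assumption: Cloud Audit Logs store the X-Goog-Request-Reason header value here.
REASON_PATH: Sequence[str] = ("protoPayload", "requestMetadata", "requestAttributes", "reason")


def logs_explorer_query(project_id: str, reason: str, service: str = STS_SERVICE) -> str:
    """Build a Logs Explorer filter for Data Access audit entries carrying `reason`.

    Data Access entries are written to the cloudaudit.googleapis.com/data_access
    log; the slash is URL-encoded as %2F inside logName.
    """
    escaped = reason.replace("\\", "\\\\").replace('"', '\\"')
    return "\n".join(
        [
            f'logName="projects/{project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"',
            f'protoPayload.serviceName="{service}"',
            f'{".".join(REASON_PATH)}="{escaped}"',
        ]
    )


def get_path(obj: Any, path: Sequence[str]) -> Any:
    """Walk nested dicts along `path`; return None as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def entries_with_reason(entries: List[Dict[str, Any]], reason: str,
                        service: str = STS_SERVICE) -> List[Dict[str, Any]]:
    """Apply the same filter as logs_explorer_query() to already-exported entries
    (for example the JSON output of `gcloud logging read --format=json`)."""
    return [
        e for e in entries
        if get_path(e, ("protoPayload", "serviceName")) == service
        and get_path(e, REASON_PATH) == reason
    ]


def summarize(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields a reviewer wants to see from a matching entry."""
    return {
        "insertId": entry.get("insertId"),
        "timestamp": entry.get("timestamp"),
        "principal": get_path(entry, ("protoPayload", "authenticationInfo", "principalEmail")),
        "reason": get_path(entry, REASON_PATH),
    }


# Constructed sample entries (not real logs): an STS entry carrying the reason,
# an STS entry with no requestAttributes at all (the header never reached the
# log), and an entry from a different, assumed service with the same reason.
SAMPLE_ENTRIES: List[Dict[str, Any]] = json.loads(r'''
[
  {"insertId": "sts-1", "timestamp": "2024-06-01T23:05:10Z",
   "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
   "protoPayload": {"serviceName": "sts.googleapis.com",
     "authenticationInfo": {"principalEmail": "github-actions-subject@example.invalid"},
     "requestMetadata": {"requestAttributes": {"reason": "GitHub Actions - 123456789"}}}},
  {"insertId": "sts-2", "timestamp": "2024-06-01T23:05:11Z",
   "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
   "protoPayload": {"serviceName": "sts.googleapis.com",
     "authenticationInfo": {"principalEmail": "github-actions-subject@example.invalid"},
     "requestMetadata": {"callerIp": "203.0.113.7"}}},
  {"insertId": "iamcred-1", "timestamp": "2024-06-01T23:05:12Z",
   "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
   "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
     "authenticationInfo": {"principalEmail": "github-actions-subject@example.invalid"},
     "requestMetadata": {"requestAttributes": {"reason": "GitHub Actions - 123456789"}}}}
]
''')


if __name__ == "__main__":
    reason = "GitHub Actions - 123456789"
    print(logs_explorer_query("my-project", reason))
    for entry in entries_with_reason(SAMPLE_ENTRIES, reason):
        print(summarize(entry))
```

Paste the printed filter into Logs Explorer, or pass it to `gcloud logging read --project my-project --format=json` and feed the resulting array to `entries_with_reason()`. Two things have to be true before anything matches: Data Access audit logging must be enabled for the service in question (the thread covers turning it on for the Security Token Service API), and the header has to be present on the specific call that service audits, which is what the debug logs requested above let you confirm. The second sample entry shows what an entry looks like when the reason never made it into the log, which is indistinguishable in the query result from the header not being sent at all.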

threat-punter commented 1 month ago

I'll try and find the appropriate setting(s) and report back here. Cheers

threat-punter commented 1 month ago

I have data access audit logging enabled for the Security Token Service API. I can't find the request reason in my logs. Is it logged for you?

[screenshot attached to the comment; not reproduced here]