google-github-actions / deploy-cloudrun

A GitHub Action for deploying services to Google Cloud Run.
https://cloud.google.com/run
Apache License 2.0

Error authenticating the Cloud SDK when using Workload Identity Federation #282

Closed kkr16 closed 2 years ago

kkr16 commented 2 years ago

TL;DR

I'm trying to use Workload Identity Federation, I'm using it as described in issue https://github.com/google-github-actions/deploy-cloudrun/issues/248#issuecomment-979698204 but still get Error: Error authenticating the Cloud SDK. when running the workflow.

I believe my auth setup is correct, because I'm able to build my image and push it to GCR using the same auth steps.

Expected behavior

google-github-actions/deploy-cloudrun should be able to deploy to Cloud Run using Workload Identity Federation

Observed behavior

google-github-actions/deploy-cloudrun fails the deployment to Cloud Run with an authentication error: Error: Error authenticating the Cloud SDK.

Action YAML

name: test_cr

on:
  push:
    branches:
    - '*'
  pull_request:
    branches: [ main ]

jobs:
  deploycr:
   runs-on: 'ubuntu-latest'
   permissions:
      contents: 'read'
      id-token: 'write'
   steps:
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0.4.0'
      with:
        workload_identity_provider: '...'
        service_account: '...'
    - name: Deploy to Cloud Run
      id: deploy
      uses: google-github-actions/deploy-cloudrun@main
      with:
        service: hello-cloud-run 
        image: gcr.io/cloudrun/hello

Log output

No response

Additional information

No response

kkr16 commented 2 years ago

I'm able to deploy using gcloud run within the same workflow using the below syntax, which IMO, eliminates Service Account permissions issues or Identity Federation issues.

      run: |-
        gcloud run deploy test-cr --image=gcr.io/cloudrun/hello:latest --region=us-central1

sethvargo commented 2 years ago

Hi @kkr16

Thank you for opening an issue.

  1. We recommend pinning auth to @v0 unless you need to pin to a specific version. I don't think that is the issue here, but it's a best practice we're trying to advocate.

  2. It would be helpful if you could verify the auth step is working as intended. The easiest way to do this would be to add the token_format: 'access_token' property to the auth YAML:

    uses: 'google-github-actions/auth@v0'
    with:
      # existing values
      token_format: 'access_token'

sethvargo commented 2 years ago

Oh actually, I see it now. Can you add actions/checkout@v2 as the first step?

kkr16 commented 2 years ago

Thank you for your quick response Seth! :)

  1. We recommend pinning auth to @v0 unless you need to pin to a specific version. I don't think that is the issue here, but it's a best practice we're trying to advocate.

I tried pinning v0 then set it back to main to mimic the example https://github.com/google-github-actions/deploy-cloudrun/issues/248#issuecomment-979698204 - either way doesn't work.

  1. It would be helpful if you could verify the auth step is working as intended. The easiest way to do this would be to add the token_format: 'access_token' property to the auth YAML

Did that - the auth step passes without issues.

Can you add actions/checkout@v2 as the first step?

Just tried it - no changes.

kkr16 commented 2 years ago

Issue is fixed - I had to pin to v0 AND put actions/checkout@v2 as the first step - I had tested the changes independently of each other. Can confirm that the below works great:

jobs:
  deploycr:
   runs-on: 'ubuntu-latest'
   permissions:
      contents: 'read'
      id-token: 'write'
   steps:
    - uses: actions/checkout@v2
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: '...'
        service_account: '...'
    - name: Deploy to Cloud Run
      id: deploy
      uses: google-github-actions/deploy-cloudrun@v0
      with:
        service: hello-cloud-run 
        image: gcr.io/cloudrun/hello

Thanks @sethvargo !
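
A check for the two conditions this thread ended on (actions/checkout before the auth step, and no google-github-actions action tracking main), as an added example that is not part of the original thread or the project's code. The function name `lint_workflow` and the line-based scan of a single-job workflow are assumptions made for illustration.

```python
import re

# Matches "uses: owner/repo@ref" on a step line, quoted or not, with or without "- ".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"@\s]+)@([^'"\s]+)""")
AUTH = "google-github-actions/auth"

def lint_workflow(text):
    """Return findings for the two problems this thread ran into.

    Assumption: a line-based scan of a single-job workflow, not a YAML parser.
    """
    steps = [m.groups() for m in map(USES_RE.match, text.splitlines()) if m]
    names = [action for action, _ in steps]
    findings = []
    # The deploy only worked here once actions/checkout ran before the auth step.
    if AUTH in names and "actions/checkout" not in names[:names.index(AUTH)]:
        findings.append("actions/checkout must run before " + AUTH)
    # The working workflow in the thread pinned the actions to @v0 instead of main.
    for action, ref in steps:
        if action.startswith("google-github-actions/") and ref == "main":
            findings.append(action + "@main should be pinned, e.g. @v0")
    return findings

# Step lines taken from the failing and the working workflow in this thread.
BROKEN = """\
   steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0.4.0'
    - name: Deploy to Cloud Run
      uses: google-github-actions/deploy-cloudrun@main
"""
FIXED = """\
   steps:
    - uses: actions/checkout@v2
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
    - name: Deploy to Cloud Run
      uses: google-github-actions/deploy-cloudrun@v0
"""

if __name__ == "__main__":
    for label, workflow in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_workflow(workflow))
```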