Closed kkr16 closed 2 years ago
I'm able to deploy using gcloud run
within the same workflow using below syntax, which IMO, eliminates Service Account permissions issues or Identify Federation issues.
run: |-
gcloud run deploy test-cr --image=gcr.io/cloudrun/hello:latest --region=us-central1
Hi @kkr16
Thank you for opening an issue.
We recommend pinning auth
to @v0
unless you need to pin to a specific version. I don't think that is the issue here, but it's a best practice we're trying to advocate.
It would be helpful if you could verify the auth
step is working as intended. The easiest way to do this would be to add the token_format: 'access_token'
property to the auth
YAML:
uses: 'google-github-actions/auth@v0'
with:
// existing values
token_format: 'access_token'
Oh actually, I see it now. Can you add actions/checkout@v2
as the first step?
Thank you for your quick response Seth! :)
- We recommend pinning
auth
to@v0
unless you need to pin to a specific version. I don't think that is the issue here, but it's a best practice we're trying to advocate.
I tried pinning v0
then set it back to main
to mimic the example https://github.com/google-github-actions/deploy-cloudrun/issues/248#issuecomment-979698204 - either way doesn't work.
- It would be helpful if you could verify the
auth
step is working as intended. The easiest way to do this would be to add thetoken_format: 'access_token'
property to theauth
YAML
Did that - the auth step passes without issues.
Can you add actions/checkout@v2 as the first step?
Just tried it - no changes.
Issue is fixed - I had to pin to v0 AND put actions/checkout@v2 as the first step - I had tested the changes independently of each other. Can confirm that the below works great:
jobs:
deploycr:
runs-on: 'ubuntu-latest'
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v2
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: '...'
service_account: '...'
- name: Deploy to Cloud Run
id: deploy
uses: google-github-actions/deploy-cloudrun@v0
with:
service: hello-cloud-run
image: gcr.io/cloudrun/hello
Thanks @sethvargo !
TL;DR
I'm trying to use Workload Identity Federation, I'm using it as described in issue https://github.com/google-github-actions/deploy-cloudrun/issues/248#issuecomment-979698204 but still get
Error: Error authenticating the Cloud SDK.
when running the workflow.I believe my auth setup is correct, because I'm able to build my image and push it to GCR using the same auth steps.
Expected behavior
google-github-actions/deploy-cloudrun should be able to deploy to Cloud Run using Workload Identity Federation
Observed behavior
google-github-actions/deploy-cloudrun fails the deployment to Cloud Run with an authentication error:
Error: Error authenticating the Cloud SDK.
Action YAML
Log output
No response
Additional information
No response