google-github-actions / get-gke-credentials

A GitHub Action that configures authentication to a GKE cluster.
https://cloud.google.com/gke
Apache License 2.0

Does not work with google-github-actions/auth action (Please merge PR #93!) #140

Closed toga4 closed 2 years ago

toga4 commented 2 years ago

TL;DR

The google-github-actions/auth action generates external_account credentials, but currently this action doesn't work with external_account credentials. This behavior would be fixed after #93 is merged, because the PR includes a library update and google-auth-library now supports external_account. So please kindly merge it.

Expected behavior

Successfully get GKE credentials using the credentials generated by the google-github-actions/auth action.

Observed behavior

Failed with error message: The incoming JSON object does not contain a client_email field

Reproduction

Action YAML

name: Deploy to GKE

on:
  push:
    branches:
      - main
    paths:
      - kubernetes/**.yaml
      - .github/workflows/gke.yaml

env:
  GCLOUD_PROJECT: *****
  GKE_CLUSTER_NAME: *****
  GKE_CLUSTER_LOCATION: us-central1-c

jobs:
  deploy:
    name: deploy
    runs-on: ubuntu-latest

    # Add "id-token" with the intended permissions.
    permissions:
      contents: "read"
      id-token: "write"

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      # Configure Workload Identity Federation via a credentials file.
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@main
        with:
          create_credentials_file: true
          workload_identity_provider: projects/*****/locations/global/workloadIdentityPools/*****/providers/*****
          service_account: github-actions@*****.iam.gserviceaccount.com
          access_token_scopes: |
            https://www.googleapis.com/auth/cloud-platform
            https://www.googleapis.com/auth/userinfo.email

      - name: Authenticate to GKE
        uses: google-github-actions/get-gke-credentials@main
        with:
          cluster_name: ${{ env.GKE_CLUSTER_NAME }}
          location: ${{ env.GKE_CLUSTER_LOCATION }}

      - name: Deploy to GKE
        run: |
          kubectl apply -k ./kubernetes

Additional information

As a workaround, get the credentials with the gcloud CLI instead of using actions.

      # Configure Workload Identity Federation via a credentials file.
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@main
        with:
          create_credentials_file: true
          workload_identity_provider: projects/*****/locations/global/workloadIdentityPools/*****/providers/*****
          service_account: github-actions@*****.iam.gserviceaccount.com
          access_token_scopes: |
            https://www.googleapis.com/auth/cloud-platform
            https://www.googleapis.com/auth/userinfo.email

      - name: Authenticate to GKE
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          gcloud container clusters get-credentials $GKE_CLUSTER_NAME --project $GCLOUD_PROJECT --zone $GKE_CLUSTER_LOCATION

      - name: Deploy to GKE
        run: |
          kubectl apply -k ./kubernetes
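
The credential-type mismatch reported above, as an added example that is not part of the original issue or of the action's code: a preflight check that classifies a Google credentials JSON as a keyless `external_account` (Workload Identity Federation) file or a long-lived `service_account` key, next to a model of a loader that only accepts the latter. The function names, the sample values and the simplified loader are assumptions made for illustration; only the error message is taken from the report.

```javascript
// Added example: preflight check for a Google credentials JSON used in CI.
// Field names follow the service_account and external_account file formats.
const EXTERNAL_REQUIRED = ['audience', 'subject_token_type', 'token_url', 'credential_source'];

// Classify a parsed credentials object and list what a reviewer should look at.
function inspectCredentials(creds) {
  const findings = [];
  if (creds === null || typeof creds !== 'object' || Array.isArray(creds)) {
    return { kind: 'invalid', keyless: false, findings: ['not a JSON object'] };
  }
  if (creds.type === 'external_account') {
    for (const field of EXTERNAL_REQUIRED) {
      if (!(field in creds)) findings.push(`missing ${field}`);
    }
    if ('private_key' in creds) findings.push('unexpected private_key in federated config');
    return { kind: 'external_account', keyless: !('private_key' in creds), findings };
  }
  if (creds.type === 'service_account') {
    for (const field of ['client_email', 'private_key']) {
      if (!creds[field]) findings.push(`missing ${field}`);
    }
    findings.push('long-lived service account key stored in CI');
    return { kind: 'service_account', keyless: false, findings };
  }
  return { kind: 'unknown', keyless: false, findings: [`unsupported type: ${String(creds.type)}`] };
}

// Hypothetical model of a loader that only understands service account keys
// (not the library's code). Federated files fail with the message from this issue.
function legacyServiceAccountOnlyLoad(creds) {
  if (!creds.client_email) {
    throw new Error('The incoming JSON object does not contain a client_email field');
  }
  return { email: creds.client_email };
}

// Constructed sample in the external_account format; every value is a placeholder.
const sampleExternal = {
  type: 'external_account',
  audience: '//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-provider',
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  service_account_impersonation_url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com:generateAccessToken',
  credential_source: { url: 'https://example.invalid/oidc', format: { type: 'json', subject_token_field_name: 'value' } },
};
```

Running `inspectCredentials` on the file at `steps.auth.outputs.credentials_file_path` before the GKE step shows which kind of credential the job actually carries.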

bharathkkb commented 2 years ago

Thanks for the report! We are in the process of updating all actions to work with auth. I haven't merged the PR due to this.

toga4 commented 2 years ago

Sounds great! I'm looking forward to all actions being updated. Thanks.

toga4 commented 2 years ago

Apparently #93 has been merged and a new version released, and it now supports the auth action. Thank you so much for your work! I'll close this issue.

bharathkkb commented 2 years ago

@toga4 we have also updated the docs in https://github.com/google-github-actions/get-gke-credentials/pull/141 with auth Action & WIF being our recommended approach.