google-github-actions / get-gke-credentials

A GitHub Action that configures authentication to a GKE cluster.
https://cloud.google.com/gke
Apache License 2.0

Action fails with Workload Identity Provider on a separate project #190

Closed czerasz-mineiros closed 2 years ago

czerasz-mineiros commented 2 years ago

TL;DR

Issues using Workload Identity Provider on another project.

Expected behavior

No errors

Observed behavior

Error: google-github-actions/get-gke-credentials failed with: the caller does not have permission

Action YAML

...

on:
  pull_request:
    branches:
      - main

jobs:
  preview-staging-deployment:
    name: Preview Staging Deployment

    permissions:
      contents: read
      id-token: write

    runs-on: ubuntu-20.04
    strategy:
      matrix:
        server-types:
          - one
          - two
          - three

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}

      - id: auth
        name: Authenticate to GCP
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions/providers/github-actions
          service_account: some-app@project-one.iam.gserviceaccount.com

      # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0

      - name: Log gcloud configuration
        run: |-
          gcloud info

      - id: get-gke-credentials
        name: get GKE credentials
        uses: google-github-actions/get-gke-credentials@v0
        with:
          project_id: project-two
          location: <some-region>
          cluster_name: k8s-cluster-name

      ...

Additional information

Tried also with the following workflow:

...

on:
  pull_request:
    branches:
      - main

jobs:
  preview-staging-deployment:
    name: Preview Staging Deployment

    permissions:
      contents: read
      id-token: write

    runs-on: ubuntu-20.04
    strategy:
      matrix:
        server-types:
          - one
          - two
          - three

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}

      - id: auth
        name: Authenticate to GCP
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions/providers/github-actions
          service_account: some-app@project-one.iam.gserviceaccount.com

      # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0

      - name: Log gcloud configuration
        run: |-
          gcloud info

      - id: get-gke-credentials
        name: get GKE credentials
        run: |-
          gcloud --project=project-two container clusters get-credentials "k8s-cluster-name" --region "<some-region>"

      ...

The workflow fails with following error:

Run gcloud --project=project-name container clusters get-credentials "k8s-cluster" --region "${region}"
ERROR: (gcloud.container.clusters.get-credentials) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n  "error": {\n    "code": 403,\n    "message": "The caller does not have permission",\n    "status": "PERMISSION_DENIED"\n  }\n}\n')
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.

I did this since after impersonation of the some-app@project-one.iam.gserviceaccount.com ServiceAccount locally I was able to successfully generate the ~/.kube/config:

$ gcloud --project=project-two container clusters get-credentials "k8s-cluster-name" --region "<some-region>"
Fetching cluster endpoint and auth data.
kubeconfig entry generated for k8s-cluster-name.

My ServiceAccount seems to have the correct permissions:

$ gcloud projects get-iam-policy project-two | grep 'roles/container.clusterViewer'
...
- members:
  - serviceAccount:some-app@project-one.iam.gserviceaccount.com
  ...
  role: roles/container.clusterViewer
czerasz-mineiros commented 2 years ago

Fixed attribute_condition:

 ~ resource "google_iam_workload_identity_pool_provider" "default" {
      ~ attribute_condition                = "\"my-org\" == assertion.repository_owner" -> "\"my-org\" == attribute.repository_owner"

also removed:

      # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0

      - name: Log gcloud configuration
        run: |-
          gcloud info

But still get:

Error: google-github-actions/get-gke-credentials failed with: the caller does not have permission
sethvargo commented 2 years ago

What is the output from the gcloud info command when it runs?

sethvargo commented 2 years ago

I tried to reproduce this issue, and I am unable to do so. I have two projects:

I tried both this action and using gcloud, and it succeeded as expected:

name: my-test-workflow

on:
  push:

jobs:
  test:
    runs-on: 'ubuntu-latest'
    # ...

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v2'

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/416438230019/locations/global/workloadIdentityPools/my-pool/providers/github'
        service_account: 'test-sa@sv-actions-test.iam.gserviceaccount.com'

    # Action
    - uses: 'google-github-actions/get-gke-credentials@v0'
      with:
        project_id: 'sv-wif-test2'
        location: 'us-central1'
        cluster_name: 'c'

    # Gcloud
    - uses: 'google-github-actions/setup-gcloud@v0'

    - run: |-
        gcloud container clusters get-credentials "c" --project=sv-wif-test2 --region "us-central1"

Thus I'm fairly convinced this is some configuration issue. However, WIF issues tend to be very difficult to debug, so any additional information you could provide would be helpful.

j0hnsmith commented 2 years ago

I've been debugging WIF issues, familiar with this error but there can be many causes. My 2c (could be very wide of the mark).

Guessing that gcloud iam service-accounts get-iam-policy some-app@project-one.iam.gserviceaccount.com --project {project 2} needs to show as below, if not, make it so and try again.

$ gcloud iam service-accounts get-iam-policy some-app@project-one.iam.gserviceaccount.com --project {project 2}

bindings:
- members:
  - principalSet://iam.googleapis.com/projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions
  role: roles/iam.serviceAccountTokenCreator
- members:
  - principalSet://iam.googleapis.com/projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions
  role: roles/iam.workloadIdentityUser
- members:
  - principalSet://iam.googleapis.com/projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions
  role: roles/iam.serviceAccountUser # this one may not be required
sethvargo commented 2 years ago

@j0hnsmith you shouldn't need serviceAccountTokenCreator or serviceAccountUser. If you're having problems, please open a new issue and complete the issue template so we can try to get a reproduction.

j0hnsmith commented 2 years ago

Mine was different but fixed, sorry for the interruption.

czerasz-mineiros commented 2 years ago

What is the output from the gcloud info command when it runs?

Google Cloud SDK [369.0.0]

Platform: [Linux, x86_64] uname_result(system='Linux', node='fv-az278-37', release='5.11.0-1025-azure', version='#27~20.04.1-Ubuntu SMP Fri Jan 7 15:02:06 UTC 2022', machine='x86_64', processor='x86_64')
Locale: ('en_US', 'UTF-8')
Python Version: [3.8.10 (default, Nov 26 2021, 20:14:08)  [GCC 9.3.0]]
Python Location: [/usr/bin/python3]
OpenSSL: [OpenSSL 1.1.1f  31 Mar 2020]
Requests Version: [2.22.0]
urllib3 Version: [1.25.9]
Site Packages: [Disabled]

Installation Root: [/opt/hostedtoolcache/gcloud/369.0.0/x64]
Installed Components:
  bq: [2.0.72]
  gsutil: [5.6]
  core: [2022.01.14]
System PATH: [/opt/hostedtoolcache/gcloud/369.0.0/x64/bin:/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/snap/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin]
Python PATH: [/opt/hostedtoolcache/gcloud/369.0.0/x64/lib/third_party:/opt/hostedtoolcache/gcloud/369.0.0/x64/lib:/usr/lib/python38.zip:/usr/lib/python3.8:/usr/lib/python3.8/lib-dynload]
Cloud SDK on PATH: [True]
Kubectl on PATH: [/usr/local/bin/kubectl]

WARNING: There are other instances of the Google Cloud Platform tools on your system PATH.
  /usr/lib/google-cloud-sdk/bin/gcloud
  /usr/lib/google-cloud-sdk/bin/anthoscli
  /usr/lib/google-cloud-sdk/bin/git-credential-gcloud.sh
  /usr/lib/google-cloud-sdk/bin/gsutil
  /usr/lib/google-cloud-sdk/bin/docker-credential-gcloud
  /usr/lib/google-cloud-sdk/bin/bq

Installation Properties: [/opt/hostedtoolcache/gcloud/369.0.0/x64/properties]
User Config Directory: [/home/runner/.config/gcloud]
Active Configuration Name: [default]
Active Configuration Path: [/home/runner/.config/gcloud/configurations/config_default]

Account: [some-app@project-one.iam.gserviceaccount.com]
Project: [project-one]

Current Properties:
  [auth]
    credential_file_override: [/home/runner/work/some_app/some_app/XXXXXXXXXXXXXXXXXXXXXXXX]
  [core]
    account: [some-app@project-one.iam.gserviceaccount.com]
    disable_usage_reporting: [True]
    project: [project-one]
  [metrics]
    environment: [github-actions-setup-gcloud]

Logs Directory: [/home/runner/.config/gcloud/logs]
Last Log File: [/home/runner/.config/gcloud/logs/2022.01.20/11.12.01.461872.log]

git: [git version 2.34.1]
ssh: [OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f  31 Mar 2020]
sethvargo commented 2 years ago

Thank you @czerasz-mineiros. That output tells me that gcloud is successfully authenticated as some-app@project-one.iam.gserviceaccount.com, which is the intended service account, right?

Is the gcloud ... get-credentials still failing even when the account is clearly set to some-app@project-one.iam.gserviceaccount.com? If so, that points to an IAM issue. Please make sure some-app@project-one.iam.gserviceaccount.com has clusterViewer or greater permissions on the target cluster. You should also ensure you don't have any organizational policies that prohibit cross-project authorization or enforce domain restricted sharing.

czerasz-mineiros commented 2 years ago

@sethvargo thanks a lot for the amazing support and feedback!

I had to take some distance from this... After two weeks I came back and spotted a typo in the IAM policy binding. I misspelled the repository name - instead of my_repo_name I used my-repo-name.

After adjusting it everything works fine.

One more time thx a lot for your help and the great work you put into this project!
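As an added example (not code from this issue or from the action itself), a small offline Python check that walks the same path IAM takes when a GitHub OIDC token is exchanged for the service account: apply the provider's attribute_mapping, evaluate the attribute_condition (a CEL subset: ==, != and &&), derive the principal:// and principalSet:// identifiers, and look for a roles/iam.workloadIdentityUser binding that matches one of them. The claims, provider settings and policy are constructed, the project number is a placeholder, and the binding reproduces the my-repo-name / my_repo_name mismatch from this thread, so the check reports it as a near miss rather than a match.

```python
import re

# Constructed sample: claims from a GitHub Actions OIDC token (abridged, not a real token).
SAMPLE_CLAIMS = {"sub": "repo:my-org/my_repo_name:ref:refs/heads/main",
                 "repository": "my-org/my_repo_name", "repository_owner": "my-org"}

# Constructed provider config: placeholder project number, pool name as in the issue.
PROVIDER = {
    "project_number": "000000000000",  # placeholder
    "pool_id": "github-actions",
    "attribute_mapping": {"google.subject": "assertion.sub",
                          "attribute.repository": "assertion.repository",
                          "attribute.repository_owner": "assertion.repository_owner"},
    "attribute_condition": '"my-org" == attribute.repository_owner',
}
POOL = ("principalSet://iam.googleapis.com/projects/{project_number}"
        "/locations/global/workloadIdentityPools/{pool_id}")

# Constructed IAM policy on the service account, reproducing the typo from this thread:
# the binding says my-repo-name while the token's repository claim says my_repo_name.
POLICY_WITH_TYPO = {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
    POOL.format(**PROVIDER) + "/attribute.repository/my-org/my-repo-name"]}]}

def map_attributes(claims, mapping):
    """Apply attribute_mapping; only plain `assertion.<claim>` expressions are supported here."""
    attrs = {}
    for target, expr in mapping.items():
        m = re.fullmatch(r"assertion\.(\w+)", expr)
        if not m or m.group(1) not in claims:
            raise ValueError(f"unsupported or unresolvable mapping {target}={expr}")
        attrs[target] = claims[m.group(1)]
    return attrs

def evaluate_condition(condition, claims, attrs):
    """CEL subset: `x == y` / `x != y` terms joined by &&; operands are "literals",
    assertion.<claim> or attribute.<name> references."""
    def operand(tok):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            return tok[1:-1]
        if tok.startswith("assertion."):
            return claims.get(tok[len("assertion."):])
        if tok.startswith("attribute."):
            return attrs.get(tok)
        raise ValueError(f"unsupported operand {tok!r}")
    for term in condition.split("&&"):
        m = re.fullmatch(r"\s*(\S+)\s*(==|!=)\s*(\S+)\s*", term)
        if not m:
            raise ValueError(f"unsupported condition term {term!r}")
        if (operand(m.group(1)) == operand(m.group(3))) != (m.group(2) == "=="):
            return False
    return True

def expected_members(provider, attrs):
    """Principal identifiers IAM would match this token against: subject and each attribute."""
    base = POOL.format(**provider)
    members = [base.replace("principalSet://", "principal://", 1) + "/subject/" + attrs["google.subject"]]
    return members + [f"{base}/{k}/{v}" for k, v in attrs.items() if k.startswith("attribute.")]

def diagnose(claims, provider, policy):
    """Offline walk through the exchange: mapping -> attribute_condition -> IAM binding lookup."""
    attrs = map_attributes(claims, provider["attribute_mapping"])
    result = {"condition_ok": evaluate_condition(provider["attribute_condition"], claims, attrs),
              "bound_member": None, "near_misses": []}
    wanted = expected_members(provider, attrs)
    fold = lambda s: s.lower().replace("-", "_")  # flags case or dash/underscore typos only
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/iam.workloadIdentityUser":
            continue
        for member in binding.get("members", []):
            if member in wanted:
                result["bound_member"] = member
            elif any(fold(member) == fold(w) for w in wanted):
                result["near_misses"].append(member)
    return result
```

A real diagnosis would feed in the decoded claims of the token the workflow actually received and the output of `gcloud iam service-accounts get-iam-policy`; the condition evaluator deliberately supports only the equality form used in this thread.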