Closed czerasz-mineiros closed 2 years ago
Fixed attribute_condition:

```hcl
~ resource "google_iam_workload_identity_pool_provider" "default" {
    ~ attribute_condition = "\"my-org\" == assertion.repository_owner" -> "\"my-org\" == attribute.repository_owner"
```

Also removed:

```yaml
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: Set up Cloud SDK
  uses: google-github-actions/setup-gcloud@v0
- name: Log gcloud configuration
  run: |-
    gcloud info
```

But still get:

```
Error: google-github-actions/get-gke-credentials failed with: the caller does not have permission
```
What is the output from the `gcloud info` command when it runs?
I tried to reproduce this issue, and I am unable to do so. I have two projects:

- sv-actions-test - has a service account with clusterViewer on sv-wif-test2, workload identity federation configured to allow auth
- sv-wif-test2 - has a GKE AP cluster named "c" in "us-central1"

I tried both this action and using gcloud, and it succeeded as expected:

```yaml
name: my-test-workflow
on:
  push:
jobs:
  test:
    runs-on: 'ubuntu-latest'
    # ...
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: 'actions/checkout@v2'
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/416438230019/locations/global/workloadIdentityPools/my-pool/providers/github'
          service_account: 'test-sa@sv-actions-test.iam.gserviceaccount.com'
      # Action
      - uses: 'google-github-actions/get-gke-credentials@v0'
        with:
          project_id: 'sv-wif-test2'
          location: 'us-central1'
          cluster_name: 'c'
      # Gcloud
      - uses: 'google-github-actions/setup-gcloud@v0'
      - run: |-
          gcloud container clusters get-credentials "c" --project=sv-wif-test2 --region "us-central1"
```
Thus I'm fairly convinced this is some configuration issue. However, WIF issues tend to be very difficult to debug, so any additional information you could provide would be helpful.
I've been debugging WIF issues, familiar with this error but there can be many causes. My 2c (could be very wide of the mark).
Guessing that `gcloud iam service-accounts get-iam-policy some-app@project-one.iam.gserviceaccount.com --project {project 2}` needs to show as below, if not, make it so and try again.

```
$ gcloud iam service-accounts get-iam-policy some-app@project-one.iam.gserviceaccount.com --project {project 2}
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions
  role: roles/iam.serviceAccountTokenCreator
- members:
  - principalSet://iam.googleapis.com/projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions
  role: roles/iam.workloadIdentityUser
- members:
  - principalSet://iam.googleapis.com/projects/<project-one ID>/locations/global/workloadIdentityPools/github-actions
  role: roles/iam.serviceAccountUser # this one may not be required
```
@j0hnsmith you shouldn't need serviceAccountTokenCreator or serviceAccountUser. If you're having problems, please open a new issue and complete the issue template so we can try to get a reproduction.
Mine was different but fixed, sorry for the interruption.
> What is the output from the `gcloud info` command when it runs?

```
Google Cloud SDK [369.0.0]

Platform: [Linux, x86_64] uname_result(system='Linux', node='fv-az278-37', release='5.11.0-1025-azure', version='#27~20.04.1-Ubuntu SMP Fri Jan 7 15:02:06 UTC 2022', machine='x86_64', processor='x86_64')
Locale: ('en_US', 'UTF-8')
Python Version: [3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]]
Python Location: [/usr/bin/python3]
OpenSSL: [OpenSSL 1.1.1f 31 Mar 2020]
Requests Version: [2.22.0]
urllib3 Version: [1.25.9]
Site Packages: [Disabled]

Installation Root: [/opt/hostedtoolcache/gcloud/369.0.0/x64]
Installed Components:
  bq: [2.0.72]
  gsutil: [5.6]
  core: [2022.01.14]
System PATH: [/opt/hostedtoolcache/gcloud/369.0.0/x64/bin:/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/snap/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin]
Python PATH: [/opt/hostedtoolcache/gcloud/369.0.0/x64/lib/third_party:/opt/hostedtoolcache/gcloud/369.0.0/x64/lib:/usr/lib/python38.zip:/usr/lib/python3.8:/usr/lib/python3.8/lib-dynload]
Cloud SDK on PATH: [True]
Kubectl on PATH: [/usr/local/bin/kubectl]

WARNING: There are other instances of the Google Cloud Platform tools on your system PATH.
  /usr/lib/google-cloud-sdk/bin/gcloud
  /usr/lib/google-cloud-sdk/bin/anthoscli
  /usr/lib/google-cloud-sdk/bin/git-credential-gcloud.sh
  /usr/lib/google-cloud-sdk/bin/gsutil
  /usr/lib/google-cloud-sdk/bin/docker-credential-gcloud
  /usr/lib/google-cloud-sdk/bin/bq
Installation Properties: [/opt/hostedtoolcache/gcloud/369.0.0/x64/properties]
User Config Directory: [/home/runner/.config/gcloud]
Active Configuration Name: [default]
Active Configuration Path: [/home/runner/.config/gcloud/configurations/config_default]

Account: [some-app@project-one.iam.gserviceaccount.com]
Project: [project-one]

Current Properties:
  [auth]
    credential_file_override: [/home/runner/work/some_app/some_app/XXXXXXXXXXXXXXXXXXXXXXXX]
  [core]
    account: [some-app@project-one.iam.gserviceaccount.com]
    disable_usage_reporting: [True]
    project: [project-one]
  [metrics]
    environment: [github-actions-setup-gcloud]

Logs Directory: [/home/runner/.config/gcloud/logs]
Last Log File: [/home/runner/.config/gcloud/logs/2022.01.20/11.12.01.461872.log]

git: [git version 2.34.1]
ssh: [OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020]
```
Thank you @czerasz-mineiros. That output tells me that gcloud is successfully authenticated as some-app@project-one.iam.gserviceaccount.com, which is the intended service account, right?

Is the `gcloud ... get-credentials` still failing even when the account is clearly set to some-app@project-one.iam.gserviceaccount.com? If so, that points to an IAM issue. Please make sure some-app@project-one.iam.gserviceaccount.com has clusterViewer or greater permissions on the target cluster. You should also ensure you don't have any organizational policies that prohibit cross-project authorization or enforce domain restricted sharing.
@sethvargo thanks a lot for the amazing support and feedback!
I had to take some distance from this... After two weeks I came back and spotted a typo in the IAM policy binding. I misspelled the repository name - instead of my_repo_name I used my-repo-name.

After adjusting it everything works fine.

One more time thx a lot for your help and the great work you put into this project!
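The binding shape discussed above and the root cause (a repository name misspelt in the principalSet member) lend themselves to an offline sanity check. The following is an added example, not code from this thread or from the google-github-actions project: it pushes constructed GitHub OIDC claims through a WIF attribute mapping, derives the principal:// and principalSet:// members IAM would accept for that identity, and compares them with a service account's bindings, reporting near-misses such as my_repo_name vs my-repo-name. The project number, pool ID, claim values and policy are all assumed.

```python
import difflib
import re
# Constructed sample input (not from the thread): claims from a GitHub Actions
# OIDC token for my-org/my_repo_name and a typical WIF attribute mapping.
CLAIMS = {"sub": "repo:my-org/my_repo_name:ref:refs/heads/main",
          "repository": "my-org/my_repo_name", "repository_owner": "my-org"}
MAPPING = {"google.subject": "assertion.sub",
           "attribute.repository": "assertion.repository"}
# Constructed service account policy carrying the thread's typo (hyphens).
BINDINGS = [{"role": "roles/iam.workloadIdentityUser", "members": [
    "principalSet://iam.googleapis.com/projects/123456789012/locations/global/"
    "workloadIdentityPools/github-actions/attribute/repository/my-org/my-repo-name"]}]

def map_attributes(claims, mapping):
    """Apply the mapping; only the plain 'assertion.<claim>' form is handled."""
    attrs = {}
    for target, expr in mapping.items():
        m = re.fullmatch(r"assertion\.(\w+)", expr)
        if not m or m.group(1) not in claims:
            raise ValueError(f"unsupported or unsatisfied mapping: {target} = {expr}")
        attrs[target] = claims[m.group(1)]
    return attrs

def expected_members(project_number, pool_id, attrs):
    """Members IAM would match: whole pool, exact subject, one set per attribute."""
    pool = (f"iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}")
    members = {f"principalSet://{pool}/*"}
    for name, value in attrs.items():
        if name == "google.subject":
            members.add(f"principal://{pool}/subject/{value}")
        elif name.startswith("attribute."):
            members.add(f"principalSet://{pool}/attribute/{name[10:]}/{value}")
    return members

def check_bindings(bindings, members, role="roles/iam.workloadIdentityUser"):
    """(ok, notes): ok when `role` is bound to a member the token satisfies;
    otherwise notes point at near-misses such as a misspelt repository name."""
    bound = {m for b in bindings if b["role"] == role for m in b["members"]}
    if bound & members:
        return True, []
    notes = [f"near miss: policy has {m!r}, token would yield {c[0]!r}"
             for m in sorted(bound)
             if (c := difflib.get_close_matches(m, sorted(members), 1, 0.9))]
    return False, notes or [f"no usable binding for {role}"]

def audit(project_number="123456789012", pool_id="github-actions", bindings=BINDINGS):
    attrs = map_attributes(CLAIMS, MAPPING)
    return check_bindings(bindings, expected_members(project_number, pool_id, attrs))
```

Against a real policy, feed `audit()` the `bindings` list from `gcloud iam service-accounts get-iam-policy ... --format=json` and the claims from a token the workflow actually minted.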
TL;DR

Issues using Workload Identity Provider on another project.

Expected behavior

No errors

Observed behavior

Action YAML

Additional information

Tried also with the following workflow:

The workflow fails with the following error:

I did this since after impersonation of the some-app@project-one.iam.gserviceaccount.com ServiceAccount locally I was able to successfully generate the ~/.kube/config:

My ServiceAccount seems to have the correct permissions: