Closed mowies closed 1 year ago
Hi @mowies
Thank you for opening an issue. I see there's some confusion about the auth action. I've opened https://github.com/google-github-actions/auth/pull/204 to clarify that the "accesstoken" and "idtoken" fields only apply to access tokens and ID tokens generated by the auth action; they do not extend to future actions.
Can you try setting use_auth_provider: true in your get-gke-credentials YAML instead? I believe that will handle token refreshes automatically.
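To make the two setups in this thread concrete, here is an added workflow sketch (not code from the issue author or from the google-github-actions maintainers). The first job relies on the auth action's own access-token lifetime and then hands the result to get-gke-credentials, which is the setup reported not to work past one hour; the second job adds the use_auth_provider: true input suggested above. The action version refs, the workload identity provider path, the service account e-mail, the cluster name and the location are placeholders, and the input names access_token_lifetime, workload_identity_provider, service_account, cluster_name and location are assumed from the actions' documented inputs rather than taken from this page:

```yaml
# Added example; all values below are placeholders, not from the issue.
name: deploy-to-gke
on: [push]

permissions:
  contents: read
  id-token: write   # required for Workload Identity Federation

jobs:
  # Setup A: the auth action mints a 2h access token, but the lifetime
  # applies only to that token. get-gke-credentials obtains its own
  # credential, so kubectl calls start failing after the default 1h.
  lifetime-only:
    runs-on: ubuntu-latest
    steps:
      - id: auth
        uses: google-github-actions/auth@v0          # placeholder ref
        with:
          token_format: access_token
          access_token_lifetime: 7200s               # 2h, auth token only
          workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: deployer@PROJECT.iam.gserviceaccount.com
      - uses: google-github-actions/get-gke-credentials@v0   # placeholder ref
        with:
          cluster_name: my-cluster
          location: us-central1
      - run: kubectl get pods

  # Setup B: the workaround proposed in the comment above. The kubeconfig
  # uses an auth provider that refreshes the token instead of embedding
  # a fixed one. The thread notes kubectl warns that this plugin is
  # deprecated in v1.22+ and unavailable in v1.25+.
  auth-provider:
    runs-on: ubuntu-latest
    steps:
      - id: auth
        uses: google-github-actions/auth@v0          # placeholder ref
        with:
          workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: deployer@PROJECT.iam.gserviceaccount.com
      - uses: google-github-actions/get-gke-credentials@v0   # placeholder ref
        with:
          cluster_name: my-cluster
          location: us-central1
          use_auth_provider: true
      - run: kubectl get pods
```

The id-token: write permission is what lets the auth action exchange the GitHub OIDC token for Google credentials via Workload Identity Federation; without it the auth step fails before any lifetime question arises.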
@sethvargo
Since my previous setup didn't work, I reverted back to using use_auth_provider: true and that does work, but then I get warnings like this:
W0706 03:25:14.141926 1916 gcp.go:120] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
And that's exactly what I wanted to prevent in the first place.
@bharathkkb thoughts?
@sethvargo @bharathkkb any updates on this?
Hi @mowies - sorry for the delay. Extending the token lifetime would require switching from the standard oauth2 endpoints to the iamcredentials endpoints. That is an easy fix, but doing so would require users to grant additional IAM roles such as ServiceAccountTokenCreator to their service account. The default token extension is not available from the standard oauth2 access points.
In addition to the permissions, the iamcredentials endpoint requires us to know the email address of the authenticated service account, which may not always be known. This is actually one of the reasons that the "auth" action requires a service_account_email input.
There are two options here:
TL;DR
I am using google-github-actions/auth with the following settings:
After that, I use the get-gke-credentials action to get my kubeconfig. I assumed that I can use that kubeconfig for the above set 7200s (2h) but instead, my pipeline still fails exactly after (the default) 1h with unauthorized errors.
Expected behavior
I can use my kube config for 2h, since I set my token in the auth action to be valid for 2h.
Observed behavior
My pipeline starts failing with unauthorized errors exactly after 1h. I checked the debug logs of my pipeline and the access token is indeed showing an expiration time of 2h. So I assume that the get-gke-credentials action uses a different token somehow?
Action YAML
Log output
Additional information
No response