Workload identity provider lives in a different project than the GKE cluster I want to access from a GitHub workflow. get-gke-credentials tries to access the GKE cluster in the project of the workload identity provider. Service account also lives in the workload identity provider project.
Expected behavior
project_id should be correctly picked up and overwrite any other projects (e.g. service account project)
Observed behavior
project_id is not respected. It seems that the project ID of the service account is always used.
Error: google-github-actions/get-gke-credentials failed with: kubernetes Engine API has not been used in project NUMBER-OF-PROJECT-TWO before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project=NUMBER-OF-PROJECT-TWO then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
Additional information
Project one owns the cluster.
Project two owns the service account to access the cluster and also the workload identity provider.
The service account in project two has roles/container.developer access in project one.
No matter which environment variable I overwrite, the logs always show that get-gke-credentials is trying to fetch credentials from project two. I tried all of the environment variables mentioned here: https://github.com/google-github-actions/auth#usage => export_environment_variables.
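For reference, the cross-project layout the report describes written out as a workflow, added here as an illustration (it is not the reporter's own Action YAML, which the report does not include). Project IDs, project number, pool, provider, service account and cluster names are placeholders; the report states that project_id on get-gke-credentials is not honoured, so this shows the intended configuration rather than a confirmed workaround.

```yaml
# Added illustration of the two-project setup from the report; all
# PROJECT_*/POOL_ID/PROVIDER_ID/CLUSTER_NAME values are placeholders.
name: deploy-to-gke
on: [push]

permissions:
  contents: read
  id-token: write   # required so the job can mint an OIDC token for WIF

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Authenticate against the workload identity provider and the
      # service account that both live in PROJECT TWO.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_TWO_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
          service_account: deployer@PROJECT_TWO_ID.iam.gserviceaccount.com

      # Fetch kubeconfig for the cluster owned by PROJECT ONE. The service
      # account above needs roles/container.developer in PROJECT ONE.
      # Per the report, this project_id is ignored and the service
      # account's project (PROJECT TWO) is queried instead.
      - uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: CLUSTER_NAME
          location: us-central1
          project_id: PROJECT_ONE_ID

      # Any kubectl call after this step uses the generated kubeconfig.
      - run: kubectl get nodes
```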