google-github-actions / get-gke-credentials

A GitHub Action that configures authentication to a GKE cluster.
https://cloud.google.com/gke
Apache License 2.0

Action not respecting auth/impersonate_service_account #299

Closed halradaideh closed 4 months ago

halradaideh commented 4 months ago

TL;DR

This action doesn't respect SA impersonation configured through `gcloud config set auth/impersonate_service_account`.

Expected behavior

No response

Observed behavior

No response

Action YAML

# - name: Get GKE credentials
#   uses: 'google-github-actions/get-gke-credentials@v2.1.0'
#   with:
#     project_id: "x"
#     cluster_name: 'y'
#     location: 'z'

Log output

No response

Additional information

No response

sethvargo commented 4 months ago

This action does not use gcloud, so it would not respect that setting.

halradaideh commented 4 months ago

Makes sense 😄 Can we at least make the action accept an access token, similar to https://github.com/docker/login-action?tab=readme-ov-file#workload-identity-federation-1?

I can obtain the access token using the GKE metadata server.

sethvargo commented 4 months ago

Hi @halradaideh, based on your other issue, I think there may be a misunderstanding about Service Account Impersonation. That being said, if you have an access token, this action is largely unnecessary. It's just writing a KUBECONFIG file to disk; you can do that yourself in a few lines of YAML: https://github.com/google-github-actions/get-gke-credentials/blob/209853c111c085f95a9a15e848e18044fac29fbc/src/gkeClient.ts#L326-L369

halradaideh commented 4 months ago

Got it. I found the file and swapped the accessToken, thus understanding that it only writes the file in the proper place with the access token obtained from the auth action.

          # Locate the kubeconfig the action wrote (first match only)
          file=$(find . -name 'gha-kubeconfig*' | head -n 1)
          # -r strips the JSON quotes so the token is inserted as a bare value
          DATA=$(jq -r .accessToken /tmp/token.json)
          # Use '|' as the sed delimiter so a '/' inside the token cannot break the expression
          sed -i "s|token: .*|token: $DATA|" "$file"