Open utterances-bot opened 2 years ago
Hello, very good job :+1 is it possible to deploy 2nd gen?
Hey Leandro! Great read, super easy to follow, thanks! I do have a problem though that maybe you've encountered as well. All steps run without problems up until the deployment. There, I get an error
Extracted project ID 'ordinal-chess-357711' from $GCLOUD_PROJECT Created zip file from './' at '/tmp/cfsrc-052811ef323d6add3eb70d33.zip' Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
I followed all the steps where permissions are granted to the service account but still this. Have you perhaps encountered this before?
Thanks again for the great guide!
Hello, very good job :+1 is it possible to deploy 2nd gen?
@moonston Not with this setup at the moment, but it's being tracked here for future implementation.
Hey Leandro! Great read, super easy to follow, thanks! I do have a problem though that maybe you've encountered as well. All steps run without problems up until the deployment. There, I get an error
Extracted project ID 'ordinal-chess-357711' from $GCLOUD_PROJECT Created zip file from './' at '/tmp/cfsrc-052811ef323d6add3eb70d33.zip' Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
I followed all the steps where permissions are granted to the service account but still this. Have you perhaps encountered this before?
Thanks again for the great guide!
Hi @JSenart, thanks for the feedback! Make sure you run both commands on Step 5 so it binds the necessary roles to your ServiceAccountUser. If you did that, and still doesn't work, please let me know!
Awesome guide, thanks so much! Loads more detail than Google give. Been trying to get this working for hours with Cloud Run, but can't get it to work...
Obviously made a few modifications to the steps, will have another go tomorrow but would be awesome if you made a guide for that too.
Just get this error, no matter how many perms I add:
google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command gcloud beta run deploy *** --quiet --platform managed --region *** --source ./ --project *** --format json
: ERROR: (gcloud.beta.run.deploy) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n')
Please run:
$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Hey Leandro! Great read, super easy to follow, thanks! I do have a problem though that maybe you've encountered as well. All steps run without problems up until the deployment. There, I get an error
Extracted project ID 'ordinal-chess-357711' from $GCLOUD_PROJECT Created zip file from './' at '/tmp/cfsrc-052811ef323d6add3eb70d33.zip' Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
I followed all the steps where permissions are granted to the service account but still this. Have you perhaps encountered this before? Thanks again for the great guide!
Hi @JSenart, thanks for the feedback! Make sure you run both commands on Step 5 so it binds the necessary roles to your ServiceAccountUser. If you did that, and still doesn't work, please let me know!
Hi again @leandrotoledo, thanks for your prompt response and sorry for the late reply :). I did complete step 5. Going to the IAM in my project I can see that the github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com service account has the roles:
Thanks again for the attention to this!
excellent run down, thanks! - all worked perfectly
for those needing to deploy via trigger (and change the region) the following should be swapped out in the .yaml file:
- id: "deploy"
uses: "google-github-actions/deploy-cloud-functions@v0"
with:
# Name of the Cloud Function, same as the entry point name
name: "${FUNCTION_NAME}"
# Runtime to use for the function
runtime: "nodejs16"
region: "asia-southeast1" // optional change of region
event_trigger_type: "google.pubsub.topic.publish"
event_trigger_resource: "projects/${PROJECT_VALUE}/topics/${TOPIC_ID}" // ie the string identifying the topic, not anything else
event_trigger_service: "pubsub.googleapis.com"
and if you have already deployed a http version - delete that first, or the trigger version will not deploy if using the same function name
Awesome guide, thanks so much! Loads more detail than Google give. Been trying to get this working for hours with Cloud Run, but can't get it to work...
Obviously made a few modifications to the steps, will have another go tomorrow but would be awesome if you made a guide for that too.
Just get this error, no matter how many perms I add:
google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command
gcloud beta run deploy *** --quiet --platform managed --region *** --source ./ --project *** --format json
: ERROR: (gcloud.beta.run.deploy) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n') Please run:$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Hi @LewisLebentz, I'm writing an article about doing the same on Cloud Run, stay tuned!
Hi again @leandrotoledo, thanks for your prompt response and sorry for the late reply :). I did complete step 5. Going to the IAM in my project I can see that the github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com service account has the roles:
- Cloud Functions Developer
- Service Account User
Thanks again for the attention to this!
Hi @JSenart, do you see a Workload Identity User on IAM & Admin > Service Accounts > github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com > Permissions?
Also, did you create this function outside the GitHub Action workflow? The 2nd gen is not yet supported by it. Try to delete the function on the Console and let it be created by the GitHub Actions workflow and see if you get different results.
excellent run down, thanks! - all worked perfectly
Thank you @gregorvand for the feedback and the additional information on trigger based functions!
Hi again @leandrotoledo, thanks for your prompt response and sorry for the late reply :). I did complete step 5. Going to the IAM in my project I can see that the github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com service account has the roles:
- Cloud Functions Developer
- Service Account User
Thanks again for the attention to this!
Hi @JSenart, do you see a Workload Identity User on IAM & Admin > Service Accounts > github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com > Permissions?
Also, did you create this function outside the GitHub Action workflow? The 2nd gen is not yet supported by it. Try to delete the function on the Console and let it be created by the GitHub Actions workflow and see if you get different results.
On IAM & Admin > Service Accounts > github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com I see:
principalSet://iam.googleapis.com/projects/
To answer your other question I am creating a completely new function which I cleverly called 'unexisting-function' :).
This is perhaps something I should take to the google team and open a ticket in the github action's repo. I. was just very sure that I was doing something wrong because I didn't see anyone else with this problem. What do you think?
Thanks again for your time Leandro!
Awesome guide, thanks so much! Loads more detail than Google give. Been trying to get this working for hours with Cloud Run, but can't get it to work...
Hi @LewisLebentz, check out this article on how to Deploy Docker images on Google Cloud Run using GitHub Actions and Workload Identity Authentication.
This is perhaps something I should take to the google team and open a ticket in the github action's repo. I. was just very sure that I was doing something wrong because I didn't see anyone else with this problem. What do you think?
Hi @JSenart, sorry I couldn't help more, as I can't reproduce the issue you are having :/ I believe it's a great idea trying to reach out to the dev team on google-github-actions/deploy-cloud-functions. Keep us posted if you find the solution! Good luck!
@JSenart did you find a solution to your problem. I'm experiencing the same issue.
@JSenart did you find a solution to your problem. I'm experiencing the same issue.
@ianyoung i did not. I simply used a different auth method (credentials in GitHub secrets) and it worked fine
@JSenart It's down to the --attribute-mapping
when creating the provider. Details here.
Deploying Google Cloud Functions using GitHub Actions and Workload Identity authentication
In this article, we will cover how to create a Workload Identity that works with GitHub Actions while deploying a simple Google Cloud Functions
https://blog.leandrotoledo.org/deploying-google-cloud-functions-using-github-actions-and-workload-identity-authentication/