leandrotoledo / blog


https://blog.leandrotoledo.org/deploying-google-cloud-functions-using-github-actions-and-workload-identity-authentication/ #3

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

Deploying Google Cloud Functions using GitHub Actions and Workload Identity authentication

In this article, we will cover how to create a Workload Identity that works with GitHub Actions while deploying a simple Google Cloud Functions

https://blog.leandrotoledo.org/deploying-google-cloud-functions-using-github-actions-and-workload-identity-authentication/

moonston commented 2 years ago

Hello, very good job :+1: Is it possible to deploy 2nd gen?

JSenart commented 2 years ago

Hey Leandro! Great read, super easy to follow, thanks! I do have a problem though that maybe you've encountered as well. All steps run without problems up until the deployment. There, I get an error

```
Extracted project ID 'ordinal-chess-357711' from $GCLOUD_PROJECT
Created zip file from './' at '/tmp/cfsrc-052811ef323d6add3eb70d33.zip'
Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
```

I followed all the steps where permissions are granted to the service account but still this. Have you perhaps encountered this before?

Thanks again for the great guide!

leandrotoledo commented 2 years ago

> Hello, very good job :+1: Is it possible to deploy 2nd gen?

@moonston Not with this setup at the moment, but it's being tracked here for future implementation.

leandrotoledo commented 2 years ago

> Hey Leandro! Great read, super easy to follow, thanks! I do have a problem though that maybe you've encountered as well. All steps run without problems up until the deployment. There, I get an error
>
> Extracted project ID 'ordinal-chess-357711' from $GCLOUD_PROJECT Created zip file from './' at '/tmp/cfsrc-052811ef323d6add3eb70d33.zip' Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
>
> I followed all the steps where permissions are granted to the service account but still this. Have you perhaps encountered this before?
>
> Thanks again for the great guide!

Hi @JSenart, thanks for the feedback! Make sure you run both commands on Step 5 so it binds the necessary roles to your ServiceAccountUser. If you did that and it still doesn't work, please let me know!

LewisLebentz commented 2 years ago

Awesome guide, thanks so much! Loads more detail than Google give. Been trying to get this working for hours with Cloud Run, but can't get it to work...

Obviously made a few modifications to the steps, will have another go tomorrow but would be awesome if you made a guide for that too.

Just get this error, no matter how many perms I add:

```
google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command gcloud beta run deploy *** --quiet --platform managed --region *** --source ./ --project *** --format json: ERROR: (gcloud.beta.run.deploy) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n') Please run:

$ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

$ gcloud config set account ACCOUNT

to select an already authenticated account to use.
```

JSenart commented 2 years ago

> Hey Leandro! Great read, super easy to follow, thanks! I do have a problem though that maybe you've encountered as well. All steps run without problems up until the deployment. There, I get an error
>
> Extracted project ID 'ordinal-chess-357711' from $GCLOUD_PROJECT Created zip file from './' at '/tmp/cfsrc-052811ef323d6add3eb70d33.zip' Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: The caller does not have permission
>
> I followed all the steps where permissions are granted to the service account but still this. Have you perhaps encountered this before? Thanks again for the great guide!

> Hi @JSenart, thanks for the feedback! Make sure you run both commands on Step 5 so it binds the necessary roles to your ServiceAccountUser. If you did that and it still doesn't work, please let me know!

Hi again @leandrotoledo, thanks for your prompt response and sorry for the late reply :). I did complete step 5. Going to the IAM in my project I can see that the github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com service account has the roles:

  • Cloud Functions Developer
  • Service Account User

Thanks again for the attention to this!

gregorvand commented 2 years ago

excellent run down, thanks! - all worked perfectly

For those needing to deploy via a trigger (and change the region), the following should be swapped out in the .yaml file (YAML comments use `#`, not `//`):

```yaml
      - id: "deploy"
        uses: "google-github-actions/deploy-cloud-functions@v0"
        with:
          # Name of the Cloud Function, same as the entry point name
          name: "${FUNCTION_NAME}"
          # Runtime to use for the function
          runtime: "nodejs16"
          # Optional: change of region
          region: "asia-southeast1"
          event_trigger_type: "google.pubsub.topic.publish"
          # The string identifying the topic, not anything else
          event_trigger_resource: "projects/${PROJECT_VALUE}/topics/${TOPIC_ID}"
          event_trigger_service: "pubsub.googleapis.com"
```

And if you have already deployed an HTTP version, delete that first, or the trigger version will not deploy if using the same function name.

leandrotoledo commented 2 years ago

> Awesome guide, thanks so much! Loads more detail than Google give. Been trying to get this working for hours with Cloud Run, but can't get it to work...
>
> Obviously made a few modifications to the steps, will have another go tomorrow but would be awesome if you made a guide for that too.
>
> Just get this error, no matter how many perms I add:
>
> google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command gcloud beta run deploy *** --quiet --platform managed --region *** --source ./ --project *** --format json: ERROR: (gcloud.beta.run.deploy) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials: No access token or invalid expiration in response.', '{\n "error": {\n "code": 403,\n "message": "The caller does not have permission",\n "status": "PERMISSION_DENIED"\n }\n}\n') Please run:
>
> $ gcloud auth login
>
> to obtain new credentials.
>
> If you have already logged in with a different account:
>
> $ gcloud config set account ACCOUNT
>
> to select an already authenticated account to use.

Hi @LewisLebentz, I'm writing an article about doing the same on Cloud Run, stay tuned!

leandrotoledo commented 2 years ago

> Hi again @leandrotoledo, thanks for your prompt response and sorry for the late reply :). I did complete step 5. Going to the IAM in my project I can see that the github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com service account has the roles:
>
>   • Cloud Functions Developer
>   • Service Account User
>
> Thanks again for the attention to this!

Hi @JSenart, do you see a Workload Identity User on IAM & Admin > Service Accounts > github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com > Permissions?

Also, did you create this function outside the GitHub Action workflow? The 2nd gen is not yet supported by it. Try to delete the function on the Console and let it be created by the GitHub Actions workflow and see if you get different results.

leandrotoledo commented 2 years ago

> excellent run down, thanks! - all worked perfectly

Thank you @gregorvand for the feedback and the additional information on trigger based functions!

JSenart commented 2 years ago

> Hi again @leandrotoledo, thanks for your prompt response and sorry for the late reply :). I did complete step 5. Going to the IAM in my project I can see that the github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com service account has the roles:
>
>   • Cloud Functions Developer
>   • Service Account User
>
> Thanks again for the attention to this!

> Hi @JSenart, do you see a Workload Identity User on IAM & Admin > Service Accounts > github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com > Permissions?
>
> Also, did you create this function outside the GitHub Action workflow? The 2nd gen is not yet supported by it. Try to delete the function on the Console and let it be created by the GitHub Actions workflow and see if you get different results.

On IAM & Admin > Service Accounts > github-actions-service-account@autobnb-cloud.iam.gserviceaccount.com I see: principalSet://iam.googleapis.com/projects//locations/global/workloadIdentityPools/gh-pool/attribute.repository/ with role Workload Identity User.

To answer your other question I am creating a completely new function which I cleverly called 'unexisting-function' :).

This is perhaps something I should take to the Google team and open a ticket in the GitHub Action's repo. I was just very sure that I was doing something wrong because I didn't see anyone else with this problem. What do you think?

Thanks again for your time Leandro!

leandrotoledo commented 2 years ago

> Awesome guide, thanks so much! Loads more detail than Google give. Been trying to get this working for hours with Cloud Run, but can't get it to work...

Hi @LewisLebentz, check out this article on how to Deploy Docker images on Google Cloud Run using GitHub Actions and Workload Identity Authentication.

leandrotoledo commented 2 years ago

> This is perhaps something I should take to the Google team and open a ticket in the GitHub Action's repo. I was just very sure that I was doing something wrong because I didn't see anyone else with this problem. What do you think?

Hi @JSenart, sorry I couldn't help more, as I can't reproduce the issue you are having :/ I believe it's a great idea trying to reach out to the dev team on google-github-actions/deploy-cloud-functions. Keep us posted if you find the solution! Good luck!

ianyoung commented 1 year ago

@JSenart did you find a solution to your problem. I'm experiencing the same issue.

JSenart commented 1 year ago

> @JSenart did you find a solution to your problem. I'm experiencing the same issue.

@ianyoung i did not. I simply used a different auth method (credentials in GitHub secrets) and it worked fine

ianyoung commented 1 year ago

@JSenart It's down to the --attribute-mapping when creating the provider. Details here.
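The failure JSenart and ianyoung hit ("The caller does not have permission" while uploading or impersonating) is what you get when the provider's `--attribute-mapping` and the `principalSet://...` IAM binding disagree: the binding in this thread ends in `/attribute.repository/OWNER/REPO`, so the provider must map `attribute.repository=assertion.repository`, or no GitHub token ever matches the member and the impersonation is denied. The script below is an added example, not code from the blog post or from anyone in this thread. It reuses the pool name `gh-pool` and the service account name from the thread; the provider name `gh-provider`, the project ID, the project number and `OWNER/REPO` are assumptions. The pure functions build the strings that must agree; `apply` runs the real gcloud commands, including an attribute condition so tokens from other GitHub owners are rejected before they reach IAM, and the Step 5 role bindings the post relies on.

```shell
#!/bin/sh
# Added example: GitHub Workload Identity Federation setup whose provider
# attribute mapping matches the principalSet binding. Not from the blog post.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"          # assumed project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}" # assumed; see `gcloud projects describe`
POOL="gh-pool"                                   # pool name used in the thread
PROVIDER="gh-provider"                           # assumed provider name
SA="github-actions-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
REPO="${REPO:-OWNER/REPO}"                       # assumed GitHub owner/repo

# Claims from the GitHub OIDC token that become attributes on the federated
# identity. Without attribute.repository here, a binding that ends in
# /attribute.repository/OWNER/REPO can never match.
attribute_mapping() {
  printf '%s' 'google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner'
}

# Reject tokens from any other GitHub owner at the provider, before IAM.
# $1 = OWNER/REPO
attribute_condition() {
  printf "assertion.repository_owner == '%s'" "${1%%/*}"
}

# principalSet member covering every workflow run of one repository.
# $1 = project number, $2 = pool, $3 = OWNER/REPO
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s' "$1" "$2" "$3"
}

# Full provider resource name for the workflow's auth step.
# $1 = project number, $2 = pool, $3 = provider
provider_resource_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' "$1" "$2" "$3"
}

create_pool_and_provider() {
  gcloud iam workload-identity-pools create "$POOL" \
    --project="$PROJECT_ID" --location=global \
    --display-name="GitHub Actions pool"

  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="$(attribute_mapping)" \
    --attribute-condition="$(attribute_condition "$REPO")"
}

grant_roles() {
  # Let federated identities from this repository impersonate the deploy SA.
  gcloud iam service-accounts add-iam-policy-binding "$SA" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(wif_member "$PROJECT_NUMBER" "$POOL" "$REPO")"

  # Step 5 of the post: the roles the SA itself needs to deploy the function.
  for role in roles/cloudfunctions.developer roles/iam.serviceAccountUser; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA}" --role="$role"
  done
}

if [ "${1:-}" = "apply" ]; then
  create_pool_and_provider
  grant_roles
  # Value for workload_identity_provider in google-github-actions/auth.
  provider_resource_name "$PROJECT_NUMBER" "$POOL" "$PROVIDER"
fi
```

Run with `PROJECT_ID=... PROJECT_NUMBER=... REPO=owner/repo sh setup-wif.sh apply`. Note that the member string uses the project number while the gcloud commands take the project ID; mixing them up is another way to end up with a binding that silently never matches.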