serverless / serverless-google-cloudfunctions

Serverless Google Cloud Functions Plugin – Adds Google Cloud Functions support to the Serverless Framework
https://www.serverless.com
MIT License
272 stars 127 forks

The incoming JSON object does not contain a client_email field - github actions - google #290

Open domanskijan opened 2 years ago

domanskijan commented 2 years ago

Are you certain it's a bug?

Is the issue caused by a plugin?

Are you using the latest version?

Is there an existing issue for this?

Issue description

Hi,

I'm trying to set up an integration with GitHub Actions (using identity federation) to deploy a cloud function to GCP, but I have no idea why I'm getting this error: The incoming JSON object does not contain a client_email field

I've set up roles for the service account:

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudfunctions.developer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"

My GitHub Actions pipeline:

name: Build and Deploy fun
on:
  push:
    branches: 
    - master
    paths:
    - 'fun/**'

jobs:
    build-deploy:
      name: Build and Deploy to GCP
      runs-on: ubuntu-latest
      permissions:
        contents: "read"
        id-token: "write"
      strategy:
        matrix:
          node-version: [14.x]   
      steps:
      - name: Checkout
        uses: actions/checkout@v2

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/XYZ/locations/global/workloadIdentityPools/github-actions/providers/github'
          service_account: 'github-actions@XYZiam.gserviceaccount.com'

      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}

      - name: serverless install plugins
        uses: serverless/github-action@v3
        with:
          args: plugin install -n serverless-google-cloudfunctions

      - name: serverless deploy
        uses: serverless/github-action@v3
        with:
          args: -c "cd ./fun && serverless deploy"
          entrypoint: /bin/sh

Service configuration (serverless.yml) content

service: cloud-functions

provider:
  name: google
  runtime: nodejs14
  region: us-central1
  project: XYZ

plugins:
  - serverless-google-cloudfunctions
package:
  exclude:
    - node_modules/**
    - .gitignore
    - .git/**

functions:
  test:
    handler: http
    events:
      - http: path

Command name and used flags

serverless deploy

Command output

Error:
Error: The incoming JSON object does not contain a client_email field
    at JWT.fromJSON (/github/workspace/node_modules/google-auth-library/build/src/auth/jwtclient.js:195:19)
    at GoogleAuth._cacheClientFromJSON (/github/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:301:16)
    at ReadStream.<anonymous> (/github/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:336:40)
    at ReadStream.emit (events.js:412:35)
    at ReadStream.emit (domain.js:475:12)
    at endReadableNT (internal/streams/readable.js:1334:12)
    at processTicksAndRejections (internal/process/task_queues.js:82:21)

1 deprecation found: run 'serverless doctor' for more details

Environment information

serverless/github-action@v3
Environment: linux, node 14.19.1, framework 3.14.0, plugin 6.2.2, SDK 4.3.2

jagarcia29 commented 2 years ago

I'm also having the same issue. Any updates or suggestions?

jcelmeta14 commented 3 months ago

If this is happening to you, it could be due to the fact that you might be using a method for authenticating that might not be supported by the Google auth library that this plugin is using. In our case we were also using keyless authentication with GitHub Actions (with identity federation). Here's the workaround:

Resolve the version of the nested google-auth-library to at least version 7.0 (we went up to the latest version available to date, 9.6.3, because the breaking changes seemed inconsequential to us). We are using yarn, so you can do this using package.json resolutions. The GitHub Action from Google automatically sets environment variables, and the plugin correctly picks them up.

PS: This is unrelated, but might be helpful to somebody. We also had some troubles with the mappings of the attributes. Make sure you have the correct mappings :)