Closed asraa closed 2 years ago
Description
The sync job (https://github.com/sigstore/root-signing/blob/main/.github/workflows/sync.yml) uses google-auth action to authenticate to GCP. However, the job's been failing, requiring manual updates to the GCS bucket (https://github.com/sigstore/root-signing/actions/runs/1642206727), due to
"ServiceException: 401 Anonymous caller does not have storage.objects.create access to the Google Cloud Storage object."
despite being given GCS bucket ownership.
This is currently due to https://github.com/google-github-actions/setup-gcloud#workload-identity-federation-preferred
Warning: The bq and gsutil tools do not currently support Workload Identity Federation! You will need to use traditional service account key authentication for now.
Might be able to work around this with gcloud storage
https://cloud.google.com/sdk/gcloud/reference/alpha/storage