
Cannot configure the github-oidc workload identity federation #425

Closed
wassp-ds opened this issue Jul 10, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@wassp-ds

TL;DR

Not sure if it's a bug or a question, but I'm getting the wrong output for the IAM principal when configuring the provider for workload identity federation to authenticate.

Expected behavior

Expected output: principalSet://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/NAME_OF_YOUR_POOL/attribute.repository_owner/my-user

Observed behavior

principal://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/github-wif-pool/subject/SUBJECT_ATTRIBUTE_VALUE

Action YAML

```yaml
on:
  pull_request:
    types: ["closed"]
    branches: [dev]
env:
  IMAGE_NAME: {{ env.IMAGE_NAME }}

concurrency:
  group: ci-deploy-dev-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dev-deploy:
    runs-on: ubuntu-latest
    environment: {{ env.ENVIRONMENT }}

    permissions: # Necessary for workload identity provider
      contents: "read"
      id-token: "write"

    if: github.event.pull_request.merged == true
    steps:
      - uses: actions/checkout@v4
      # 1. Sets and prints variables
      - name: Sets variables
        id: variables
        run: |
          # 1. Sets vars
          IMAGE_REGISTRY="{{ env.REGION }}/${{ secrets.PROJECT_ID }}/${{ env.IMAGE_NAME }}"
          IMAGE_TAG="{{ env.ENVIRONMENT }}-${{ github.run_number }}"
          # 2. Set vars as env
          echo "IMAGE_REGISTRY=$IMAGE_REGISTRY" >> $GITHUB_ENV
          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

      - name: Print variables
        run: |
          echo "IMAGE_TAG=$IMAGE_TAG"
          echo "IMAGE_REGISTRY=$IMAGE_REGISTRY"

      # 2. Auth
      - name: Authenticate via Workload Identity Federation
        id: auth
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
```
...REDACTED

Log output

Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.googleapis.com/***: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}

Additional information


@wassp-ds wassp-ds added the bug Something isn't working label Jul 10, 2024

Hi there @wassp-ds 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

@sethvargo
Member

"subject" uniquely identifies a caller, so you use principal://. The other attributes/assertions are a logical grouping, so they use principalSet://: https://cloud.google.com/iam/docs/principal-identifiers

@sethvargo sethvargo closed this as not planned Won't fix, can't repro, duplicate, stale Jul 10, 2024
@wassp-ds
Author

So what am I doing wrong that I am getting the IAM Principal output the way I am? 🙂

@sethvargo
Member

Sorry, I don't understand the question. The error has nothing to do with your IAM Principal - it's saying the aud value is incorrect. What is the audience for your WIF pool?
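The two points raised in this thread, the principal:// versus principalSet:// identifier format and the audience (`aud`) mismatch behind the `invalid_target` error, as an added example that is not part of the issue and is not code from the google-github-actions/auth project. The project number, pool id and provider id are constructed placeholders, and the default audience Google Cloud expects for a provider is assumed to be `https://iam.googleapis.com/` followed by the provider resource name (a custom allowed-audience list on the provider would change that).

```python
"""Added example, not from the issue or the google-github-actions/auth project.

Two offline checks for a Workload Identity Federation setup:
1. build the IAM principal identifier the way Google Cloud expects it, making
   the principal:// vs principalSet:// distinction from the thread explicit;
2. check that a GitHub OIDC token's `aud` claim matches what the provider
   accepts, since `invalid_target` is an audience problem, not a principal one.
"""
import base64
import json
from typing import List, Optional

# Constructed placeholders; real values come from the Google Cloud project.
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-wif-pool"
PROVIDER = f"{POOL}/providers/github-provider"


def iam_principal(pool: str, attribute: str, value: str) -> str:
    """Return the IAM principal identifier for a federated identity.

    `subject` names exactly one caller, so it maps to principal://.
    Any other mapped attribute (repository, repository_owner, ...) names a
    group of callers, so it maps to principalSet:// with an
    attribute.<name>/ path segment.
    """
    base = f"//iam.googleapis.com/{pool}"
    if attribute == "subject":
        return f"principal:{base}/subject/{value}"
    return f"principalSet:{base}/attribute.{attribute}/{value}"


def expected_audience(provider: str) -> str:
    """Default audience a WIF provider expects (assumption: documented default)."""
    return f"https://iam.googleapis.com/{provider}"


def _decode_unverified_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    This is for inspection while debugging only; never base an authorization
    decision on unverified claims.
    """
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def audience_matches(jwt: str, provider: str,
                     allowed: Optional[List[str]] = None) -> bool:
    """True if the token's aud claim is one the provider will accept.

    `allowed` models a custom allowed-audiences list configured on the
    provider; when None, the documented default audience is used.
    """
    aud = _decode_unverified_claims(jwt).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    accepted = set(allowed) if allowed else {expected_audience(provider)}
    return any(a in accepted for a in auds)


def _make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string from claims (constructed test input)."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}."


if __name__ == "__main__":
    sub = "repo:my-user/my-repo:ref:refs/heads/dev"
    print(iam_principal(POOL, "subject", sub))
    print(iam_principal(POOL, "repository_owner", "my-user"))
    good = _make_token({"aud": expected_audience(PROVIDER), "sub": sub})
    bad = _make_token({"aud": "https://github.com/my-user", "sub": sub})
    print("good token audience ok:", audience_matches(good, PROVIDER))
    print("bad token audience ok:", audience_matches(bad, PROVIDER))
```

Running the script prints a principal:// identifier for the subject mapping and a principalSet:// identifier for `repository_owner`, then reports that only the token whose `aud` equals the provider's expected audience would be accepted; a token minted for any other audience reproduces the `invalid_target` condition seen in the log.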

@wassp-ds
Author

@sethvargo I just realised it has nothing to do with the auth tool per se, so not gonna bother further 🙂

@sethvargo sethvargo reopened this Jul 11, 2024