getAccessToken denied issue #455

Closed
Izopi4a opened this issue Dec 1, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@Izopi4a

Izopi4a commented Dec 1, 2024

TL;DR

I am getting this error, and I am unable to find out what the problem is:

google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

I checked https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md
Point 5 is different for me, and it doesn't seem to be working like the example there? The provider needs to exist in the URL.

I was following a tutorial and saved my CLI commands. Here they are:

# Service accounts

gcloud iam service-accounts create github-actions-service-account \
--description="A service account for use in a GitHub Actions workflow" \
--display-name="GitHub Actions service account."


gcloud artifacts repositories add-iam-policy-binding docker \
--location=europe-west3 \
--role=roles/artifactregistry.createOnPushWriter \
--member=serviceAccount:github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com

gcloud artifacts repositories add-iam-policy-binding helm-charts \
--location=europe-west3 \
--role=roles/artifactregistry.createOnPushWriter \
--member=serviceAccount:github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com

# grant on 

# follow this URL as well https://cloud.google.com/docs/authentication/use-service-account-impersonation#enable-apis

#workload ?

gcloud iam workload-identity-pools create "my-app-dev-pool" \
  --project=PROJECT_ID \
  --location=global \
  --display-name="Identity pool for my test app"

gcloud iam workload-identity-pools providers create-oidc "github-actions-provider" \
--location="global" \
--workload-identity-pool="my-app-dev-pool" \
--display-name="Provider for GitHub Actions" \
--issuer-uri="https://token.actions.githubusercontent.com" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="my rule"
# this seems to be working, because if I change it to make it wrong, an error is shown saying this fails

Here is my identity federation from the UI (screenshot).

Here are my service account permissions (screenshot).

Expected behavior

not to fail

Observed behavior

No response

Action YAML

name: Push to Artifact Registry

on:
  push:
    tags:
      - 'v*.*.*'

env:
  IMAGE_NAME: 'whatever'
  PROJECT_ID: 'PROJECT'
  AR_REPO_LOCATION: 'europe-west3'
  AR_URL: 'europe-west3-docker.pkg.dev/PROJECT/whatever'
  SERVICE_ACCOUNT: 'github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com'
  WORKLOAD_IDENTITY_PROVIDER: 'projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider'

jobs:
  push_to_ar:
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v2'
        with:
          token_format: 'access_token'
          project_id: ${{ env.PROJECT_ID }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}

      - name: Docker Auth
        id: docker-auth
        uses: 'docker/login-action@v1'
        with:
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'
          registry: '${{ env.AR_REPO_LOCATION }}-docker.pkg.dev'

      - name: Build and Push Container
        run: |-
          echo $RELEASE_VERSION
          # RELEASE_VERSION was written to $GITHUB_ENV above, so it lives in the env context, not github
          docker build -t "${{ env.AR_URL }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}" ./
          docker push "${{ env.AR_URL }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}"

Log output

##[debug]Evaluating condition for step: 'Google Auth'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Google Auth
##[debug]Register post job cleanup for action: google-github-actions/auth@v2
##[debug]Loading inputs
##[debug]Evaluating: env.PROJECT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'PROJECT_ID'
##[debug]=> 'PROJECT_ID'
##[debug]Result: 'PROJECT_ID'
##[debug]Evaluating: env.SERVICE_ACCOUNT
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'SERVICE_ACCOUNT'
##[debug]=> 'github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com'
##[debug]Result: 'github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com'
##[debug]Evaluating: env.WORKLOAD_IDENTITY_PROVIDER
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'WORKLOAD_IDENTITY_PROVIDER'
##[debug]=> 'projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider'
##[debug]Result: 'projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider'
##[debug]Loading env
Run google-github-actions/auth@v2
##[debug]Using workload identity provider "projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider"
##[debug]ID token url is https://pipelinesghubeus8.actions.githubusercontent.com/XzsLlYVG2gNQT1R8bIDCzr7g9PPPPrurgkyanRYtURWvpujcRJ/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/6793247b-1a5c-4e25-bcf1-965143d0a525/jobs/dfea778b-37b1-5c13-8237-4657ab9f5727/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F123456%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fmy-app-dev-pool%2Fproviders%2Fgithub-actions-provider
::add-mask::***
##[debug]WorkloadIdentityFederationClient: Computed audience, //iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider
##[debug]Creating credentials file
##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Enabling service account impersonation via https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com:generateAccessToken
##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Creating credentials, {
##[debug]  "outputPath": "/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json"
##[debug]}
Created credentials file at "/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json"
##[debug]WorkloadIdentityFederationClient.getToken: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://sts.googleapis.com/v1/token",
##[debug]  "headers": {},
##[debug]  "body": {
##[debug]    "audience": "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider",
##[debug]    "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
##[debug]    "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
##[debug]    "scope": "https://www.googleapis.com/auth/cloud-platform",
##[debug]    "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
##[debug]    "subjectToken": "***"
##[debug]  }
##[debug]}
##[debug]Successfully generated auth token
::add-mask::***
##[debug]Creating access token
##[debug]Using normal access token flow
##[debug]IAMCredentialsClient.generateAccessToken: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com:generateAccessToken",
##[debug]  "headers": {
##[debug]    "Authorization": "***"
##[debug]  },
##[debug]  "body": {
##[debug]    "scope": [
##[debug]      "https://www.googleapis.com/auth/cloud-platform"
##[debug]    ],
##[debug]    "lifetime": "3600s"
##[debug]  }
##[debug]}
Error: google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
##[debug]Node Action run completed with exit code 1
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json'
##[debug]CLOUDSDK_CORE_PROJECT='PROJECT_ID'
##[debug]CLOUDSDK_PROJECT='PROJECT_ID'
##[debug]GCLOUD_PROJECT='PROJECT_ID'
##[debug]GCP_PROJECT='PROJECT_ID'
##[debug]GOOGLE_CLOUD_PROJECT='PROJECT_ID'
##[debug]Set output credentials_file_path = /home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json
##[debug]Set output project_id = PROJECT_ID
##[debug]Set output auth_token = ***
##[debug]Finishing: Google Auth

Additional information

No response

@Izopi4a Izopi4a added the bug Something isn't working label Dec 1, 2024

github-actions bot commented Dec 1, 2024

Hi there @Izopi4a 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

This was referenced Dec 2, 2024
@sethvargo (Member) commented

Did you grant the WIF identity (principalSet://...) permissions to impersonate your service account? This is step 5 in the guide in the readme: https://github.com/google-github-actions/auth?tab=readme-ov-file#indirect-wif

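The missing step the maintainer points at, and the piece absent from the CLI commands posted above, is the IAM binding that lets the federated GitHub identity impersonate the service account. The following is an added example, not the maintainer's reply or the README's own text: it derives the `principalSet://` member from the provider resource name used in the issue and binds `roles/iam.workloadIdentityUser` on the service account itself, scoped to one repository. `OWNER/REPO` is a placeholder for the GitHub repository running the workflow; everything else comes from the issue.

```shell
#!/bin/sh
# Added example (not from the auth README or the maintainer's comment).
# Build the principalSet:// member for one GitHub repository and grant it
# permission to impersonate the service account. OWNER/REPO is a placeholder.

# Turn a provider resource name into the pool-level principalSet for one repo.
# The member names the *pool* (no /providers/... suffix) and the attribute
# 'attribute.repository', which must be present in the provider's attribute
# mapping (the issue's mapping has attribute.repository=assertion.repository).
wif_repo_member() {
  provider="$1"   # projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
  repo="$2"       # OWNER/REPO
  case "$provider" in
    projects/*/locations/global/workloadIdentityPools/*/providers/*) ;;
    *) echo "not a workload identity provider resource name: $provider" >&2; return 1 ;;
  esac
  case "$repo" in
    */*) ;;
    *) echo "repository must be OWNER/REPO: $repo" >&2; return 1 ;;
  esac
  pool="${provider%%/providers/*}"
  printf 'principalSet://iam.googleapis.com/%s/attribute.repository/%s\n' "$pool" "$repo"
}

# Bind roles/iam.workloadIdentityUser on the service account (not the project),
# so only OIDC tokens from this repository can mint its access tokens. The
# command is printed for review by default; set DRY_RUN=0 to execute it.
grant_impersonation() {
  sa="$1"; provider="$2"; repo="$3"
  member="$(wif_repo_member "$provider" "$repo")" || return 1
  set -- gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$member"
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

grant_impersonation \
  "github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com" \
  "projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider" \
  "OWNER/REPO"
```

After running it for real, `gcloud iam service-accounts get-iam-policy <SA>` should list the `principalSet://...` member under `roles/iam.workloadIdentityUser`; the 403 on `iam.serviceAccounts.getAccessToken` in the log above is exactly what the `iamcredentials` `generateAccessToken` call returns while that binding is missing.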

@Izopi4a
Author

Izopi4a commented Dec 2, 2024

Hi, thanks for the help. Seems to me you are right. Your example is much clearer than Google's.

I am not sure what "my-secret" is? Do you think you could help me figure it out? I assume I need to create a secret here https://console.cloud.google.com/security/secret-manager/create?project=project, but I am not sure what I need to store.

Edit: never mind, I somehow got lost on the scroll. I added the command and it seems to be fine. Thanks a lot!

sethvargo added a commit that referenced this issue Dec 2, 2024
Fix a bunch of issues since GitHub apparently dropped support for
special callouts.

Refs #455

Signed-off-by: Seth Vargo <[email protected]>
@sethvargo (Member) commented

"my-secret" is just an example that shows how to grant IAM permissions.
