Closed
Labels: bug (Something isn't working)
Description
TL;DR
I am getting this error, and I am unable to find out what the problem is:
google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for github-actions-service-account@PROJECT.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
I checked https://github.com/google-github-actions/auth/blob/main/docs/TROUBLESHOOTING.md
Point 5 is different for me, and it doesn't seem to be working like the example there? The provider needs to exist in the URL.
I was following a tutorial and saved my CLI commands. Here they are:
# Service accounts
gcloud iam service-accounts create github-actions-service-account \
  --description="A service account for use in a GitHub Actions workflow" \
  --display-name="GitHub Actions service account."
gcloud artifacts repositories add-iam-policy-binding docker \
  --location=europe-west3 \
  --role=roles/artifactregistry.createOnPushWriter \
  --member=serviceAccount:github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com
gcloud artifacts repositories add-iam-policy-binding helm-charts \
  --location=europe-west3 \
  --role=roles/artifactregistry.createOnPushWriter \
  --member=serviceAccount:github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com
# grant on
# follow this URL as well https://cloud.google.com/docs/authentication/use-service-account-impersonation#enable-apis
# workload ?
gcloud iam workload-identity-pools create "my-app-dev-pool" \
  --project=PROJECT_ID \
  --location=global \
  --display-name="Identity pool for my test app"
gcloud iam workload-identity-pools providers create-oidc "github-actions-provider" \
  --location="global" \
  --workload-identity-pool="my-app-dev-pool" \
  --display-name="Provider for GitHub Actions" \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
  --attribute-condition="my rule"
The --attribute-condition seems to be working, because if I change it to make it wrong, an error is shown saying this fails.
Here is my identity federation from the UI.
Here are my service account permissions.
Expected behavior
Not to fail.
Observed behavior
No response
Action YAML
name: Push to Artifact Registry
on:
  push:
    tags:
      - 'v*.*.*'
env:
  IMAGE_NAME: 'whatever'
  PROJECT_ID: 'PROJECT'
  AR_REPO_LOCATION: 'europe-west3'
  AR_URL: 'europe-west3-docker.pkg.dev/PROJECT/whatever'
  SERVICE_ACCOUNT: 'github-actions-service-account@PROJECT.iam.gserviceaccount.com'
  WORKLOAD_IDENTITY_PROVIDER: 'projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider'
jobs:
  push_to_ar:
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v2'
        with:
          token_format: 'access_token'
          project_id: ${{ env.PROJECT_ID }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
      - name: Docker Auth
        id: docker-auth
        uses: 'docker/login-action@v1'
        with:
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'
          registry: '${{ env.AR_REPO_LOCATION }}-docker.pkg.dev'
      - name: Build and Push Container
        # RELEASE_VERSION was written to $GITHUB_ENV in "Set env", so it is read from the env context.
        run: |-
          echo $RELEASE_VERSION
          docker build -t "${{ env.AR_URL }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}" ./
          docker push "${{ env.AR_URL }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}"
Log output
##[debug]Evaluating condition for step: 'Google Auth'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Google Auth
##[debug]Register post job cleanup for action: google-github-actions/auth@v2
##[debug]Loading inputs
##[debug]Evaluating: env.PROJECT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'PROJECT_ID'
##[debug]=> 'PROJECT_ID'
##[debug]Result: 'PROJECT_ID'
##[debug]Evaluating: env.SERVICE_ACCOUNT
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'SERVICE_ACCOUNT'
##[debug]=> 'github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com'
##[debug]Result: 'github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com'
##[debug]Evaluating: env.WORKLOAD_IDENTITY_PROVIDER
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'WORKLOAD_IDENTITY_PROVIDER'
##[debug]=> 'projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider'
##[debug]Result: 'projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider'
##[debug]Loading env
Run google-github-actions/auth@v2
##[debug]Using workload identity provider "projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider"
##[debug]ID token url is https://pipelinesghubeus8.actions.githubusercontent.com/XzsLlYVG2gNQT1R8bIDCzr7g9PPPPrurgkyanRYtURWvpujcRJ/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/6793247b-1a5c-4e25-bcf1-965143d0a525/jobs/dfea778b-37b1-5c13-8237-4657ab9f5727/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F123456%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fmy-app-dev-pool%2Fproviders%2Fgithub-actions-provider
::add-mask::***
##[debug]WorkloadIdentityFederationClient: Computed audience, //iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider
##[debug]Creating credentials file
##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Enabling service account impersonation via https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com:generateAccessToken
##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Creating credentials, {
##[debug] "outputPath": "/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json"
##[debug]}
Created credentials file at "/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json"
##[debug]WorkloadIdentityFederationClient.getToken: Built request, {
##[debug] "method": "POST",
##[debug] "path": "https://sts.googleapis.com/v1/token",
##[debug] "headers": {},
##[debug] "body": {
##[debug] "audience": "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider",
##[debug] "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
##[debug] "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
##[debug] "scope": "https://www.googleapis.com/auth/cloud-platform",
##[debug] "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
##[debug] "subjectToken": "***"
##[debug] }
##[debug]}
##[debug]Successfully generated auth token
::add-mask::***
##[debug]Creating access token
##[debug]Using normal access token flow
##[debug]IAMCredentialsClient.generateAccessToken: Built request, {
##[debug] "method": "POST",
##[debug] "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com:generateAccessToken",
##[debug] "headers": {
##[debug] "Authorization": "***"
##[debug] },
##[debug] "body": {
##[debug] "scope": [
##[debug] "https://www.googleapis.com/auth/cloud-platform"
##[debug] ],
##[debug] "lifetime": "3600s"
##[debug] }
##[debug]}
Error: google-github-actions/auth failed with: failed to generate Google Cloud OAuth 2.0 Access Token for github-actions-service-account@PROJECT_ID.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
##[debug]Node Action run completed with exit code 1
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json'
##[debug]CLOUDSDK_CORE_PROJECT='PROJECT_ID'
##[debug]CLOUDSDK_PROJECT='PROJECT_ID'
##[debug]GCLOUD_PROJECT='PROJECT_ID'
##[debug]GCP_PROJECT='PROJECT_ID'
##[debug]GOOGLE_CLOUD_PROJECT='PROJECT_ID'
##[debug]Set output credentials_file_path = /home/runner/work/oauth/oauth/gha-creds-2913ee2125e73f70.json
##[debug]Set output project_id = PROJECT_ID
##[debug]Set output auth_token = ***
##[debug]Finishing: Google Auth
Additional information
No response
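The 403 in the log is raised by the second step of the flow: the STS exchange succeeds ("Successfully generated auth token"), then `generateAccessToken` on the service account is refused, which means no principal from the workload identity pool holds a role containing `iam.serviceAccounts.getAccessToken` (normally `roles/iam.workloadIdentityUser`) on the service account itself, and none of the `gcloud` commands in the issue add that binding. This added Python example (not part of the issue or of the auth action) checks a service account policy exported with `gcloud iam service-accounts get-iam-policy SA --format=json` for such a grant. The two policies and the `OWNER/REPO` principalSet member are constructed; the provider name is the one from the workflow.

```python
import json
import re

# Provider resource name as used in the workflow's WORKLOAD_IDENTITY_PROVIDER.
PROVIDER = "projects/123456/locations/global/workloadIdentityPools/my-app-dev-pool/providers/github-actions-provider"

# Predefined roles whose permissions include iam.serviceAccounts.getAccessToken.
IMPERSONATION_ROLES = {"roles/iam.workloadIdentityUser", "roles/iam.serviceAccountTokenCreator"}

# Constructed policies in the shape `gcloud iam service-accounts get-iam-policy SA --format=json`
# prints; members are made up. The first mirrors the setup in the issue (no grant to the pool).
POLICY_MISSING_GRANT = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]}]})
POLICY_WITH_GRANT = json.dumps({"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [
        "principalSet://iam.googleapis.com/projects/123456/locations/global/"
        "workloadIdentityPools/my-app-dev-pool/attribute.repository/OWNER/REPO"]}]})


def pool_from_provider(provider: str) -> str:
    """The impersonation grant names the pool, i.e. the provider name without '/providers/...'."""
    m = re.fullmatch(r"(projects/[^/]+/locations/[^/]+/workloadIdentityPools/[^/]+)/providers/[^/]+",
                     provider)
    if not m:
        raise ValueError(f"not a workload identity provider resource name: {provider}")
    return m.group(1)


def wif_impersonators(policy_json: str, provider: str) -> list:
    """Pool principals (principal:// or principalSet://) holding an impersonation role on the SA."""
    pool = pool_from_provider(provider)
    prefixes = (f"principal://iam.googleapis.com/{pool}/",
                f"principalSet://iam.googleapis.com/{pool}/")
    found = []
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") in IMPERSONATION_ROLES:
            found += [m for m in binding.get("members", []) if m.startswith(prefixes)]
    return found


def diagnose(policy_json: str, provider: str) -> str:
    """One-line verdict: 'ok: <members>' or 'missing: ...' explaining the 403 from the issue."""
    members = wif_impersonators(policy_json, provider)
    if members:
        return "ok: " + ", ".join(members)
    return ("missing: no principal from %s holds %s on this service account, so "
            "generateAccessToken returns 403 iam.serviceAccounts.getAccessToken"
            % (pool_from_provider(provider), " or ".join(sorted(IMPERSONATION_ROLES))))


if __name__ == "__main__":
    for label, policy in (("as in the issue", POLICY_MISSING_GRANT), ("with grant", POLICY_WITH_GRANT)):
        print(f"{label}: {diagnose(policy, PROVIDER)}")
```

Run it against a real export by replacing the constructed policy string with the file contents; a `missing:` verdict for the pool named in the workflow is the condition that produces the log above.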