auth: Not Being Able To impersonate for Domain-Wide Delegation.
TL;DR
- Generating OAuth2.0 Access Token for Impersonating Domain-Wide Delegation fails
- Since authenticating Service Account by feeding the `credentials_json` runs successfully, I believe this issue is specific to Domain-Wide Delegation.
- The Service account is granted `roles/iam.serviceAccountTokenCreator` and `roles/iam.workloadIdentityUser`
Expected behavior
GitHub Action is able to retrieve an access token created for Domain-Wide Delegation.
Observed behavior
An access token subject was specified, triggering Domain-Wide Delegation flow. This flow does not support specifying an access token lifetime of greater than 1 hour.
Error: google-github-actions/auth failed with: failed to sign JWT using gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com: { "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }
Action YAML
```yaml
---
name: "[dev] fetch audit logs"
env:
  MIN_LOG_SEVERITY: DEBUG
  TZ: 'Asia/Tokyo'
  ENV: dev
  GITHUB_BRANCH: develop
on:
  # pull_request: # for debug
  workflow_dispatch:
  schedule:
    - cron: '0 10 * * *' # 1 AM JST
permissions:
  id-token: write
  contents: read
jobs:
  fetch-audit-log:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: 'google-workspace'
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: ${{ env.GITHUB_BRANCH }}
      - id: google-auth
        # This one successfully runs
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_TMP }}'
      - id: google-auth-2
        # This one successfully runs
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: 'projects/{{PROJECT_ID}}/locations/global/workloadIdentityPools/${{POOL_NAME}}/providers/${{PROVIDER_NAME}}'
          service_account: 'gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com'
      - id: google-auth-3
        # This one fails
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v0
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/{{PROJECT_ID}}/locations/global/workloadIdentityPools/${{POOL_NAME}}/providers/${{PROVIDER_NAME}}'
          service_account: 'gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com'
          # access_token_scopes: 'https://www.googleapis.com/auth/admin.reports.audit.readonly'
          access_token_subject: 'sa@example.com' # email address in GWS
```
Log output
2022-05-13T12:29:40.1623907Z Requested labels: ubuntu-latest
2022-05-13T12:29:40.1623966Z Job defined at: ${{ORG}}/${{REPO}}/.github/workflows/fetch-audit-log_dev.yml@refs/heads/github-action-google-auth
2022-05-13T12:29:40.1623990Z Waiting for a runner to pick up this job...
2022-05-13T12:29:40.4800233Z Job is waiting for a hosted runner to come online.
2022-05-13T12:29:45.2868962Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2022-05-13T12:29:50.0707577Z Current runner version: '2.291.1'
2022-05-13T12:29:50.0739564Z ##[group]Operating System
2022-05-13T12:29:50.0740593Z Ubuntu
2022-05-13T12:29:50.0740952Z 20.04.4
2022-05-13T12:29:50.0741264Z LTS
2022-05-13T12:29:50.0741638Z ##[endgroup]
2022-05-13T12:29:50.0742052Z ##[group]Virtual Environment
2022-05-13T12:29:50.0742555Z Environment: ubuntu-20.04
2022-05-13T12:29:50.0742991Z Version: 20220508.1
2022-05-13T12:29:50.0743697Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220508.1/images/linux/Ubuntu2004-Readme.md
2022-05-13T12:29:50.0744460Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220508.1
2022-05-13T12:29:50.0745062Z ##[endgroup]
2022-05-13T12:29:50.0745511Z ##[group]Virtual Environment Provisioner
2022-05-13T12:29:50.0745952Z 1.0.0.0-main-20220421-1
2022-05-13T12:29:50.0746330Z ##[endgroup]
2022-05-13T12:29:50.0747074Z ##[group]GITHUB_TOKEN Permissions
2022-05-13T12:29:50.0747728Z Contents: read
2022-05-13T12:29:50.0748302Z Metadata: read
2022-05-13T12:29:50.0748747Z ##[endgroup]
2022-05-13T12:29:50.0753317Z Secret source: Actions
2022-05-13T12:29:50.0753867Z Prepare workflow directory
2022-05-13T12:29:50.1960620Z Prepare all required actions
2022-05-13T12:29:50.2180645Z Getting action download info
2022-05-13T12:29:50.4584091Z Download action repository 'actions/checkout@v2' (SHA:7884fcad6b5d53d10323aee724dc68d8b9096a2e)
2022-05-13T12:29:50.7876931Z Download action repository 'google-github-actions/auth@v0' (SHA:b258a9f230b36c9fa86dfaa43d1906bd76399edb)
2022-05-13T12:29:50.9419977Z Download action repository 'actions/setup-go@v3' (SHA:fcdc43634adb5f7ae75a9d7a9b9361790f7293e2)
2022-05-13T12:29:51.1323807Z Download action repository 'actions/cache@v3.0.1' (SHA:136d96b4aee02b1f0de3ba493b1d47135042d9c0)
2022-05-13T12:29:51.3668058Z Download action repository 'aws-actions/configure-aws-credentials@v1.6.0' (SHA:ea7b857d8a33dc2fb4ef5a724500044281b49a5e)
2022-05-13T12:29:51.8839272Z ##[group]Run actions/checkout@v2
2022-05-13T12:29:51.8839712Z with:
2022-05-13T12:29:51.8839993Z ref: develop
2022-05-13T12:29:51.8840310Z repository: ${{ORG}}/${{REPO}}
2022-05-13T12:29:51.8840946Z token: ***
2022-05-13T12:29:51.8841226Z ssh-strict: true
2022-05-13T12:29:51.8841561Z persist-credentials: true
2022-05-13T12:29:51.8841887Z clean: true
2022-05-13T12:29:51.8842167Z fetch-depth: 1
2022-05-13T12:29:51.8842464Z lfs: false
2022-05-13T12:29:51.8842734Z submodules: false
2022-05-13T12:29:51.8843060Z set-safe-directory: true
2022-05-13T12:29:51.8843368Z env:
2022-05-13T12:29:51.8843655Z MIN_LOG_SEVERITY: DEBUG
2022-05-13T12:29:51.8843958Z TZ: Asia/Tokyo
2022-05-13T12:29:51.8844211Z ENV: dev
2022-05-13T12:29:51.8844495Z GITHUB_BRANCH: develop
2022-05-13T12:29:51.8844815Z AWS_ACCOUNT_ID: xxxxxxx
2022-05-13T12:29:51.8845390Z AWS_ASSUME_ROLE: xxxxxxx
2022-05-13T12:29:51.8845989Z GO_VERSION: 1.17.2
2022-05-13T12:29:51.8846272Z ##[endgroup]
2022-05-13T12:29:52.1749516Z Syncing repository: ${{ORG}}/${{REPO}}
2022-05-13T12:29:52.1752466Z ##[group]Getting Git version info
2022-05-13T12:29:52.1753626Z Working directory is '/home/runner/work/${{REPOP}}/$${{REPO}}'
2022-05-13T12:29:52.1755038Z [command]/usr/bin/git version
2022-05-13T12:29:52.1861256Z git version 2.36.1
2022-05-13T12:29:52.1878853Z ##[endgroup]
2022-05-13T12:29:52.1903146Z Temporarily overriding HOME='/home/runner/work/_temp/e7d67131-5032-4b90-9d43-1be92d0da22f' before making global git config changes
2022-05-13T12:29:52.1904212Z Adding repository directory to the temporary git global config as a safe directory
2022-05-13T12:29:52.1905168Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/clos/clos
2022-05-13T12:29:52.2025214Z Deleting the contents of '/home/runner/work/clos/clos'
2022-05-13T12:29:52.2032389Z ##[group]Initializing the repository
2022-05-13T12:29:52.2034327Z [command]/usr/bin/git init /home/runner/work/clos/clos
2022-05-13T12:29:52.2068945Z hint: Using 'master' as the name for the initial branch. This default branch name
2022-05-13T12:29:52.2069948Z hint: is subject to change. To configure the initial branch name to use in all
2022-05-13T12:29:52.2070858Z hint: of your new repositories, which will suppress this warning, call:
2022-05-13T12:29:52.2071244Z hint:
2022-05-13T12:29:52.2071768Z hint: git config --global init.defaultBranch <name>
2022-05-13T12:29:52.2072139Z hint:
2022-05-13T12:29:52.2072641Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2022-05-13T12:29:52.2073296Z hint: 'development'. The just-created branch can be renamed via this command:
2022-05-13T12:29:52.2073702Z hint:
2022-05-13T12:29:52.2074147Z hint: git branch -m <name>
2022-05-13T12:29:52.2074754Z Initialized empty Git repository in /home/runner/work/${{REPO}}/${{REP{O}}/.git/
2022-05-13T12:29:52.2364383Z [command]/usr/bin/git remote add origin https://github.com/${{ORG}}/${{REPO}}
2022-05-13T12:29:52.2365241Z ##[endgroup]
2022-05-13T12:29:52.2365898Z ##[group]Disabling automatic garbage collection
2022-05-13T12:29:52.2412074Z [command]/usr/bin/git config --local gc.auto 0
2022-05-13T12:29:52.2442378Z ##[endgroup]
2022-05-13T12:29:52.2443072Z ##[group]Setting up auth
2022-05-13T12:29:52.2444634Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-05-13T12:29:52.2497570Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-05-13T12:29:52.3033100Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-05-13T12:29:52.3060596Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-05-13T12:29:52.3349273Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2022-05-13T12:29:52.3412427Z ##[endgroup]
2022-05-13T12:29:52.3413714Z ##[group]Fetching the repository
2022-05-13T12:29:52.3415568Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +refs/heads/develop*:refs/remotes/origin/develop* +refs/tags/develop*:refs/tags/develop*
2022-05-13T12:29:52.7627728Z remote: Enumerating objects: 96, done.
2022-05-13T12:29:52.7694123Z remote: Counting objects: 100% (96/96), done.
2022-05-13T12:29:52.7825380Z remote: Compressing objects: 100% (82/82), done.
2022-05-13T12:29:52.8286228Z remote: Total 96 (delta 18), reused 49 (delta 9), pack-reused 0
2022-05-13T12:29:52.8556918Z From https://github.com/${{ORG}}/${{REPO}}
2022-05-13T12:29:52.8557853Z * [new branch] develop -> origin/develop
2022-05-13T12:29:52.8573620Z ##[endgroup]
2022-05-13T12:29:52.8574239Z ##[group]Determining the checkout info
2022-05-13T12:29:52.8580786Z [command]/usr/bin/git branch --list --remote origin/develop
2022-05-13T12:29:52.8615910Z origin/develop
2022-05-13T12:29:52.8622263Z ##[endgroup]
2022-05-13T12:29:52.8623134Z ##[group]Checking out the ref
2022-05-13T12:29:52.8628643Z [command]/usr/bin/git checkout --progress --force -B develop refs/remotes/origin/develop
2022-05-13T12:29:52.8834051Z Switched to a new branch 'develop'
2022-05-13T12:29:52.8835140Z branch 'develop' set up to track 'origin/develop'.
2022-05-13T12:29:52.8842753Z ##[endgroup]
2022-05-13T12:29:52.8900151Z [command]/usr/bin/git log -1 --format='%H'
2022-05-13T12:29:52.8935983Z '9dbaa62ebc38735bf7a794c606c88fa654edc2de'
2022-05-13T12:29:52.9269889Z ##[group]Run google-github-actions/auth@v0
2022-05-13T12:29:52.9270268Z with:
2022-05-13T12:29:52.9270552Z token_format: access_token
2022-05-13T12:29:52.9271119Z workload_identity_provider: projects/395146694571/locations/global/workloadIdentityPools/${{POOL_ID}}/providers/github-action
2022-05-13T12:29:52.9271843Z service_account: gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com
2022-05-13T12:29:52.9272353Z access_token_subject: sa@example.com
2022-05-13T12:29:52.9272718Z create_credentials_file: true
2022-05-13T12:29:52.9273078Z export_environment_variables: true
2022-05-13T12:29:52.9273432Z cleanup_credentials: true
2022-05-13T12:29:52.9273764Z access_token_lifetime: 3600s
2022-05-13T12:29:52.9274205Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-05-13T12:29:52.9274652Z id_token_include_email: false
2022-05-13T12:29:52.9274939Z env:
2022-05-13T12:29:52.9275205Z MIN_LOG_SEVERITY: DEBUG
2022-05-13T12:29:52.9275531Z TZ: Asia/Tokyo
2022-05-13T12:29:52.9275785Z ENV: dev
2022-05-13T12:29:52.9276061Z GITHUB_BRANCH: develop
2022-05-13T12:29:52.9276366Z AWS_ACCOUNT_ID: xxxxxx
2022-05-13T12:29:52.9276919Z AWS_ASSUME_ROLE: xxxxxx
2022-05-13T12:29:52.9277449Z GO_VERSION: 1.17.2
2022-05-13T12:29:52.9277717Z ##[endgroup]
2022-05-13T12:29:53.2423822Z Created credentials file at "/home/runner/work/clos/clos/gha-creds-029129737f17a4ef.json"
2022-05-13T12:29:53.2427997Z
2022-05-13T12:29:53.2463556Z
2022-05-13T12:29:53.2481857Z An access token subject was specified, triggering Domain-Wide Delegation flow. This flow does not support specifying an access token lifetime of greater than 1 hour.
2022-05-13T12:29:53.3970417Z ##[error]google-github-actions/auth failed with: failed to sign JWT using gws-access@${{PROJECT_ID}}.iam.gserviceaccount.com: {
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
2022-05-13T12:29:53.4096962Z Post job cleanup.
2022-05-13T12:29:53.4859073Z Removed exported credentials at "/home/runner/work/clos/clos/gha-creds-029129737f17a4ef.json".
2022-05-13T12:29:53.4984195Z Post job cleanup.
2022-05-13T12:29:53.6485352Z [command]/usr/bin/git version
2022-05-13T12:29:53.6547661Z git version 2.36.1
2022-05-13T12:29:53.6592145Z Temporarily overriding HOME='/home/runner/work/_temp/5d04b7b9-fb2d-44d3-ac27-e7e565b9c97f' before making global git config changes
2022-05-13T12:29:53.6593221Z Adding repository directory to the temporary git global config as a safe directory
2022-05-13T12:29:53.6598970Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/${{REPO}}/${{REPO}}
2022-05-13T12:29:53.6646503Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2022-05-13T12:29:53.6687097Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :
2022-05-13T12:29:53.7008066Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2022-05-13T12:29:53.7038551Z http.https://github.com/.extraheader
2022-05-13T12:29:53.7050943Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2022-05-13T12:29:53.7092029Z [command]/usr/bin/git submodule foreach --recursive git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :
2022-05-13T12:29:53.7609907Z Cleaning up orphan processes
Additional information
No response
About this issue
- State: closed
- Created 2 years ago
- Comments: 17 (5 by maintainers)
@fujikky fixed in https://github.com/google-github-actions/auth/pull/178 and will be released as 0.7.3. Thanks for catching that, and I’m glad to see this is working for you now.

@ken5scal which client library is that, and which version are you using? In general, you should never need to parse `GOOGLE_APPLICATION_CREDENTIALS`, since all the official Google SDKs automatically look for that environment variable and use it for authentication. `reports.NewService(ctx)` should "just work".

@sethvargo It finally worked! 🎉

First, I found that the `attribute.repository` was missing in the provider’s attributes! I redid the README steps and set the correct attributes. Sorry for my mistake.

Next, I found a bug in the auth action. The code to suppress the warning, fixed 2 days ago, does not seem to pass through the `buildDomainWideDelegationJWT` if the `access_token_lifetime` exceeds 3600 seconds. https://github.com/google-github-actions/auth/blob/714f1fe243ca012171c3f4b3ec7d205bcb3589c9/src/main.ts#L213

It should be fixed like this:

I changed to the previous version `uses: google-github-actions/auth@v0.7.1` in my actions yaml, and the impersonated access token worked successfully.

@ken5scal Thanks for the info! However, adding `access_token_scopes` did not solve the problem.

Here is the YAML of the Actions I tried.

I got the same error message.
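
The first cause reported in the thread, an `attribute.repository` mapping missing from the provider, can be checked offline against exported configuration. The following Python check is an added example, not code from the action or from anyone in the thread; it assumes the provider's `attributeMapping` and the service account's IAM policy are available as JSON-like dicts, and the pool name, repository and token claims below are constructed placeholders.

```python
import re

# The two roles the issue lists as granted for the Domain-Wide Delegation flow.
REQUIRED_ROLES = ("roles/iam.workloadIdentityUser", "roles/iam.serviceAccountTokenCreator")

# Member form meaning "every identity in POOL whose mapped attribute equals VALUE".
MEMBER_RE = re.compile(
    r"^principalSet://iam\.googleapis\.com/(?P<pool>projects/[^/]+/locations/global/"
    r"workloadIdentityPools/[^/]+)/(?P<attr>attribute\.[A-Za-z0-9_]+)/(?P<value>.+)$"
)


def mapped_value(mapping, attr, claims):
    """Resolve attr through the provider mapping; only plain 'assertion.<claim>' is handled."""
    expr = mapping.get(attr)
    if expr is None:
        return None, "not mapped by the provider"
    m = re.fullmatch(r"assertion\.([A-Za-z0-9_]+)", expr.strip())
    if not m:
        return None, f"mapping {expr!r} is not a plain claim reference; evaluate it manually"
    if m.group(1) not in claims:
        return None, f"OIDC token has no {m.group(1)!r} claim"
    return str(claims[m.group(1)]), None


def audit(pool, mapping, policy, claims):
    """Return ({role: [(member, verdict), ...]}, [roles no pool member can satisfy])."""
    report = {role: [] for role in REQUIRED_ROLES}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in report:
            continue
        for member in binding.get("members", []):
            m = MEMBER_RE.match(member)
            if not m or m.group("pool") != pool:
                continue  # users, service accounts and other pools are out of scope here
            value, problem = mapped_value(mapping, m.group("attr"), claims)
            if problem:
                verdict = f"NO MATCH: {m.group('attr')} {problem}"
            elif value != m.group("value"):
                verdict = f"NO MATCH: token maps to {value!r}"
            else:
                verdict = "MATCH"
            report[role].append((member, verdict))
    unmet = [r for r, rows in report.items() if not any(v == "MATCH" for _, v in rows)]
    return report, unmet


# Constructed sample data (placeholders, not values from the issue).
POOL = "projects/123456789/locations/global/workloadIdentityPools/example-pool"
CLAIMS = {
    "sub": "repo:example-org/example-repo:ref:refs/heads/develop",
    "repository": "example-org/example-repo",
}
MEMBER = f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/example-org/example-repo"
POLICY = {"bindings": [{"role": r, "members": [MEMBER]} for r in REQUIRED_ROLES]}
BROKEN_MAPPING = {"google.subject": "assertion.sub"}  # attribute.repository missing
FIXED_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.repository": "assertion.repository",
}

if __name__ == "__main__":
    for name, mapping in (("broken", BROKEN_MAPPING), ("fixed", FIXED_MAPPING)):
        report, unmet = audit(POOL, mapping, POLICY, CLAIMS)
        print(f"{name}: roles with no matching member = {unmet}")
        for role, rows in report.items():
            for _member, verdict in rows:
                print(f"  {role}: {verdict}")
```

With the broken mapping every `principalSet` binding that keys on `attribute.repository` is reported as unable to match, which is consistent with the `PERMISSION_DENIED` response seen when the action tried to sign the JWT.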