auth: Optional `audience` key is invalid when unspecified

TL;DR

The docs here say audience is an optional key in the GitHub Actions configuration. But when I run my action without the key specified, I get the following error:

image

Expected behavior

To run successfully without specifying an audience key.

Observed behavior

It says the audience key is invalid.

Action YAML

name: Deploy - Production

on:
  workflow_dispatch:
    inputs:
      deployables:
        description: 'backend/client/dispatch.yaml'
        default: 'backend client'
        required: true
      message:
        description: 'What updates are you deploying?'
        required: true

concurrency: production_environment

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Disable client deploys
        if: contains(github.event.inputs.deployables, 'client')
        run: |
          # echo "::error::The client cannot be deployed at this time. See Slack for details."
          # exit 1

      - name: Disable backend deploys
        if: contains(github.event.inputs.deployables, 'backend')
        run: |
          # echo "::error::The backend cannot be deployed at this time. See Slack for details."
          # exit 1

      - name: Checkout code
        uses: actions/checkout@v2

      - id: 'auth'
        name: 'Authenticate to GCP'
        uses: 'google-github-actions/auth@v0.4.1'
        with:
          workload_identity_provider:
            ${{ secrets.WORKLOAD_ID_PROVIDER_PRODUCTION }}
          service_account: ${{ secrets.SERVICE_ACCOUNT_PRODUCTION }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v0.3.0

      - name: Generate version tag
        run: |
          commit_hash=$(git rev-parse --short=7 HEAD)
          echo "version_tag=$(TZ=:UTC date +%Y-%m-%dt%H-%M-%Sutc-$commit_hash)" >> $GITHUB_ENV

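      - name: Deploy
        env:
          # Pass workflow inputs through the environment so they are never expanded into the script text
          DEPLOY_MESSAGE: ${{ github.event.inputs.message }}
          DEPLOYABLES: ${{ github.event.inputs.deployables }}
        run: |
          # $DEPLOYABLES is left unquoted on purpose so 'backend client' splits into separate arguments
          "${GITHUB_WORKSPACE}/deploy" --production --message="$DEPLOY_MESSAGE" --actor="$GITHUB_ACTOR" --version="$version_tag" $DEPLOYABLES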

      - name: Create Release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ env.version_tag }}
          release_name: ${{ github.event.inputs.message }}
          draft: false
          prerelease: false

Additional information

This works fine as configured in our staging environment, which is a separate Google Cloud project.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 23 (8 by maintainers)

Most upvoted comments

Hey @selfagency yea - you must use the numeric project number. There’s an open feature request to also support the project id, but there’s no timeline for when that feature will be released.

Does switching to the project number fix your issue?
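
The project-number requirement described in the comment above can be checked before the auth step runs. This is an added example, not code from the issue or from the action; the function name `check_wif_provider` and the return codes are hypothetical, and the resource-name shape (including the fixed `locations/global` segment) is an assumption based on the usual Workload Identity Federation naming.

```shell
#!/bin/sh
# Pre-flight check for the workload_identity_provider input (added example).
# Assumed resource-name shape:
#   projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>
# Return codes (hypothetical): 0 ok, 1 malformed name, 2 project ID used instead of number.
check_wif_provider() {
  name=$1

  case $name in
    projects/*/locations/global/workloadIdentityPools/*/providers/*) ;;
    *) echo "error: not a workload identity provider resource name" >&2
       return 1 ;;
  esac

  # Pull out the three variable segments with parameter expansion only.
  rest=${name#projects/}
  project=${rest%%/*}
  rest=${rest#*/locations/global/workloadIdentityPools/}
  pool=${rest%%/*}
  provider=${rest#*/providers/}

  # Reject empty segments and extra path components: rebuilding the name
  # from the extracted parts must give back exactly the input.
  case $provider in ''|*/*) provider= ;; esac
  rebuilt="projects/$project/locations/global/workloadIdentityPools/$pool/providers/$provider"
  if [ -z "$project" ] || [ -z "$pool" ] || [ -z "$provider" ] ||
     [ "$rebuilt" != "$name" ]; then
    echo "error: malformed workload identity provider resource name" >&2
    return 1
  fi

  # The failure mode from this issue: a project ID where the number belongs.
  case $project in
    *[!0-9]*)
      echo "error: '$project' looks like a project ID; use the numeric project number" >&2
      echo "hint: gcloud projects describe $project --format='value(projectNumber)'" >&2
      return 2 ;;
  esac
  return 0
}

# Stand-alone use: pass the provider name as the first argument.
if [ "$#" -gt 0 ]; then
  check_wif_provider "$1"
fi
```

Run in a step ahead of the auth action, a non-zero exit fails the job with a message that names the actual problem instead of an invalid-audience error.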