auth: Usage with terraform: target service indicated by the "audience" parameters is invalid
Hi! Wondering how to use this with terraform (-gcs). My workflow errors out with:
Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/xxx-terraform-state/o?alt=json&delimiter=%2F&pageToken=&prefix=terraform%2Fstate%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/terraform-ci-cd@xxx.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
Workflow:

```yaml
jobs:
  test:
    permissions:
      contents: read
      id-token: 'write'
    name: terraform
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - name: Terraform fmt
        run: terraform fmt -check=true
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0.3.0
        with:
          access_token_lifetime: 900s
          workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/github
          service_account: terraform@xxx.iam.gserviceaccount.com
          create_credentials_file: true
          activate_credentials_file: true
      - name: Terraform Init
        run: terraform init
```
About this issue
- State: closed
- Created 3 years ago
- Comments: 17 (17 by maintainers)
Ah! The workload identity provider is with the project number, not the project ID, so it is with this weird number:

```yaml
workload_identity_provider: 'projects/132456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
```
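An added pre-flight check, not part of this issue or of the auth action's own code, that catches the mistake above before the workflow runs: it validates the `workload_identity_provider` string, rejects a non-numeric project segment (a project ID such as the `xxx` placeholder in the workflow), and derives the STS audience the `invalid_target` error refers to. The `check_provider` function and its return shape are this example's own; the `//iam.googleapis.com/` audience prefix is the standard one for workload identity federation.

```python
import re

# Resource name shape expected by google-github-actions/auth. The project segment
# must be the numeric project NUMBER; a project ID there yields "invalid_target".
_PROVIDER_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/global"
    r"/workloadIdentityPools/(?P<pool>[a-z0-9-]+)/providers/(?P<provider>[a-z0-9-]+)$"
)


def check_provider(name: str) -> dict:
    """Validate a workload_identity_provider value.

    Returns {'ok': bool, 'reason': str} and, when valid, the 'audience' that the
    STS token exchange presents to Google (the value the error message calls
    the "audience" parameter).
    """
    # Tolerate surrounding whitespace and YAML-style quotes copied from a workflow.
    cleaned = name.strip().strip("'\"")
    m = _PROVIDER_RE.match(cleaned)
    if not m:
        return {
            "ok": False,
            "reason": "expected projects/NUMBER/locations/global/"
                      "workloadIdentityPools/POOL/providers/PROVIDER",
        }
    project = m.group("project")
    if not project.isdigit():
        # Hint uses the real gcloud command for resolving an ID to its number.
        return {
            "ok": False,
            "reason": f"project segment {project!r} looks like a project ID; use the "
                      f"project number (gcloud projects describe {project} "
                      f"--format='value(projectNumber)')",
        }
    return {"ok": True, "reason": "", "audience": f"//iam.googleapis.com/{cleaned}"}


if __name__ == "__main__":
    # Constructed inputs: the failing value from the workflow and the corrected form.
    for value in (
        "projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/github",
        "'projects/132456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'",
    ):
        print(value, "->", check_provider(value))
```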