 

Github action doesn't work with GCP. 403: Permission 'iam.serviceAccounts.getAccessToken' denied

I am trying to create a GithubAction job, which should authenticate in GCP via Identity federation and upload some files to a bucket.

Here is the full source code of the GitHub action.

In this job I have such a step which doesn't work:

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/736194043976/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'
        token_format: 'access_token'

Unfortunately, it fails with 403 error:

Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to generate Google Cloud access token for [email protected]: (403) {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}

My service account [email protected] has enough permissions:


And the principal is set (I added random roles for testing):

Also, my-pool and my-provider are configured according to the tutorial and connected with the service account.

Here is an audit log from GCP:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist)."
    },
    "authenticationInfo": {
      "serviceAccountDelegationInfo": [
        {}
      ],
      "principalSubject": "principal://iam.googleapis.com/projects/736194043976/locations/global/workloadIdentityPools/my-pool/subject/repo:vyshkov/gcp-serverless:ref:refs/heads/main"
    },
    "requestMetadata": {
      "callerIp": "172.176.229.16",
      "callerSuppliedUserAgent": "google-github-actions:auth/1.0.0,gzip(gfe)",
      "requestAttributes": {
        "time": "2023-02-26T15:54:55.543085043Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "iamcredentials.googleapis.com",
    "methodName": "GenerateAccessToken",
    "authorizationInfo": [
      {
        "permission": "iam.serviceAccounts.getAccessToken",
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/-/serviceAccounts/103065049355271736573",
    "request": {
      "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
      "name": "projects/-/serviceAccounts/[email protected]"
    },
    "metadata": {
      "identityDelegationChain": [
        "projects/-/serviceAccounts/[email protected]"
      ]
    }
  },
  "insertId": "sbbvpke10rst",
  "resource": {
    "type": "service_account",
    "labels": {
      "unique_id": "103065049355271736573",
      "email_id": "[email protected]",
      "project_id": "learning-words-trial"
    }
  },
  "timestamp": "2023-02-26T15:54:55.523760524Z",
  "severity": "ERROR",
  "logName": "projects/learning-words-trial/logs/cloudaudit.googleapis.com%2Fdata_access",
  "operation": {
    "id": "14170752551549534963",
    "producer": "iamcredentials.googleapis.com",
    "first": true,
    "last": true
  },
  "receiveTimestamp": "2023-02-26T15:54:56.249222142Z"
}

Can you please point me to where I could make a mistake?

Vovan asked Dec 31 '25 05:12


2 Answers

A 403 Permission denied error such as Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist) is due to the principalSet on the service account IAM binding not matching the principalSubject making the call.

It is useful to enable Audit logging for iam.googleapis.com and sts.googleapis.com. Refer to public docs for more details.

The STS token is used to impersonate a service account on which the principalSubject has been granted the roles/iam.workloadIdentityUser role. Additional details on granting access here.

Fariya Rahmat answered Jan 01 '26 18:01
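As an added illustration of the mismatch described in the answer above (this is not code from the question, the answers or Google's tooling): the check below takes the `principalSubject` from the question's audit log plus a service account's `roles/iam.workloadIdentityUser` bindings and reports which members actually cover that caller. It assumes the pool uses the common tutorial attribute mapping (`google.subject=assertion.sub`, `attribute.repository=assertion.repository`); the bindings are constructed, with a member that names a different repository to reproduce the empty-match case behind the 403.

```python
# Assumes the common tutorial mapping: google.subject=assertion.sub, attribute.repository=assertion.repository
# principalSubject copied from the audit log entry in the question.
CALLER = ("principal://iam.googleapis.com/projects/736194043976/locations/global/"
          "workloadIdentityPools/my-pool/subject/repo:vyshkov/gcp-serverless:ref:refs/heads/main")

# Constructed bindings (gcloud get-iam-policy JSON shape); the member names another repository, so it does not cover CALLER.
BINDINGS_BROKEN = [{"role": "roles/iam.workloadIdentityUser", "members": [
    "principalSet://iam.googleapis.com/projects/736194043976/locations/global/"
    "workloadIdentityPools/my-pool/attribute.repository/vyshkov/other-repo"]}]

def parse_member(member):
    """Split a principal:// or principalSet:// URI into (pool, selector, value)."""
    scheme, _, rest = member.partition("://")
    if scheme not in ("principal", "principalSet"):
        return None                        # user:, serviceAccount:, ... are not WIF members
    prefix, sep, tail = rest.partition("/workloadIdentityPools/")
    if not sep:
        return None
    pool_id, _, tail = tail.partition("/")
    if tail == "*":
        return prefix + sep + pool_id, "*", None    # every identity in the pool
    selector, _, value = tail.partition("/")        # value may itself contain "/"
    return prefix + sep + pool_id, selector, value  # selector: "subject" or "attribute.<name>"

def mapped_attributes(subject):
    """Attributes the assumed mapping derives from a GitHub OIDC `sub` claim."""
    attrs = {"subject": subject}
    parts = subject.split(":")             # repo:ORG/REPO:ref:refs/heads/BRANCH
    if len(parts) >= 2 and parts[0] == "repo":
        attrs["repository"] = parts[1]
    return attrs

def member_covers(member, caller):
    """True if the binding member identifies the caller's principalSubject."""
    b, c = parse_member(member), parse_member(caller)
    if not b or not c or b[0] != c[0] or c[1] != "subject":
        return False                       # different pool, or caller is not a WIF subject
    _, selector, value = b
    attrs = mapped_attributes(c[2])
    if selector == "*":
        return True
    if selector == "subject":
        return value == attrs["subject"]
    return selector.startswith("attribute.") and attrs.get(selector.removeprefix("attribute.")) == value

def matching_members(bindings, caller, role="roles/iam.workloadIdentityUser"):
    """Members of `role` that cover `caller`; an empty list is the 403 in the question."""
    return [m for b in bindings if b["role"] == role
            for m in b["members"] if member_covers(m, caller)]
```

Run it against the real output of `gcloud iam service-accounts get-iam-policy --format=json` (the `bindings` list) to see whether the caller from your own audit log is covered at all.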


You should add the role iam.serviceAccountTokenCreator and, if necessary, also iam.serviceAccountUser:

    gcloud iam service-accounts add-iam-policy-binding \
      "$SERVICE_ACCOUNT@${PROJECT_ID}.iam.gserviceaccount.com" \
      --project="${PROJECT_ID}" \
      --role="roles/iam.serviceAccountTokenCreator" \
      --member="serviceAccount:$SERVICE_ACCOUNT@${PROJECT_ID}.iam.gserviceaccount.com"

Christian Aberger answered Jan 01 '26 19:01