Doc missing something?

[olivers-xaxis]

TL;DR

Step 6 of the WIF via Service Account in the readme shows github actions workflow yaml that only has the pool ID. I could not get that to work, I had to add the service account line using the service_account attribute. This should be added.

Also, I could not get Direct WIF (preferred) to work.

Expected behavior

Code copy from direct method, after replacing placeholders, should work out of the box

Observed behavior

It does not work, for both the WIF methods. I got the 2nd WIF method to work by adding the service account ID to the with clause.

Action YAML

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - id: auth
        name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/YOUR_PROJ_NUMBER/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions
          service_account: github-actions@YOUR_PROJ_ID.iam.gserviceaccount.com

Log output

No response

Additional information

No response

[github-actions]

Hi there @olivers-xaxis 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

Hi @olivers-xaxis - please provide the debug logs or error message(s) you're getting.

Step 6 of the WIF via Service Account in the readme shows github actions workflow yaml that only has the pool ID. I could not get that to work, I had to add the service account line using the service_account attribute. This should be added.

The code block is demonstrating where you set the workload_identity_provider value; it is not meant to be a copy-pasteable example, since there are many required and optional parameters which are documented above. However, I'll add service_account since it's required in this case. However, there are other fields like project_id which may be conditionally required, which is explained above.

Also, I could not get Direct WIF (preferred) to work.

Do you have more information? Debug logs? Error messages?

[olivers-xaxis]

Sure I should be able to do that Friday

[olivers-xaxis]

OK so I investigated the failure I was getting. When I did it again, knowing more now than I did then, your steps worked.

HOWEVER I think we can do better on the last step of the Direct method (normally I'd be happy to submit a PR but I'm still too new to GCP -- 95% of my cloud years are in AWS). OIDC should be made as easy to setup as possible, leading to a safer web. I have setup OIDC for github in AWS very easily in the past, but being new to GCP IAM I used the console. The latest version has a Grant Access on the Pool page where you can specify the repository to match, and the service account to assume when the repo matches. I think this corresponds to the last step, but the binding would be on the service account to the pool and assertion.repo. So something like showing

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_EMAIL \
  --project="${PROJECT_ID}" \
  --role roles/iam.workloadIdentityPoolUser \
  --member workload-identity-pool/POOL_NAME/LOCATION/POOL_ID/attribute.repository/ORG_NAME/REPO_NAME

AFAIK, if I'm setting up a brand new service account to be used with a brand new pool, I will absolutely need to do the above.

[sethvargo]

Sorry, I'm not following. Do you have screenshots of what you're seeing on the console? Please note that this repo does not intend to be an authoritative source for Google Cloud documentation. We provide a few key user journeys. Advanced configuration options and general instructions for OIDC/WIF are at: https://cloud.google.com/iam/docs/workload-identity-federation

[olivers-xaxis]

How about I submit a PR, it will be easier for you to see what I mean. You can adjust further if I say anything wrong.

[sethvargo]

Sure, sg.

[sethvargo]

Hey @olivers-xaxis - did you have a chance to look into this yet?