
Github actions to GCP OIDC error: Permission 'cloudkms.keyRings.list' denied on resource

I followed the steps given at for the Direct Workload Identity Federation.

My yaml file includes:

- uses: 'google-github-actions/auth@v2'
  with:
    project_id: 'my-project'
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/github/providers/providerID'

In my Github Runner I successfully see:

Run google-github-actions/auth@v2
Created credentials file at "/home/runner/work/repo/repo/gha-creds-1234.json"

I am successfully able to create a NewKeyManagementClient since it does not error out using:

client, err = kms.NewKeyManagementClient(ctx)

While setting up I granted access to kms keyrings using:

gcloud kms keyrings add-iam-policy-binding "test" \
  --location="global" \
  --project="my-project" \
  --role="roles/cloudkms.admin" \
  --member="principalSet://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/github/attribute.repository/my-org/my-github-repo"

my-github-repo is my actual Github Repo name. This is different from providerID present in the yaml. My actual repo name is only 3 letters long and GCP does not allow me to set it as the OIDC Provider value (I see nothing on the docs to suggest these have to be the same value as well).

And after performing gcloud kms keyrings get-iam-policy test --location=global

I successfully see this IAM present. However, I see this error in the Github CI at a later stage

rpc error: code = PermissionDenied desc = Permission 'cloudkms.keyRings.list' denied on resource 'projects/***/locations/***' (or it may not exist)

In my google console for my provider, I see the Attribute Conditions as

assertion.repository_owner == 'my-org'

Where am I going wrong?
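One point worth checking when reading the error above: it names the location parent (projects/.../locations/...), not the key ring "test", and in GCP IAM a binding attached to a resource applies to that resource and its descendants, never to its ancestors. The following Go program is an added illustration for this thread, not code from the original post or from Google; it models that inheritance rule with constructed role definitions and constructed token claims (repository and repository_owner, assuming the provider maps attribute.repository), and reuses the question's placeholder names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed illustration (not GCP's implementation): IAM bindings apply to
// the resource they are attached to and to its descendants, never to its
// ancestors. Cloud KMS resource names nest as
//   projects/P/locations/L/keyRings/R/cryptoKeys/K
// and listing key rings is authorised against the location parent, so a
// binding on one key ring cannot satisfy cloudkms.keyRings.list on the location.

// rolePermissions is a constructed subset of the real role definition.
var rolePermissions = map[string][]string{
	"roles/cloudkms.admin": {
		"cloudkms.keyRings.list", "cloudkms.keyRings.get", "cloudkms.keyRings.create",
		"cloudkms.cryptoKeys.list", "cloudkms.cryptoKeys.get",
	},
}

// Binding is one entry of an IAM policy attached to Resource.
type Binding struct {
	Resource string
	Role     string
	Member   string
}

// principalSetMember builds the member string the question binds, from the
// pool name and the repository attribute mapped from the OIDC token.
func principalSetMember(pool, repository string) string {
	return "principalSet://iam.googleapis.com/" + pool + "/attribute.repository/" + repository
}

// providerAccepts mirrors the provider's attribute condition
// "assertion.repository_owner == 'my-org'" applied to a token's claims.
func providerAccepts(claims map[string]string, owner string) bool {
	return claims["repository_owner"] == owner
}

// coversResource reports whether a binding on bound applies to target:
// the same resource or any descendant of it (never an ancestor).
func coversResource(bound, target string) bool {
	return bound == target || strings.HasPrefix(target, bound+"/")
}

// Allowed evaluates whether member holds perm on resource under bindings.
func Allowed(bindings []Binding, member, perm, resource string) bool {
	for _, b := range bindings {
		if b.Member != member || !coversResource(b.Resource, resource) {
			continue
		}
		for _, p := range rolePermissions[b.Role] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

// Scenario reproduces the question's setup and returns whether the federated
// identity may (1) get the bound key ring, (2) list key rings in the location
// with only the key-ring binding, and (3) list key rings after an additional
// project-level binding. Names are the question's placeholders.
func Scenario() (getKeyRing, listWithKeyRingBinding, listWithProjectBinding bool) {
	const (
		pool     = "projects/123456789/locations/global/workloadIdentityPools/github"
		project  = "projects/my-project"
		location = project + "/locations/global"
		keyRing  = location + "/keyRings/test"
	)
	// Constructed claims, as mapped from a GitHub Actions OIDC token.
	claims := map[string]string{
		"repository":       "my-org/my-github-repo",
		"repository_owner": "my-org",
	}
	if !providerAccepts(claims, "my-org") {
		return false, false, false
	}
	member := principalSetMember(pool, claims["repository"])

	// The question's binding: cloudkms.admin on the key ring "test" only.
	bindings := []Binding{{Resource: keyRing, Role: "roles/cloudkms.admin", Member: member}}
	getKeyRing = Allowed(bindings, member, "cloudkms.keyRings.get", keyRing)
	listWithKeyRingBinding = Allowed(bindings, member, "cloudkms.keyRings.list", location)

	// Same role bound one level up (project) covers the location parent.
	bindings = append(bindings, Binding{Resource: project, Role: "roles/cloudkms.admin", Member: member})
	listWithProjectBinding = Allowed(bindings, member, "cloudkms.keyRings.list", location)
	return
}

func main() {
	get, listKR, listProj := Scenario()
	fmt.Printf("get key ring: %v\nlist key rings (key-ring binding only): %v\nlist key rings (project binding): %v\n",
		get, listKR, listProj)
}
```

Run it and the middle value is false: the key-ring binding satisfies get on the ring but not list on the location, which is the shape of the PermissionDenied message quoted above. Whichever principal ends up holding the role (a principalSet or a service account), the binding has to sit at or above the resource the call is authorised against.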

1 ACCEPTED SOLUTION

Hello @Navid, welcome to the Google Cloud Community.

Does your Service Account have KMS permissions assigned?

gha-creds-1234

Reason I'm asking is because WIF is only a "way" of authentication for your 3rd party application (in this case GH Actions). So in fact, your Service Account should have mandatory permissions, not principalSet from WIF. You should think about WIF as a replacement for standard Service Account Keys.

--
cheers,
DamianS

5 REPLIES


Hey @DamianS, I haven't created a service account for this. According to this link, I should be able to get this GitHub action working without a service account, and that is the preferred way to do it? Please correct me if I'm wrong.

Thanks,

Navid


@Navid
I was not aware of such a possibility ;d however, this is my concern: "However, not all Google Cloud resources support principalSet identities, and the resulting token has a maximum lifetime of 10 minutes. Please see the documentation for your Google Cloud service for more information." I'll try to recreate this on my own infra and let you know.
--
cheers,
DamianS

Hey @DamianS, I got it working by adding a service account and binding the IAM policy to it. Still not quite sure why it wasn't working without the service account though.

Thanks,

Navid 

Most probably due to the mentioned restrictions. If your issue has been resolved, remember to mark the best reply as the solution.

--
cheers,
DamianS