
Invalid principalSet member

I'm trying to grant GitHub Actions access to push containers to my artifact repository, per this blog post (which is the most comprehensive tutorial I've found on this so far). All seems to go well until I get to the "Allow to push container images" step at which point I receive an error:

INVALID_ARGUMENT: Invalid principalSet member

So, great... the argument I'm providing is invalid. Fair enough. How do I know what a valid principalSet member is though? What about the principalSet member that I'm providing makes it invalid? How can I debug this and work through it, basically?


Hello @jamescrosswell, welcome to the Google Cloud Community.

Use Logs Explorer for such debugging https://cloud.google.com/logging/docs/view/logs-explorer-interface

You can either filter for the Artifact Registry resource or use live data (Stream logs option) while you're executing GH Actions.

--
cheers,
DamianS

Hi @DamianS ,

Thanks for the reply. Unfortunately the logs don't contain any more useful information... just the same "Invalid principalSet member" message that I get when running the command from the terminal. 

The logs do include full JSON for the API call that was made by the gcloud cli, but since the JSON is valid and the API is being called just fine, that doesn't help work through the error.

OK I think I might have found a few things that help. If I login to console.cloud.google.com, under IAM > Workload Identity Federation I can see the pools and provider. If I go to the details for the provider in question and select "Default Audience", under the description for the default audience is a key that is almost identical to what I'm passing as the principalSet member. There are two differences:

  1. When passing the principalSet member from the gcloud cli, I'm prefixing it with principalSet:// whereas in the console it's prefixed with https://
  2. In the console there is no suffix... whereas from the cli I'm suffixing it with /attribute.repository/$GITHUB_REPO_NAME - attribute.repository is one of the custom attributes defined for the provider:


As far as I can tell then, the principalSet member I'm providing is correct... obviously it's not but the logs are no use. How else can I work out what the problem is?

OK, I finally got it going. There are some docs describing the construction of a principal and a principalSet... after reading those docs very carefully and comparing the principalSet I was using, I saw the docs suggest the following to specify a principalSet describing entities with a specific attribute value:


principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE


I had been using the following (incorrect) principalSet:


principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE


So I had an extra /providers/PROVIDER_ID stuffed in there after the POOL_ID, basically.
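Because gcloud only reports "Invalid principalSet member" without saying which part is wrong, it helps to check the string locally before granting the binding. The following is an added example, not code from the thread or from Google: a small checker that applies the documented pool-level layout quoted above (the attribute form and, going slightly beyond the thread, the whole-pool `/*` form) and names the specific mismatch, including the extra `/providers/PROVIDER_ID` segment that caused the error here. The project number, pool and repository values in it are constructed.

```python
import re

# Documented pool-level principalSet layouts (the attribute form from the
# thread, plus the whole-pool "/*" form). Note there is no /providers/
# segment: provider IDs belong to the provider resource, not to the member.
PRINCIPAL_SET_RE = re.compile(
    r"^principalSet://iam\.googleapis\.com"
    r"/projects/(?P<project>[^/]+)"          # docs use the numeric PROJECT_NUMBER
    r"/locations/global"
    r"/workloadIdentityPools/(?P<pool>[^/]+)"
    r"(?:/attribute\.(?P<attr>[^/]+)/(?P<value>.+)|/\*)$"
)


def check_principal_set(member: str) -> tuple[bool, str]:
    """Return (ok, reason) for a principalSet member string.

    Constructed checker: it explains the mismatch that gcloud's generic
    'Invalid principalSet member' message hides.
    """
    if not member.startswith("principalSet://"):
        # The console's "Default Audience" value starts with https:// and
        # is not usable as an IAM member as-is.
        return False, "member must start with principalSet://"
    if "/providers/" in member:
        return False, ("pool-level principalSet must not contain "
                       "/providers/PROVIDER_ID after the POOL_ID")
    m = PRINCIPAL_SET_RE.match(member)
    if not m:
        return False, ("expected .../workloadIdentityPools/POOL_ID/"
                       "attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE or .../POOL_ID/*")
    return True, "ok"


if __name__ == "__main__":
    # Constructed values mirroring the two members discussed in the thread.
    base = "principalSet://iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/github-pool"
    good = f"{base}/attribute.repository/octo-org/octo-repo"
    bad = f"{base}/providers/github-provider/attribute.repository/octo-org/octo-repo"
    for candidate in (good, bad):
        ok, reason = check_principal_set(candidate)
        print("VALID  " if ok else "INVALID", candidate, "->", reason)
```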