v0.3.1 - error code 403 The Caller Does Not Have Permission

[ssay-work]

TL;DR

Getting 403 error when authenticating to GCP. Two weeks (10/19) ago same exact workflow passed successfully. We did not change anything with our GCP IAM user and anything in the workflow. We followed the readme in setting up and I verified that nothing has changed on that user.

Expected behavior

Successful authentication.

Observed behavior

"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}

Reproduction

Follow setup steps in readme and create a github action for Oauth2.0

Action YAML

    steps:
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0.3.1'
      with:
        token_format: 'access_token'
        workload_identity_provider: 'projects/########/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
        service_account: 'github-actions@#######.iam.gserviceaccount.com'

Additional information

No, we are in POC phase for deploying to GCP using GitHub actions and using this action is part of it.

[sethvargo]

Hi @ssay-work - did you see the upgrade notes for 0.3.1?

[ssay-work]

Yes, I did -- version 0.3.1 was the only version we started with (two weeks ago).

[sethvargo]

Hi @ssay-work - I just checked and my workflows are still running fine. Can you share the full run output? If this is a public repo, can you point me to the workflow run? It would also be helpful to have the output of:

gcloud iam workload-identity-pools providers describe github-actions-provider --location global --workload-identity-pool github-actions-pool

[ssay-work]

Unfortunately this is a private repo.

here is the output of the command:

attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository: assertion.repository
  google.subject: assertion.sub
displayName: Github provider
name: projects/#########/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE

I can go through the readme setups steps again. We did not change anything in the last two weeks when this last worked and it wasnt readily apparent to me what the issue is.

Is there anything else I can check?

[sethvargo]

How is your IAM policy configured? Sorry - it's rather difficult to debug without understanding the complete setup or seeing the complete output. There should be text before that error that says something like "failed to generate Google Cloud federated token" or a hint as to where the invocation is failing.

[ssay-work]

Full error output

Action failed with error: Error: failed to generate Google Cloud access token for github-actions@########.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

the service account has all the privs granted to it as stated from the readme, including additional roles that we gave it during our initial phase.

[sethvargo]

Hi @ssay-work

That tells me that the OIDC exchange was successful (you successfully minted a GitHub OIDC token and exchanged it for a Google Cloud Federated Token), but then the resulting Federated Token did not have permissions to generate an OAuth 2.0 Access Token from the authentication.

Does your principal have roles/iam.workloadIdentityUser permissions on github-actions@########.iam.gserviceaccount.com? What are your IAM bindings?

[ssay-work]

yes it does. Results of this query:
gcloud iam service-accounts get-iam-policy "github-actions@${PROJECT_ID}.iam.gserviceaccount.com"

bindings:
- members:
  - principalSet://iam.googleapis.com/projects/########/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/agero-private/*
  role: roles/iam.workloadIdentityUser
etag: XXXXXXXX
version: 1

[sethvargo]

Are you able to confirm that the attribute.repository value is being mapped correctly? I think it would be better to map against repository_owner instead of using the splat here.

[ssay-work]

I believe it is correct, but let me update this to repository_owner and I'll report back.

[ssay-work]

adding the binding for repository_owner worked.

I appreciate the response on this.