Unable to authenticate using OIDC workload identity when adding attribute condition

[rushminatorr]

TL;DR

Authentication is successfull when principleSet is set to: //iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/*

But fails when I limit it to a private repo under an org. //iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/<GITHUB_ORG>/*

Expected behavior

Authenticate with specific private repository.

Observed behavior

Error: Action failed with error: Error: failed to generate Google Cloud ID token for rush3-service-account@xxxxx.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

Action YAML

- id: auth
      name: Authenticate to Google Cloud
      uses: google-github-actions/auth@v0.4.2
      with:
        token_format: id_token
        workload_identity_provider: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
        service_account: rush3-service-account@xxxx.iam.gserviceaccount.com
        access_token_lifetime: '300s'

Additional information

❯ gcloud iam service-accounts get-iam-policy "rush3-service-account@xxxxxx.iam.gserviceaccount.com"
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/<GITHUB_ORG>/*
  role: roles/iam.workloadIdentityUser
etag: xxxxxx
version: 1

❯ gcloud iam workload-identity-pools providers describe rush3-provider --location global --workload-identity-pool rush3-pool
attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository: assertion.repository_owner
  google.subject: assertion.sub
displayName: Rush demo provider
name: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE

I have also followed steps described here: #36

[sethvargo]

This comment was edited to fix an error, to prevent people from blindly copy-pasting.

I think you need to specify which attribute you're mapping. The IAM policy should be:

principalSet://iam.googleapis.com/projects/xxxxxxx/locations/global/workloadIdentityPools/rush3-pool/attribute.repository_owner/<GITHUB_ORG>

You also need to make sure you've mapped attribute.repository_owner to assertion.repository_owner in the pool.

[rushminatorr]

I have fixed the mapping. (i tried with both).

❯ gcloud iam workload-identity-pools providers describe rush3-provider --location global --workload-identity-pool rush3-pool
attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository_owner: assertion.repository_owner
  google.subject: assertion.sub
displayName: Rush demo provider
name: projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/providers/rush3-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE

I am so sorry- i accidentally removed too much when editing ticket.

my IAM policy is setup to:

❯ gcloud iam service-accounts get-iam-policy "rush3-service-account@xxxxxx.gserviceaccount.com"
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/xxxxx/locations/global/workloadIdentityPools/rush3-pool/attribute.repository_owner/<GITHUB_ORG>/*
  role: roles/iam.workloadIdentityUser
etag: xxxx
version: 1

Still getting same error:

Error: google-github-actions/auth failed with: Error: Failed to generate Google Cloud access token for rush3-service-account@xxxx.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

I hope its not cacheing..

[sethvargo]

The original error was failing to generate an ID token, but this error is failing to generate an access token. Please try to limit redaction as it makes it very difficult to debug. It also doesn't make sense as you've set token_format to "id_token" but are setting an access_token_lifetime.

My best guess is that you did not wait long enough. Try again in ~5min. IAM propagation on Workload Identity is eventually consistent.

[rushminatorr]

Apologies for the accidental redaction. Also, you are correct - initially, I had access_token and was trying to troubleshoot with id_token.
I been obsessed to get this to work and muddied up this bug report(should have reset with clear headspace). No excuse - sincere apologies and really grateful for the support.

I did everything from scratch again.
Here are the configs.

    - id: auth
      name: Authenticate to Google Cloud Platform
      uses: google-github-actions/auth@v0.4.2
      with:
        token_format: access_token
        workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/rush4-pool/providers/rush4-provider
        service_account: rush4-service-account@xxx.iam.gserviceaccount.com
        access_token_lifetime: '300s'

❯ gcloud iam workload-identity-pools providers describe rush4-provider --location global --workload-identity-pool rush4-pool
attributeMapping:
  attribute.actor: assertion.actor
  attribute.aud: assertion.aud
  attribute.repository_owner: assertion.repository_owner
  google.subject: assertion.sub
displayName: Rush demo provider
name: projects/xxxx/locations/global/workloadIdentityPools/rush4-pool/providers/rush4-provider
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE

❯ gcloud iam service-accounts get-iam-policy "rush4-service-account@xxxx.iam.gserviceaccount.com"
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/xxx/locations/global/workloadIdentityPools/rush4-pool/attribute.repository_owner/team-rocos/*
  role: roles/iam.workloadIdentityUser
etag: xxx
version: 1

Error:

Run google-github-actions/auth@v0.4.2
  with:
    token_format: access_token
    workload_identity_provider: projects/xxxx/locations/global/workloadIdentityPools/rush4-pool/providers/rush4-provider
    service_account: rush4-service-account@xxxx.iam.gserviceaccount.com
    access_token_lifetime: 300s
    create_credentials_file: true
    cleanup_credentials: true
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    id_token_include_email: false

Error: google-github-actions/auth failed with: Error: Failed to generate Google Cloud access token for rush4-service-account@xxxx.iam.gserviceaccount.com: {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

[rushminatorr]

@sethvargo could you please confirm auth should work with attribute conditions on a private repository? I can close this ticket if you can confirm this. Thanks.

[sethvargo]

@rushminatorr the attribute conditions will work on a private repo (I just tested it), but I think the problem is the "slash" in the org/repo.

If you want to admit all repos in an organization, map on attribute.repository_owner (which will be the org name):

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project "${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_owner/${ORG_NAME}"

You also need to make sure that attribute.repository_owner is mapped in your attribute mapping to take advantage of that. Note, it's NOT .../attribute.repository_owner/${ORG_NAME}/*, it's .../attribute.repository_owner/${ORG_NAME}. I was incorrect above.

I just confirmed this setup is working for me, in a private repository, with the repository_owner binding.

[rushminatorr]

okay thank you! i will test this.

[dobromyslov]

This definitely should be mentioned in the configuration docs. I've just struggled the same trouble.

[divyangjp]

@rushminatorr the attribute conditions will work on a private repo (I just tested it), but I think the problem is the "slash" in the org/repo.

If you want to admit all repos in an organization, map on attribute.repository_owner (which will be the org name):

gcloud iam service-accounts add-iam-policy-binding "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project "${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository_owner/${ORG_NAME}"

You also need to make sure that attribute.repository_owner is mapped in your attribute mapping to take advantage of that. Note, it's NOT .../attribute.repository_owner/${ORG_NAME}/*, it's .../attribute.repository_owner/${ORG_NAME}. I was incorrect above.

I just confirmed this setup is working for me, in a private repository, with the repository_owner binding.

This worked for me