From f782e273cef26008fc04149f492da1bed80107d6 Mon Sep 17 00:00:00 2001 From: Broc Seib Date: Mon, 6 Feb 2023 14:31:09 -0500 Subject: [PATCH 1/2] Add another possible auth error cause to the list Ensure that the workflow permissions are set according to the Usage docs. --- docs/TROUBLESHOOTING.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 34d49762..a88d5985 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -35,7 +35,7 @@ further debug: libraries. Please note that we do not have control over actions outside of `google-github-actions`. -If your workflow _fails_ after adding the the step to generate an access token, +If your workflow _fails_ after adding the step to generate an access token, it likely means there is a misconfiguration with Workload Identity. Here are some common sources of errors: @@ -55,6 +55,14 @@ some common sources of errors: **number**. Workload Identity Federation does not accept Google Cloud Project IDs. +1. Ensure that you have the correct workflow permissions, per the [usage](../README.md#usage) docs, i.e. + + ```yaml + permissions: + contents: 'read' + id-token: 'write' + ``` + 1. Ensure you have created an **Attribute Mapping** for any **Attribute Conditions** or **Service Account Impersonation** principals. You cannot create an Attribute Condition unless you map that value from the incoming From 727e31196989b15c8a17e4127ebb696133ec2a85 Mon Sep 17 00:00:00 2001 From: Broc Seib Date: Mon, 6 Feb 2023 14:42:52 -0500 Subject: [PATCH 2/2] Use concrete terms for workflow permissions On day one, the phrase "workflow permissions" is still a bit abstract, whereas seeing the phrase `permissions:` with direct link to the usage docs is very specific about what is being talked about. --- docs/TROUBLESHOOTING.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index a88d5985..d47c069e 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -55,7 +55,8 @@ some common sources of errors: **number**. Workload Identity Federation does not accept Google Cloud Project IDs. -1. Ensure that you have the correct workflow permissions, per the [usage](../README.md#usage) docs, i.e. +1. Ensure that you have the correct `permissions:` for the job in your workflow, per + the [usage](../README.md#usage) docs, i.e. ```yaml permissions:
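Review bot: In the first patch's `@@ -55,6 +55,14 @@` hunk, the new list item says "i.e." before the YAML snippet, but the snippet is an example rather than the exact required value, so "e.g." reads better; it would also help the reader to say which permission matters for this failure mode. `id-token: 'write'` is what lets the job request the OIDC token that Workload Identity Federation exchanges for Google Cloud credentials, while `contents: 'read'` is only there for a checkout step. Suggest something like "Ensure that you have the correct workflow permissions, per the [usage](../README.md#usage) docs, in particular `id-token: 'write'`, e.g." so a reader who already has a larger `permissions:` block knows which line to look for.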
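Review bot: In the second patch's `@@ -55,7 +55,8 @@` hunk, "the correct `permissions:` for the job in your workflow" implies the key is job-level only, but GitHub Actions accepts `permissions:` at the top level of the workflow as well as on an individual job, and either placement grants the `id-token` scope. Consider "for the workflow or job" to avoid sending readers to the wrong place. Worth a short caveat in the same item: once a `permissions:` block is present, any scope not listed is reduced to `none`, so a job that adds only the two lines shown and also pushes packages or comments on PRs will start failing elsewhere; the fix is to keep the job's other required scopes in the same block.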