-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Impersonation issues for Google Workspace #387
Comments
Hi there @tcvall86 👋! Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps. |
Can you try auth@v1.3.0 and report whether that works? We changed the way credentials were generated in 2.0, and I'm wondering if it works in 1.0. |
I used the Following your suggestion, I switched to Can't wait to get it fixed :) |
Hi @damir-dezeljin can you try pinning to |
@sethvargo , may I ask you to point me to the |
I can also confirm
|
Hi @damir-dezeljin - it's linked right above in the GitHub UI (#388). Hi @tcvall86 - can you provide the debug logs? |
I have attached the debug logs here This part looks a bit weird (Promise ])
|
Hi @tcvall86 - Did you sanitize the logs? I'm seeing the project ID as "project-id", the pool as "my-pool", and the provider as "my-provider". WIF requires project number, not project id, but none of those values seem correct.
I see that we successfully get a federated token and an access token, so I think you scrubbed the logs. Nonetheless, I was able to see what's going on. Can you please try again with |
Yes I did sanitize the logs
|
Can you send the full debug logs again please with the latest version of |
Hello @sethvargo here are the new logs, I have sanitized some of the outputs like project id, pool, provider, my admin, repo etc |
Hi @tcvall86 - sorry, but those look like older logs. Can you try again with a new commit? Sometimes GitHub caches the resolved hash if you just click "re-run". There should be new log output that will help debug this. |
Hi @sethvargo Ok so the action does not fail now since your last commit but now I get
Might be ok though? |
I can try it later tomorrow if you want, if the warning is expected I mean |
Hi @tcvall86 - yea, that seems unexpected, so I'd like to see the full request and response from the debug logs if possible. |
Hello @sethvargo, Here are the sanitized logs with the most recent run |
Hi @tcvall86 - okay it looks like I was expected the wrong response param ( |
Hello @sethvargo, Sorry for the late reply here. |
Thanks - released v2.1.1 |
TL;DR
When trying to add access_token_subject I receive a 401 response for the auth action
google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using my-service-account@my-project.iam.gserviceaccount.com:
If I run this without subject like
The flow passes normally. However since I need to do impersonation I would need to add
access_token_subject: my-admin-user@domain.td
Which is when the error happens.
I tried to look into previous impersonation issues like
#234
#174
#63
But regardless I can't quite get it to work
I have set up the domain wide permissions inside of google workspace for the service account appid
I am not to used to GCP so it could be something obvious I am missing here. I am thankful for any suggestions!
Regards,
Thomas
Expected behavior
I am expecting impersonation to work so we can use this to access Google workspaces in our actions
Observed behavior
Call fails with
Action YAML
Log output
Additional information
No response
The text was updated successfully, but these errors were encountered: