google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.

Home Page: https://cloud.google.com/iam

Error in parsing JSON credentials file

rojo1997 opened this issue · comments

TL;DR

Error in parsing JSON credentials file. The YAML workflow file and the credential have not been modified. It has been failing since today, June 22nd. Yesterday it was working properly.

Expected behavior

Correct credentials setup

Observed behavior

It is repeatedly trying to parse a JSON credential file that works locally.

Action YAML

- name: Authenticate to Google Cloud
  id: "auth"
  uses: google-github-actions/auth@v1
  with:
    credentials_json: "${{ env.GCP_KEY_JSON }}"

Log output

Error: google-github-actions/auth failed with: retry function failed after 4 attempts: failed to parse service account key JSON credentials: unexpected token \ in JSON at position 1

Additional information

We are using the variable from env since we loaded it with Vault. We have verified that the content of the variable is correct (name of the file with the credentials).

Hi there @rojo1997 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

"unexpected token \ in JSON at position 1" indicates the input is malformed. What is the value of env.GCP_KEY_JSON?

The GCP JSON credential in one line

Is there a "\" character in the string? We just parse the value as JSON that comes directly from GitHub after trimming any whitespace and optionally base64-decoding the input.

Usually in these situations, the input is invalid. I noticed you said:

We are using the variable from env since we loaded it with Vault. We have verified that the content of the variable is correct (name of the file with the credentials).

This input is the raw JSON, not a file path. Your original issue says that it's a file path (which is incorrect), but then your most recent comment says:

The GCP JSON credential in one line

The input must be the raw JSON or base64-encoded raw JSON for the service account key json of the format:

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Thanks for your support, it is fixed. Vault secret string included these symbols: {"type":"service_account","project_id":"

You need to modify the string using this command:
echo "GCP_KEY_JSON=${GCP_KEY_JSON}" | sed 's/\\\"/"/g' >> "$GITHUB_ENV"

commented

Hi Seth Vargo,
I am getting the same error, and I started getting it around 6/21 or 6/22. I have confirmed that my JSON key is similar to the one above. I have tried both the multiline and single-line options and I am getting the same error.
google-github-actions/auth failed with: retry function failed after 4 attempts: failed to parse service account key JSON credentials: unexpected token \ in JSON at position 1

I have tried the above sed command that rojo has posted and it is not working for me.
I would also appreciate it if you could shed some light on why this flow was working and then all of a sudden started failing. I feel that this is the result of some change somewhere?

Below is my test github flow.
name: Test Flow
on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write

jobs:
  test:
    name: Vault connect test
    runs-on: docker-new

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          method: jwt
          url: https://domainname:8200
          namespace: XX001
          role: XXXXX
          exportToken: true
          secrets: |
            path gke_sa_key | GKE_KEY

      - id: auth
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          credentials_json: ${{ steps.secrets.outputs.GKE_KEY }}
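
The input handling described in this thread (trim, optional base64 decode, JSON parse) and the two mistakes that come up in it (backslash-escaped quotes, a file name instead of the JSON), as an added diagnostic sketch that is not part of the thread or the action's own code. `diagnoseCredentials` and its category names are hypothetical, the sample key is constructed from placeholders, and the function returns only a category so the secret never reaches the log.

```javascript
function tryParse(text) {
  try {
    const obj = JSON.parse(text);
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? obj : null;
  } catch {
    return null;
  }
}

function diagnoseCredentials(input) {
  const raw = String(input ?? '').trim();
  if (raw === '') return 'empty';
  // Accepted form 1: raw JSON.
  let key = tryParse(raw);
  let encoding = 'json';
  // Accepted form 2: base64-encoded raw JSON.
  if (!key && /^[A-Za-z0-9+\/=_-]+$/.test(raw)) {
    key = tryParse(Buffer.from(raw, 'base64').toString('utf8'));
    encoding = 'base64';
  }
  if (key) {
    const complete = key.type === 'service_account' && key.private_key && key.client_email;
    return complete ? `ok-${encoding}` : 'not-a-service-account-key';
  }

  // Failure seen in this thread: quotes arrived backslash-escaped ({\"type\":...).
  if (raw.startsWith('{\\"') && tryParse(raw.replace(/\\"/g, '"'))) return 'escaped-quotes';

  // Failure the maintainer warns about: a file name instead of the file's contents.
  if (!raw.includes('{') && /\.json$/i.test(raw)) return 'file-path';

  return 'invalid-json';
}

// Constructed sample inputs (placeholder values, not a real credential).
const SAMPLE_KEY = JSON.stringify({
  type: 'service_account',
  project_id: 'PROJECT_ID',
  private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n',
  client_email: 'SERVICE_ACCOUNT_EMAIL',
});
const SAMPLES = {
  raw: SAMPLE_KEY,
  base64: Buffer.from(SAMPLE_KEY).toString('base64'),
  escaped: SAMPLE_KEY.replace(/"/g, '\\"'),
  path: 'gcp-key.json',
};
for (const [n, v] of Object.entries(SAMPLES)) console.log(`${n}: ${diagnoseCredentials(v)}`);
```

Run against the real value in a step before the auth step, an `escaped-quotes` or `file-path` result points at how the secret was stored or exported rather than at the action.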