google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.

Home Page:https://cloud.google.com/iam

Unexpected number of exchanged STS tokens and generated Access Tokens

dmollin opened this issue · comments

TL;DR

GCP Logging entries for STS and IAM APIs show multiple exchanged/generated tokens for a single auth@v1 action - Is this expected behavior?

Expected behavior

Using the auth@v1 action for the Workload Identity Federation use case. Expecting to see two logging entries for a single invoked action:

  1. Exchanged STS Token: google.identity.sts.v1.SecurityTokenService.ExchangeToken
  2. Generated Access Token: google.iam.credentials.v1.GenerateAccessTokenRequest

Observed behavior

Seeing 7 instances of each API call

[Screenshot 2023-11-22 at 16 22 59]

Action YAML

id: 'auth'
name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
  workload_identity_provider: ${{ env.WORKFLOW_IDENTITY_POOL_PROVIDER }}
  service_account: ${{ env.WI_SERVICE_ACCOUNT }}
  token_format: 'access_token'

Log output

No response

Additional information

No response

Hi there @dmollin 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

Hi there - could you please provide the debug output for the complete GitHub Actions workflow run?

Can you share your complete action.yml? Is this part of a matrix?

Here is the broader action.yaml with some omitted details, it's relatively straightforward:

name: 'bootstrap'

env:
  WORKFLOW_IDENTITY_POOL_PROVIDER: <provider>
  WI_SERVICE_ACCOUNT: <svc>

permissions:
  contents: read

jobs:

  bootstrap-tf:
    name: 'Bootstrap-tf'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      pull-requests: read
    defaults:
      run:
        shell: bash

    steps:
    - name: GH Checkout
      uses: actions/checkout@v4
      with:
        token: ${{ secrets.GH_PAT }}

    - id: 'auth'
      name: Authenticate to Google Cloud
      uses: google-github-actions/auth@v1
      with:
        workload_identity_provider: ${{ env.WORKFLOW_IDENTITY_POOL_PROVIDER }}
        service_account: ${{ env.WI_SERVICE_ACCOUNT }}
        token_format: 'access_token'

    - name: Install Terraform
      uses: hashicorp/setup-terraform@v2
      with:
        terraform_version: 1.1.7

    - name: Terraform Init
      run: terraform init
      working-directory: <dir>

    - name: Terraform Plan
      run: terraform plan
      working-directory: <dir>

Here are the debug logs for the auth step, some details omitted:

##[debug]Evaluating condition for step: 'Authenticate to Google Cloud'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Authenticate to Google Cloud
##[debug]Register post job cleanup for action: google-github-actions/auth@v1
##[debug]Loading inputs
##[debug]Evaluating: env.WORKFLOW_IDENTITY_POOL_PROVIDER
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'WORKFLOW_IDENTITY_POOL_PROVIDER'
##[debug]=> 'projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/github'
##[debug]Result: 'projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/github'
##[debug]Evaluating: env.WI_SERVICE_ACCOUNT
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'WI_SERVICE_ACCOUNT'
##[debug]=> '<svc>'
##[debug]Result: '<svc>'
##[debug]Loading env
Run google-github-actions/auth@v1
##[debug]Using workload identity provider "projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/github"
##[debug]ID token url is https://pipelinesghubeus8.actions.githubusercontent.com/Dv9Pv9vUvzouKmqjK08eaeg302nowUGTuCfdRtGj0h12LDVoq7/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/ddf7dd5d-a54e-40f5-b2be-819c6ed57842/jobs/a8810379-eb79-57f2-8bc3-bc09a51bb7e2/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%<id>%2Flocations%2Fglobal%2FworkloadIdentityPools%2F<proj>%2Fproviders%2Fgithub
::add-mask::***
##[debug]Creating credentials file
Created credentials file at "/home/runner/work/<repo>/<repo>/gha-creds-441d0aceb06da897.json"
##[debug]Creating access token
::add-mask::***
##[debug]Node Action run completed with exit code 0
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/<repo>/<repo>/gha-creds-441d0aceb06da897.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/<repo>/<repo>/gha-creds-441d0aceb06da897.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/<repo>/<repo>/gha-creds-441d0aceb06da897.json'
##[debug]CLOUDSDK_CORE_PROJECT='<proj>'
##[debug]CLOUDSDK_PROJECT='<proj>'
##[debug]GCLOUD_PROJECT='<proj>'
##[debug]GCP_PROJECT='<proj>'
##[debug]GOOGLE_CLOUD_PROJECT='<proj>'
##[debug]Set output credentials_file_path = /home/runner/work/<repo>/<repo>/gha-creds-441d0aceb06da897.json
##[debug]Set output project_id = <proj>
##[debug]Set output access_token = ***
##[debug]Set output access_token_expiration = 2023-11-23T11:46:22Z
##[debug]Finishing: Authenticate to Google Cloud

Hi @dmollin - can you please share the complete action.yml and debug log? I'm not seeing the same behavior when I run what you've provided here with my own values. If you don't want to post them publicly, please email them to [my github username]@google.com.

What does this workflow trigger on?

@dmollin and I discussed this over email. The logs indicate the API calls are coming from the go-http-client user-agent, which is not this GitHub Action. Upon further investigation, a later step using Terraform was making the API calls using the ExternalAccount exported by auth (as intended).
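The triage step that resolved this thread was attributing each STS/IAM audit-log entry to its caller rather than counting entries per method. The script below is an added example (not part of the issue, the action, or Google's tooling) that does that over Cloud Audit Log entries in the JSON shape `gcloud logging read --format=json` returns: it groups calls per API method by the caller-supplied user agent, so one pair of calls from the action and six pairs from a later Terraform step (Go's default `Go-http-client/1.1` user agent) stand out immediately. The log entries are constructed for illustration; the action's own user agent is not stated in the issue and is a labelled placeholder, and the method name `google.iam.credentials.v1.GenerateAccessTokenRequest` is used exactly as the reporter wrote it.

```python
"""Attribute STS/IAM audit-log entries to the client that made them.

Added example for triaging "too many exchanged/generated tokens" reports
against a GitHub Actions workflow that uses Workload Identity Federation.
All log entries here are constructed; none are real records.
"""
import json
from collections import Counter, defaultdict
from typing import Iterable

# Method names as they appear in the issue's Cloud Logging entries.
STS_EXCHANGE = "google.identity.sts.v1.SecurityTokenService.ExchangeToken"
IAM_GENERATE = "google.iam.credentials.v1.GenerateAccessTokenRequest"

# Placeholder: the issue does not state which user agent the auth action sends.
ACTION_UA = "<auth-action-user-agent>"
# Default user agent of Go's net/http client (what Terraform's providers use).
GO_UA = "Go-http-client/1.1"


def logging_filter(methods: Iterable[str]) -> str:
    """Build a Cloud Logging query selecting the token-related audit entries.

    Usable as: gcloud logging read '<filter>' --format=json --freshness=1d
    """
    quoted = " OR ".join(f'"{m}"' for m in methods)
    return f"protoPayload.methodName=({quoted})"


def _entry(method: str, user_agent: str, principal: str, ts: str) -> dict:
    """Construct one entry with the protoPayload fields audit logs carry."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerSuppliedUserAgent": user_agent},
        },
    }


def constructed_entries() -> list:
    """Seven exchanges and seven generations: one pair from the action, six from Terraform."""
    entries = []
    for i in range(7):
        ua = ACTION_UA if i == 0 else GO_UA
        ts = f"2023-11-23T10:46:{i:02d}Z"  # constructed timestamps
        entries.append(_entry(STS_EXCHANGE, ua, "<svc>", ts))
        entries.append(_entry(IAM_GENERATE, ua, "<svc>", ts))
    return entries


def parse_json_entries(text: str) -> list:
    """Accept either a JSON array (gcloud --format=json) or newline-delimited JSON."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _user_agent(entry: dict) -> str:
    payload = entry.get("protoPayload", {})
    return payload.get("requestMetadata", {}).get("callerSuppliedUserAgent", "<unknown>")


def callers_by_method(entries: Iterable[dict]) -> dict:
    """Count calls per API method, broken down by caller-supplied user agent."""
    result = defaultdict(Counter)
    for e in entries:
        method = e.get("protoPayload", {}).get("methodName", "<unknown>")
        result[method][_user_agent(e)] += 1
    return dict(result)


def calls_not_from_action(entries: Iterable[dict], action_ua: str = ACTION_UA) -> dict:
    """Per-user-agent counts of calls that some other client made with the exported credential."""
    counts = Counter()
    for e in entries:
        ua = _user_agent(e)
        if ua != action_ua:
            counts[ua] += 1
    return dict(counts)


if __name__ == "__main__":
    print("filter:", logging_filter([STS_EXCHANGE, IAM_GENERATE]))
    for method, counts in callers_by_method(constructed_entries()).items():
        print(method)
        for ua, n in counts.most_common():
            print(f"  {n:>3}  {ua}")
    print("not from the action:", calls_not_from_action(constructed_entries()))
```

Run against real output, replace `constructed_entries()` with `parse_json_entries(open("entries.json").read())`. A breakdown where every extra call carries a non-action user agent points at a later step reusing the credentials file, which is the intended behaviour of the ExternalAccount credential rather than the action exchanging tokens repeatedly.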