google-github-actions/auth@v1 works but v2 doesn't
josekasna opened this issue
TL;DR
google-github-actions/auth@v1 works but v2 fails with:
{"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
Expected behavior
Run google-github-actions/auth@v2
Created credentials file at "/home/runner/work/blah/blah/gha-creds-74181985507fbc95.json"
Observed behavior
Error: google-github-actions/auth failed with: retry function failed after 4 attempts: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/388216187562/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
Action YAML
```yaml
name: Backup snapshot
on:
  schedule:
    # Every day at 4:20 AM AEST
    - cron: "20 18 * * *"
  push:
    branches:
      - development
      - main
    paths:
      - .github/workflows/backup-snapshot.yml
jobs:
  backup:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        project:
          - projectd
          - projectc
          - projectb
          #- projecta
          #- projectc-v2
          - projectb-v2
        exclude:
          # Exclude backing up staging and dev projects when running on the Org1
          # organization. This works because, when the condition is false, the
          # expression evaluates to an empty string, which matches no project.
          - project: ${{ github.repository_owner == 'Org1' && 'projectc' || '' }}
          - project: ${{ github.repository_owner == 'Org1' && 'projectb' || '' }}
          # Exclude backing up the production project when running on the Org1
          # organization, for the same reason: a false condition yields an empty
          # string, which excludes nothing.
          - project: ${{ github.repository_owner == 'OrgA' && 'projectd' || '' }}
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      # Need to check out code to get firebase config
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
          cache: 'yarn'
          cache-dependency-path: |
            functions/yarn.lock
            functions-ts/yarn.lock
            web-app/yarn.lock
      # yarn global add firebase-tools@latest
      # Changing to last version that worked
      - name: Install global NPM tools
        run: |
          yarn global add firebase-tools@12.9.1
          firebase --version
      ###############
      ## START: PROJECT SPECIFICS
      - if: matrix.project == 'projecta'
        run: |
          echo "BACKUP_SERVICE_ACCOUNT=backups@projecta.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-ejuyf@projecta.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-ejuyf@projecta.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/674656007155/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      - if: matrix.project == 'projectd'
        run: |
          # Note: a secret expanded inside `run:` and written to GITHUB_ENV is visible
          # to every later step of this job, not only to the step that needs it.
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_DEFIPLATFORM }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_DEFIPLATFORM }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectd.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-tools@projectd.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-g54tc@projectd.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/857213089688/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      - if: matrix.project == 'projectc-v2'
        run: |
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectc-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-71xxo@projectc-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-71xxo@projectc-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/398450691122/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      - if: matrix.project == 'projectc'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_projectc }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_projectc }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backup@projectc.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-tools-787@projectc.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-boji7@projectc.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/320854465469/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      - if: matrix.project == 'defiplatformsandbox'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_projectc }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_projectc }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backups@defiplatformsandbox.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-2sa3v@defiplatformsandbox.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-2sa3v@defiplatformsandbox.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/282426236812/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      - if: matrix.project == 'projectb'
        run: |
          echo "SA_FIREBASE=${{ secrets.FIREBASE_SA_projectb }}" >> $GITHUB_ENV
          echo "SA_GCP_BACKUP=${{ secrets.BACKUP_SA_projectb }}" >> $GITHUB_ENV
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectb.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-aww8h@projectb.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-aww8h@projectb.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/140165331335/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      - if: matrix.project == 'projectb-v2'
        run: |
          echo "BACKUP_SERVICE_ACCOUNT=backups@projectb-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_SERVICE_ACCOUNT=firebase-adminsdk-e0dxp@projectb-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "FIREBASE_ADMIN_SERVICE_ACCOUNT=firebase-adminsdk-e0dxp@projectb-v2.iam.gserviceaccount.com" >> $GITHUB_ENV
          echo "WORKLOAD_IDENTITY_PROVIDER=projects/388216187562/locations/global/workloadIdentityPools/identity-pool/providers/identity-pool-gh-provider" >> $GITHUB_ENV
      ## END: PROJECT SPECIFICS
      #########################
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          create_credentials_file: 'true'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.FIREBASE_SERVICE_ACCOUNT }}
          project_id: ${{ matrix.project }}
      - name: Set up gcloud Cloud SDK environment
        uses: google-github-actions/setup-gcloud@v2
        with:
          version: '>= 363.0.0'
          project_id: ${{ matrix.project }}
          #service_account_key: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
      - name: Show configuration
        run: gcloud config list
      # The variable `SA_FIREBASE` must be a base64 encoded string
      # of the service account JSON to avoid problems with quote escaping and
      # conversion of '\n' characters generating invalid JSON
      #- name: Set service account for Firebase CLI
      #  run: |
      #    echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/service_account.json" >> $GITHUB_ENV
      #    echo ${{ env.SA_FIREBASE }} | base64 -d - > service_account.json
      ##########################################################################
      ## BACKUP FIRESTORE
      # Turns out that rm -rf fails with an error if there are no files,
      # which is inconvenient since sometimes, if a job fails, we end up
      # in states where we can't re-run a job that has previously failed.
      - name: Add dummy file to bucket so that rm -rf doesn't fail
        run: |
          touch dummy.txt
          gsutil -m cp dummy.txt gs://${{ matrix.project }}-backups/firestore/__snapshot__/
      - name: Remove previous snapshot backup
        run: gsutil -m rm -rfa gs://${{ matrix.project }}-backups/firestore/__snapshot__
      - name: Export Firestore to Cloud Storage bucket
        run: gcloud firestore export gs://${{ matrix.project }}-backups/firestore/__snapshot__ --async
      ##########################################################################
      ## BACKUP AUTH
      - run: firebase --debug use ${{ matrix.project }}
      - run: firebase auth:export __snapshot__.json
      # - id: authBkp
      #   name: Authenticate to Google Cloud with Backup SA
      #   uses: google-github-actions/auth@v1
      #   with:
      #     create_credentials_file: 'true'
      #     workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
      #     service_account: ${{ env.BACKUP_SERVICE_ACCOUNT }}
      #     project_id: ${{ matrix.project }}
      - name: Upload to Cloud Storage Bucket
        run: gsutil -m cp __snapshot__.json gs://${{ matrix.project }}-backups/auth/__snapshot__.json
      ##########################################################################
      ## BACKUP RTDB
      - name: Download RTDB data
        run: firebase database:get --output __snapshot__.json /
      # Make sure your backup bucket is named: {project-id}-backups
      - name: Upload to Cloud Storage Bucket
        run: gsutil -m cp __snapshot__.json gs://${{ matrix.project }}-backups/rtdb/__snapshot__.json
      ##########################################################################
      ## BACKUP STORAGE
      ##
      ## Make sure to adjust this step if you are having more than just the
      ## default bucket named: {project-id}.appspot.com
      # Using rsync for delta updates of the backup
      # https://cloud.google.com/storage/docs/gsutil/commands/rsync
      # Note: `matrix.bucket` is not defined in the matrix above, so it expands
      # to an empty string and the destination ends in `__snapshot__//`.
      - name: Sync storage bucket with backup
        run: >-
          gsutil -m
          rsync -r -d
          gs://${{ matrix.project }}.appspot.com
          gs://${{ matrix.project }}-backups/storage/__snapshot__/${{ matrix.bucket }}/
```
Log output
Error: google-github-actions/auth failed with: retry function failed after 4 attempts: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/388216087510/locations/global/workloadIdentityPools/fame-identity-pool/providers/-fame-identity-pool-gh-provider: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
##[debug]Node Action run completed with exit code 1
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json'
##[debug]CLOUDSDK_CORE_PROJECT='projectb-v2'
##[debug]CLOUDSDK_PROJECT='projectb-v2'
##[debug]GCLOUD_PROJECT='projectb-v2'
##[debug]GCP_PROJECT='projectb-v2'
##[debug]GOOGLE_CLOUD_PROJECT='projectb-v2'
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-f37995ac5c58bf86.json
##[debug]Set output project_id = projectb-v2
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-f5b2a5c1f9bfc5cb.json
##[debug]Set output project_id = projectb-v2
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-13498d2b2d423d8d.json
##[debug]Set output project_id = projectb-v2
##[debug]Set output credentials_file_path = /home/runner/work/blah/blah/gha-creds-bb0f4bff66427dae.json
##[debug]Set output project_id = projectb-v2
##[debug]Finishing: Authenticate to Google Cloud
Additional information
Can share the full debug logs in a safe manner (e-mail?).
I've anonymised some details in the YAML file, but the original structure is the same. Ok to share it over a safer channel too.
I can also share the working v1 logs.
Cheers.
Hi there @josekasna 👋!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @josekasna - you can find instructions for sharing the complete logs and YAML files in the TROUBLESHOOTING guide. Do you have a smaller/shorter action.yml that reproduces the issue?
Hi @sethvargo, thanks for the quick response. The full YAML is already here, just a bit anonymised. I just sent the original one + logs to the referred e-mail.
Let me know if that's enough or if you want me to create a new one that's shorter, I can test it out as well.
Cheers!
While reviewing it here (but I don't know the internals of the auth action), I noticed we are using actions/checkout@v3, while the docs mention `Run actions/checkout@v4`. Could that be a problem?
Thanks!
I think this may have less to do with the action, and more to do with the Workload Identity Federation config side of things.
I noticed a change where you could "Grant access" => "CONNECTED SERVICE ACCOUNTS" and would select "all users from the pool", and now, it seems, the service account needs a filter at its level, and I may be missing a mandatory attribute in that?
Will copy from the provider's config and try again.
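The `invalid_target` error in the TL;DR is the STS endpoint saying that the `audience` it was handed (by default `https://iam.googleapis.com/` followed by the `workload_identity_provider` value) does not name a live pool and provider; the last comment above then asks whether the service-account side of the federation is bound correctly. The script below is an added example for this thread, not code from google-github-actions/auth or from the issue author. It checks a `workload_identity_provider` string offline for the shapes that cannot name an existing provider (an `https://` or `//iam.googleapis.com/` prefix, a project ID where the project number is required, a pool or provider ID that is not lowercase letters, digits and hyphens without a leading hyphen; the ID rules are assumed), derives the default audience and the `principalSet://` member that must hold `roles/iam.workloadIdentityUser` on the service account when the provider maps `attribute.repository` (the usual GitHub mapping), checks a service-account IAM policy for that binding, and lists the `gcloud` commands that confirm the rest with real credentials. The sample policy is constructed data, not anyone's real project.

```python
"""Offline checks for a google-github-actions/auth `workload_identity_provider`
value and the IAM binding Workload Identity Federation needs on the service account.

Added example for this thread; not code from google-github-actions/auth or from the
issue author. ID rules for pool/provider names and SAMPLE_POLICY are assumptions.
"""
import json
import re

# Bare resource name the action expects: the project *number*, not the project ID.
_PROVIDER_RE = re.compile(
    r"^projects/(?P<project>\d+)/locations/global/workloadIdentityPools/"
    r"(?P<pool>[a-z0-9][a-z0-9-]*)/providers/(?P<provider>[a-z0-9][a-z0-9-]*)$"
)
_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")  # assumed pool/provider ID rule

# Provider name taken from the issue's "Observed behavior" error line.
EXAMPLE_PROVIDER = ("projects/388216187562/locations/global/workloadIdentityPools/"
                    "identity-pool/providers/identity-pool-gh-provider")


def parse_provider(name: str) -> dict:
    """Split a provider resource name into project/pool/provider, raising
    ValueError with a specific reason when the string cannot name a provider."""
    if name.startswith(("//iam.googleapis.com/", "https://")):
        raise ValueError("pass the bare resource name, without the //iam.googleapis.com/ "
                         "or https:// prefix; the action adds the audience prefix itself")
    m = _PROVIDER_RE.match(name)
    if m is not None:
        return m.groupdict()
    parts = name.split("/")
    if len(parts) == 8 and parts[0] == "projects" and not parts[1].isdigit():
        raise ValueError(f"project segment must be the numeric project number, got {parts[1]!r}")
    if (len(parts) == 8 and parts[2:5] == ["locations", "global", "workloadIdentityPools"]
            and parts[6] == "providers"):
        for label, ident in (("pool", parts[5]), ("provider", parts[7])):
            if not _ID_RE.match(ident):
                raise ValueError(f"{label} id {ident!r} must be lowercase letters, digits "
                                 "and hyphens and must not start with a hyphen")
    raise ValueError("expected projects/<number>/locations/global/workloadIdentityPools/"
                     "<pool>/providers/<provider>")


def audience(name: str) -> str:
    """Default `audience` the action presents to STS; `invalid_target` means this
    value does not resolve to an enabled pool and provider."""
    parse_provider(name)
    return "https://iam.googleapis.com/" + name


def principal_set(name: str, repository: str) -> str:
    """Member that needs roles/iam.workloadIdentityUser on the target service
    account for workflows from `repository` ("owner/repo"), assuming the provider
    maps attribute.repository from the GitHub token's `repository` claim."""
    p = parse_provider(name)
    return (f"principalSet://iam.googleapis.com/projects/{p['project']}/locations/global/"
            f"workloadIdentityPools/{p['pool']}/attribute.repository/{repository}")


def policy_grants(policy_json: str, role: str, member: str) -> bool:
    """True if an IAM policy (JSON from
    `gcloud iam service-accounts get-iam-policy SA --format=json`) binds member to role."""
    policy = json.loads(policy_json)
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def gcloud_checks(name: str, service_account: str) -> list:
    """Commands (run with credentials, not here) that confirm the provider exists
    and is enabled, and fetch the policy that policy_grants() inspects."""
    p = parse_provider(name)
    return [
        f"gcloud iam workload-identity-pools providers describe {p['provider']} "
        f"--project={p['project']} --location=global --workload-identity-pool={p['pool']}",
        f"gcloud iam service-accounts get-iam-policy {service_account} --format=json",
    ]


# Constructed sample policy (not real data): the pool is bound, but for another repo.
SAMPLE_POLICY = json.dumps({
    "bindings": [{
        "role": "roles/iam.workloadIdentityUser",
        "members": [principal_set(EXAMPLE_PROVIDER, "Org1/other-repo")],
    }],
    "etag": "BwX0", "version": 1,
})

if __name__ == "__main__":
    print(audience(EXAMPLE_PROVIDER))
    member = principal_set(EXAMPLE_PROVIDER, "Org1/blah")
    print(member, policy_grants(SAMPLE_POLICY, "roles/iam.workloadIdentityUser", member))
    for cmd in gcloud_checks(EXAMPLE_PROVIDER, "firebase-adminsdk-e0dxp@projectb-v2.iam.gserviceaccount.com"):
        print(cmd)
    for bad in ("//iam.googleapis.com/" + EXAMPLE_PROVIDER,
                EXAMPLE_PROVIDER.replace("388216187562", "projectb-v2")):
        try:
            parse_provider(bad)
        except ValueError as err:
            print("rejected:", err)
```

If every check here passes and the describe command shows `state: ACTIVE` for the provider, the remaining places to look are the provider's attribute condition (a condition that rejects the token yields a different error than `invalid_target`) and whether the token is issued for the repository the binding names, which a forked or renamed repository changes.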