Google Cloud Service Account Key JSON not working
BenjaOliva opened this issue · comments
TL;DR
When I tried using the JSON key from GCP, stored as a GitHub secret, in my workflow, I got this error:
Error: google-github-actions/auth failed with: retry function failed after 4 attempts: the GitHub Action workflow must specify exactly one of "workload_identity_provider" or "credentials_json"! If you are specifying input values via GitHub secrets, ensure the secret is being injected into the environment. By default, secrets are not passed to workflows triggered from forks, including Dependabot.
Expected behavior
Successful auth using the JSON key stored in the GitHub secret
Observed behavior
Job failing on auth process
Action YAML
```yaml
name: GitHub Actions Next JS Deployment - Staging
on:
  push:
    branches:
      - staging
jobs:
  build-and-push-to-gar-service-account:
    permissions:
      contents: "read"
      id-token: "write"
    name: Build & push - with service account
    env:
      PROJECT_ID: <project-id>
      REGION: us-central1
      REPO_NAME: <repo-name>
      BRANCH: staging
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v2
      - name: Set up Google Cloud SDK Auth
        uses: "google-github-actions/auth@v2"
        with:
          credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}"
      - name: "Set up Cloud SDK CLI"
        uses: "google-github-actions/setup-gcloud@v2"
      - name: "Check gcloud CLI"
        run: "gcloud info"
      - name: Build and push to GAR
        env:
          GOOGLE_PROJECT: ${{ env.PROJECT_ID }}
          REPO_NAME: ${{ env.REPO_NAME }}
        run: |
          gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev
          docker build -t us-central1-docker.pkg.dev/<project-id>/web-builds/<repo-name>:latest . --no-cache
          docker push us-central1-docker.pkg.dev/<project-id>/web-builds/<repo-name>:latest
```
Log output
Error: google-github-actions/auth failed with: retry function failed after 4 attempts: the GitHub Action workflow must specify exactly one of "workload_identity_provider" or "credentials_json"! If you are specifying input values via GitHub secrets, ensure the secret is being injected into the environment. By default, secrets are not passed to workflows triggered from forks, including Dependabot.
Additional information
I tried with WIF (Workload Identity Federation) and could log in. Unfortunately, the docker push fails because of a permission denied error, but I tried the same commands with the same account locally and could push without issues.
Hi there @BenjaOliva 👋!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Well, I just found out that I was not using the new GitHub Environment Secrets in the right way 🤦
Basically, I checked the troubleshooting docs provided, enabled the debug logs, and noticed that the secret I was using was null. So I researched and found out that to use an environment variable you have to set `environment: <ENV_NAME>` on the job to use the secrets located inside it. Like this:
```yaml
jobs:
  build-and-push-to-gar-service-account:
    permissions:
      contents: 'read'
      id-token: 'write'
    name: Build & push - with service account
    environment: Staging
    env:
      PROJECT_ID: <YOUR_PROJECT_ID>
      REGION: us-central1
      REPO_NAME: <YOUR_REPO_NAME>
      EMAIL: ${{ secrets.SA_EMAIL }}
      BRANCH: staging
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4
      - name: Set up Google Cloud SDK Auth
        uses: 'google-github-actions/auth@v2'
        with:
          project_id: ${{ env.PROJECT_ID }}
          ...
```
That fixed my workflow on the first try.
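The root cause above was a secret that arrived empty because the job did not declare `environment:`, and the auth action only reported a generic "specify exactly one of ..." error. The following pre-flight check is an added example, not code from this issue or from google-github-actions/auth: it validates the `credentials_json` value before the auth step runs and reports a safe summary without ever printing key material. The function name, the field list and the sample key (with a placeholder private key) are constructed for this example.

```python
import json
import os

# Fields a GCP service account key JSON must carry for the auth action to use it
# (constructed list for this example, based on the standard key layout).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def validate_sa_key(raw: str) -> tuple[bool, str]:
    """Return (ok, message). The message never contains key material, so it can
    be printed in a workflow log. An empty value is exactly what a job sees when
    the secret lives in a GitHub Environment but the job lacks `environment:`."""
    if not raw or not raw.strip():
        return False, "secret is empty: check that the job declares `environment:` for environment-scoped secrets"
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"secret is not valid JSON ({exc.msg} at char {exc.pos})"
    if not isinstance(key, dict):
        return False, "secret is JSON but not an object"
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        return False, "key is missing fields: " + ", ".join(missing)
    if key["type"] != "service_account":
        return False, f"key type is {key['type']!r}, expected 'service_account'"
    if "BEGIN PRIVATE KEY" not in key["private_key"]:
        return False, "private_key is not a PEM private key"
    # Identify the key without revealing it: email, project and a short key-id prefix.
    return True, (f"service account {key['client_email']} in project {key['project_id']}, "
                  f"key id {key['private_key_id'][:8]}...")


# Constructed sample key for this example; the private key is a placeholder, not real material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "deployer@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    # In a workflow step, pass the secret via: env: GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
    # Falls back to the constructed sample so the script also runs offline.
    ok, msg = validate_sa_key(os.environ.get("GOOGLE_CREDENTIALS", SAMPLE_KEY))
    print(("OK: " if ok else "FAIL: ") + msg)
    raise SystemExit(0 if ok else 1)
```

Run it as a step before `google-github-actions/auth` so a missing `environment:` fails fast with a message that names the actual problem.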