google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.

Home Page: https://cloud.google.com/iam

Impersonation issues for Google Workspace

tcvall86 opened this issue · comments

TL;DR

When trying to add access_token_subject, I receive a 401 response for the auth action:

google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using my-service-account@my-project.iam.gserviceaccount.com:

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}

If I run this without a subject, like:

      - name: Get Google access token
        uses: 'google-github-actions/auth@v2.1.0'
        id: google_access_token
        with:
          project_id: my-project
          workload_identity_provider: workload_idp_string
          service_account: my-service-account@my_project.iam.gserviceaccount.com
          export_environment_variables: true
          token_format: "access_token"
          access_token_lifetime: 1800s
          access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly

The flow passes normally. However, since I need to do impersonation, I would need to add

access_token_subject: my-admin-user@domain.td

Which is when the error happens.

I tried to look into previous impersonation issues like

#234
#174
#63

But regardless, I can't quite get it to work.


I have set up the domain-wide permissions inside of Google Workspace for the service account app ID.

I am not too used to GCP, so it could be something obvious I am missing here. I am thankful for any suggestions!

Regards,
Thomas

Expected behavior

I am expecting impersonation to work so we can use this to access Google Workspace in our actions.

Observed behavior

Call fails with

{
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}

Action YAML

name: Test Google impersonation in seperate flow
run-name: "Access google from ${{ github.repository }}"

on:
  pull_request:
    branches:
      - master
      - main
    types:
      - opened
      - edited
      - synchronize
      - reopened
  workflow_dispatch:

jobs:
  google_workspace_test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      pull-requests: read

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Get Google access token
        uses: 'google-github-actions/auth@v2.1.0'
        id: google_access_token
        with:
          project_id: my-project
          workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-poolname/providers/my-provider
          service_account: my-service-account@my-project.iam.gserviceaccount.com
          export_environment_variables: true
          token_format: "access_token"
          access_token_lifetime: 1800s
          access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
          access_token_subject: my-admin@domain.tl

Log output

2024-01-31T13:26:59.9085486Z ##[group]Run google-github-actions/auth@v2.1.0
2024-01-31T13:26:59.9086279Z with:
2024-01-31T13:26:59.9086849Z   project_id: my-project
2024-01-31T13:26:59.9088421Z   workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-poolname/providers/my-provider
2024-01-31T13:26:59.9090475Z   service_account: my-service-account@my-project.iam.gserviceaccount.com
2024-01-31T13:26:59.9091782Z   export_environment_variables: true
2024-01-31T13:26:59.9092495Z   token_format: access_token
2024-01-31T13:26:59.9093104Z   access_token_lifetime: 1800s
2024-01-31T13:26:59.9094180Z   access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
2024-01-31T13:26:59.9095333Z   access_token_subject: my-admin@domain.tl
2024-01-31T13:26:59.9096124Z   create_credentials_file: true
2024-01-31T13:26:59.9096820Z   universe: googleapis.com
2024-01-31T13:26:59.9097382Z   cleanup_credentials: true
2024-01-31T13:26:59.9098096Z   retries: 3
2024-01-31T13:26:59.9098647Z   backoff: 250
2024-01-31T13:26:59.9099103Z   id_token_include_email: false
2024-01-31T13:26:59.9099706Z ##[endgroup]
2024-01-31T13:27:00.1728663Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-fa93714574e118a9.json"
2024-01-31T13:27:00.5957873Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-b12f97ebaaf28536.json"
2024-01-31T13:27:00.9863978Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-d1f1d356de50805e.json"
2024-01-31T13:27:01.6186372Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-a40fad1e66bc7e28.json"
2024-01-31T13:27:01.7222266Z ##[error]google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using my-service-account@my-project.iam.gserviceaccount.com: {
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "service": "iamcredentials.googleapis.com",
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt"
        }
      }
    ]
  }
}

Additional information

No response

Hi there @tcvall86 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

Can you try auth@v1.3.0 and report whether that works? We changed the way credentials were generated in 2.0, and I'm wondering if it works in 1.0.

I used the auth@v1, which was working until recently, but I found yesterday it broke. So, today I spent a day trying to figure out what's wrong, I also switched to auth@v2 and before that set up Node 20 with actions/setup-node@v4, but I couldn't get it working.
Ultimately I found out the token_format: access_token breaks the auth action.

Following your suggestion, I switched to auth@v1.3.0 and I can confirm that it works. So, as you guessed, probably the changes you introduced broke both v1 and v2.

Can't wait to get it fixed :)

Hi @damir-dezeljin can you try pinning to auth@sethvargo/dwd and see if that works for you? If not, please provide debug logs.

@sethvargo , may I ask you to point me to the auth@sethvargo/dwd sources, or even better, the code changes compared to the original auth action code. Just wanted to check what I'm going to execute before trying it out.

@sethvargo

I can also confirm @v1.3.0 works.
I tried auth@sethvargo/dwd, but that produces the same error as the @v2 versions:

2024-02-01T06:59:52.1177603Z '65de5f9647a11ab92aa9128d0f0300d4951fb5ab'
2024-02-01T06:59:52.1546409Z ##[group]Run google-github-actions/auth@sethvargo/dwd
2024-02-01T06:59:52.1547037Z with:
2024-02-01T06:59:52.1547349Z   project_id: my-project
2024-02-01T06:59:52.1548730Z   workload_identity_provider: projects/project-id/locations/global/workloadIdentityPools/my-pool/providers/my-provider
2024-02-01T06:59:52.1550515Z   service_account: sa@my-project.iam.gserviceaccount.com
2024-02-01T06:59:52.1551289Z   export_environment_variables: true
2024-02-01T06:59:52.1551768Z   token_format: access_token
2024-02-01T06:59:52.1552178Z   access_token_lifetime: 1800s
2024-02-01T06:59:52.1552932Z   access_token_scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
2024-02-01T06:59:52.1553822Z   access_token_subject: tmy-admin@domain.td
2024-02-01T06:59:52.1554373Z   create_credentials_file: true
2024-02-01T06:59:52.1554825Z   universe: googleapis.com
2024-02-01T06:59:52.1555239Z   cleanup_credentials: true
2024-02-01T06:59:52.1555676Z   retries: 3
2024-02-01T06:59:52.1555983Z   backoff: 250
2024-02-01T06:59:52.1556325Z   id_token_include_email: false
2024-02-01T06:59:52.1556740Z ##[endgroup]
2024-02-01T06:59:52.8449285Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-ee397a4481665e3a.json"
2024-02-01T06:59:53.1381954Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-e6757e024686651a.json"
2024-02-01T06:59:53.7739223Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-5622be51b533b96a.json"
2024-02-01T06:59:54.5741153Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-9646df0bd1b5144b.json"
2024-02-01T06:59:54.8599614Z ##[error]google-github-actions/auth failed with: retry function failed after 4 attempts: failed to sign JWT using sa@my-project.iam.gserviceaccount.com: {
  "error": {
    "code": 401,
    "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
        "metadata": {
          "method": "google.iam.credentials.v1.IAMCredentials.SignJwt",
          "service": "iamcredentials.googleapis.com"
        }
      }
    ]
  }
}

Hi @damir-dezeljin - it's linked right above in the GitHub UI (#388).

Hi @tcvall86 - can you provide the debug logs?

@sethvargo

I have attached the debug logs here
debug.log

This part looks a bit weird (Promise ])

##[debug]WorkloadIdentityFederationClient.signJWT: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@my-project.iam.gserviceaccount.com:signJwt",
##[debug]  "headers": {
##[debug]    "Authorization": "*** Promise]"
##[debug]  },

Hi @tcvall86 - Did you sanitize the logs? I'm seeing the project ID as "project-id", the pool as "my-pool", and the provider as "my-provider". WIF requires project number, not project id, but none of those values seem correct.

WorkloadIdentityFederationClient: Computed audience, //iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/my-pool/providers/my-provider

I see that we successfully get a federated token and an access token, so I think you scrubbed the logs. Nonetheless, I was able to see what's going on. Can you please try again with auth@sethvargo/dwd? I needed to use the generated access token to build the DWD token, instead of the federated token.

@sethvargo

Yes, I did sanitize the logs.
It seems like the same issue: it still gets the same error, and I get this in the debug output (unsanitized except for my admin user).
It seems that somewhere, for some reason, the Promise] is not removed when constructing the signJwt request:

##[debug]WorkloadIdentityFederationClient.signJWT: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/eed-infra-github-oidc@eed-infra.iam.gserviceaccount.com:signJwt",
##[debug]  "headers": {
##[debug]    "Authorization": "*** Promise]"
##[debug]  },
##[debug]  "body": {
##[debug]    "payload": "{\"iss\":\"eed-infra-github-oidc@eed-infra.iam.gserviceaccount.com\",\"aud\":\"https://oauth2.googleapis.com/token\",\"iat\":1706891943,\"exp\":1706893743,\"sub\":\"my-admin@mydomain.com\",\"scope\":\"https://www.googleapis.com/auth/admin.directory.user.readonly\"}"
##[debug]  }

Can you send the full debug logs again please with the latest version of auth@sethvargo/dwd please?

Hello @sethvargo

Here are the new logs.

I have sanitized some of the outputs like project ID, pool, provider, my admin, repo etc.

debug.log

Hi @tcvall86 - sorry, but those look like older logs. Can you try again with a new commit? Sometimes GitHub caches the resolved hash if you just click "re-run". There should be new log output that will help debug this.

Hi @sethvargo

Ok so the action does not fail now since your last commit but now I get

##[debug]IAMCredentialsClient.generateDomainWideDelegationAccessToken: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://oauth2.googleapis.com/token",
##[debug]  "headers": {
##[debug]    "Accept": "application/json",
##[debug]    "Content-Type": "application/x-www-form-urlencoded"
##[debug]  },
##[debug]  "body": {}
##[debug]}
Warning: Can't add secret mask for empty string in ##[add-mask] command.

Might be ok though?

I can try it later tomorrow if you want, if the warning is expected I mean

Hi @tcvall86 - yea, that seems unexpected, so I'd like to see the full request and response from the debug logs if possible.

Hello @sethvargo,

Here are the sanitized logs with the most recent run
debug.log

Hi @tcvall86 - okay, it looks like I was expecting the wrong response param (accessToken vs access_token). I just pushed up another change; can you try again please?
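The two points made in this thread (sign a JWT as the service account with the Workspace user as `sub`, authenticating that signJwt call with the generated access token, then exchange the signed JWT at the OAuth2 token endpoint and read `access_token`, not `accessToken`) as an added offline example; this is not code from google-github-actions/auth, and the function names, the constructed token values and the string guard on the caller token are assumptions.

```javascript
// Added example, not the action's source: models the domain-wide-delegation
// (DWD) exchange debugged above, offline, so each request/response shape can
// be inspected and tested without calling Google.

const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
const IAM_CREDENTIALS = 'https://iamcredentials.googleapis.com/v1';

// Step 1: the IAM Credentials signJwt request. The caller authenticates with
// the service account's generated access token (the fix described above),
// and the JWT claims name the Workspace user as `sub`, as in the debug log.
function buildSignJwtRequest({ serviceAccount, subject, scopes, callerToken, now, lifetime = 1800 }) {
  // A Promise interpolated into a string becomes "[object Promise]", which is
  // what a masked "*** Promise]" Authorization header looks like: refuse it.
  if (typeof callerToken !== 'string' || callerToken.length === 0) {
    throw new TypeError(`callerToken must be a non-empty string, got ${typeof callerToken}`);
  }
  const payload = {
    iss: serviceAccount,
    aud: TOKEN_ENDPOINT,
    iat: now,
    exp: now + lifetime, // 1800s matches access_token_lifetime in the workflow
    sub: subject,
    scope: scopes.join(' '),
  };
  return {
    method: 'POST',
    path: `${IAM_CREDENTIALS}/projects/-/serviceAccounts/${serviceAccount}:signJwt`,
    headers: { Authorization: `Bearer ${callerToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ payload: JSON.stringify(payload) }),
  };
}

// Step 2: exchange the signed JWT at the OAuth2 token endpoint using the
// jwt-bearer grant. The body is form-encoded, not JSON.
function buildTokenExchangeRequest(signedJwt) {
  if (typeof signedJwt !== 'string' || signedJwt.length === 0) {
    throw new Error('signedJwt is empty; nothing to exchange');
  }
  return {
    method: 'POST',
    path: TOKEN_ENDPOINT,
    headers: { Accept: 'application/json', 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      assertion: signedJwt,
    }).toString(),
  };
}

// Step 3: the OAuth2 token endpoint answers in snake_case (`access_token`,
// `expires_in`), whereas IAM Credentials generateAccessToken answers in
// camelCase (`accessToken`, `expireTime`). Reading the wrong name silently
// yields an empty token, so fail loudly and name the fields actually seen.
function parseTokenResponse(json) {
  const token = json.access_token;
  if (typeof token !== 'string' || token.length === 0) {
    const seen = Object.keys(json).join(', ') || '(empty object)';
    throw new Error(`token response has no access_token; fields seen: ${seen}`);
  }
  return { accessToken: token, expiresIn: json.expires_in, tokenType: json.token_type };
}
```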

Hello @sethvargo,

Sorry for the late reply here.
Yes it seems the latest version did the trick! No errors. I can also confirm subsequent DWD actions work with the access tokens!

Thanks - released v2.1.1