google-github-actions / setup-gcloud

A GitHub Action for installing and configuring the gcloud CLI.

Home Page: https://cloud.google.com/sdk/docs


Get PERMISSION_DENIED from updating API Gateway config

nuxzero opened this issue · comments

Hello,

I am trying to update API Gateway, but it doesn't work. When the Update API Gateway config step runs, it gets a PERMISSION_DENIED error.
Not really sure what is missing in the actions config below.
I used the guide to set up Workload Identity Federation: https://github.com/marketplace/actions/authenticate-to-google-cloud#setting-up-workload-identity-federation.

name: Build and Deploy
on:
  push:
    branches:
      - main

jobs:
  deploy-api-gateway:
    name: Deploy API Gateway
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
      - name: Checkout Repo
        uses: actions/checkout@master

      - name: Set up Cloud Auth
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: projects/xxxxx/locations/global/workloadIdentityPools/github/providers/github
          service_account: github@xxxxx.iam.gserviceaccount.com

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v1
        with:
          version: ">= 416.0.0"

      - name: Update API Gateway config
        run: |
          gcloud api-gateway gateways update xxxxx \
          --api=xxxxx --api-config=xxxxx \
          --location=asia-northeast1 --project=xxxxx --verbosity=debug

Error

"error": {
  "code": 403,
  "message": "Permission 'apigateway.gateways.get' denied on 'projects/xxxxx/locations/asia-northeast1/gateways/xxxxx'",
  "status": "PERMISSION_DENIED"
}

Full logs

2023-08-26T07:03:06.7553135Z ##[group]Run google-github-actions/setup-gcloud@v1
2023-08-26T07:03:06.7553727Z with:
2023-08-26T07:03:06.7554009Z   version: >= 416.0.0
2023-08-26T07:03:06.7554291Z   skip_install: false
2023-08-26T07:03:06.7554578Z env:
2023-08-26T07:03:06.7555045Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json
2023-08-26T07:03:06.7555735Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json
2023-08-26T07:03:06.7556354Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json
2023-08-26T07:03:06.7556837Z   CLOUDSDK_CORE_PROJECT: xxxxx
2023-08-26T07:03:06.7557199Z   CLOUDSDK_PROJECT: xxxxx
2023-08-26T07:03:06.7557542Z   GCLOUD_PROJECT: xxxxx
2023-08-26T07:03:06.7557875Z   GCP_PROJECT: xxxxx
2023-08-26T07:03:06.7558219Z   GOOGLE_CLOUD_PROJECT: xxxxx
2023-08-26T07:03:06.7558584Z ##[endgroup]
2023-08-26T07:03:08.3119468Z [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/235ac452-6873-4f08-b38c-caccefb6e67a -f /home/runner/work/_temp/362604c3-b201-4edd-8856-19d61dbcfe3a
2023-08-26T07:03:28.6584238Z Successfully authenticated
2023-08-26T07:03:28.6804135Z ##[group]Run gcloud api-gateway gateways update xxxxx \
2023-08-26T07:03:28.6805115Z gcloud api-gateway gateways update xxxxx \
2023-08-26T07:03:28.6805660Z --api=xxxxx --api-config=xxxxx \
2023-08-26T07:03:28.6806254Z --location=asia-northeast1 --project=xxxxx --verbosity=debug
2023-08-26T07:03:28.6873702Z shell: /usr/bin/bash -e {0}
2023-08-26T07:03:28.6874139Z env:
2023-08-26T07:03:28.6874657Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json
2023-08-26T07:03:28.6875410Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json
2023-08-26T07:03:28.6876214Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json
2023-08-26T07:03:28.6876797Z   CLOUDSDK_CORE_PROJECT: xxxxx
2023-08-26T07:03:28.6877394Z   CLOUDSDK_PROJECT: xxxxx
2023-08-26T07:03:28.6877868Z   GCLOUD_PROJECT: xxxxx
2023-08-26T07:03:28.6878305Z   GCP_PROJECT: xxxxx
2023-08-26T07:03:28.6878788Z   GOOGLE_CLOUD_PROJECT: xxxxx
2023-08-26T07:03:28.6879294Z   CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2023-08-26T07:03:28.6879849Z   CLOUDSDK_METRICS_ENVIRONMENT_VERSION: 1.1.1
2023-08-26T07:03:28.6880278Z ##[endgroup]
2023-08-26T07:03:29.4257617Z DEBUG: Running [gcloud.api-gateway.gateways.update] with arguments: [--api: "xxxxx", --api-config: "xxxxx", --location: "asia-northeast1", --project: "xxxxx", --verbosity: "debug", GATEWAY: "xxxxx"]
2023-08-26T07:03:29.4300709Z INFO: Using alternate credentials from file: [/home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json]
2023-08-26T07:03:29.4382740Z DEBUG: Making request: GET https://pipelines.actions.githubusercontent.com/7lTqtNh2lN5QiHwAFp8Ros4kodGvJsMcNmycefCCqJVtTcH29k/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/5a922f80-1247-496c-9e46-a688775bd123/jobs/09c0ab2d-3345-5115-e48f-6d868bc459de/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2F***
2023-08-26T07:03:29.4421906Z DEBUG: Starting new HTTPS connection (1): pipelines.actions.githubusercontent.com:443
2023-08-26T07:03:29.5633568Z DEBUG: https://pipelines.actions.githubusercontent.com:443 "GET /7lTqtNh2lN5QiHwAFp8Ros4kodGvJsMcNmycefCCqJVtTcH29k/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/5a922f80-1247-496c-9e46-a688775bd123/jobs/09c0ab2d-3345-5115-e48f-6d868bc459de/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2F*** HTTP/1.1" 200 None
2023-08-26T07:03:29.5643930Z DEBUG: Making request: POST https://sts.googleapis.com/v1/token
2023-08-26T07:03:29.5670324Z DEBUG: Starting new HTTPS connection (1): sts.googleapis.com:443
2023-08-26T07:03:29.6986028Z DEBUG: https://sts.googleapis.com:443 "POST /v1/token HTTP/1.1" 200 None
2023-08-26T07:03:29.7001343Z DEBUG: Making request: POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***:generateAccessToken
2023-08-26T07:03:29.7032811Z DEBUG: Starting new HTTPS connection (1): iamcredentials.googleapis.com:443
2023-08-26T07:03:29.8126621Z DEBUG: https://iamcredentials.googleapis.com:443 "POST /v1/projects/-/serviceAccounts/***:generateAccessToken HTTP/1.1" 200 None
2023-08-26T07:03:29.8269939Z INFO: Using alternate credentials from file: [/home/runner/work/xxxxx/xxxxx/gha-creds-c0c4834065a93b18.json]
2023-08-26T07:03:29.8555913Z DEBUG: Starting new HTTPS connection (1): apigateway.googleapis.com:443
2023-08-26T07:03:30.8389214Z DEBUG: https://apigateway.googleapis.com:443 "GET /v1/projects/xxxxx/locations/asia-northeast1/gateways/xxxxx?alt=json HTTP/1.1" 403 None
2023-08-26T07:03:30.8472317Z DEBUG: (gcloud.api-gateway.gateways.update) PERMISSION_DENIED: Permission 'apigateway.gateways.get' denied on 'projects/xxxxx/locations/asia-northeast1/gateways/xxxxx'
2023-08-26T07:03:30.8481372Z Traceback (most recent call last):
2023-08-26T07:03:30.8482008Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/googlecloudsdk/calliope/cli.py", line 987, in Execute
2023-08-26T07:03:30.8482888Z     resources = calliope_command.Run(cli=self, args=args)
2023-08-26T07:03:30.8483533Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/googlecloudsdk/calliope/backend.py", line 807, in Run
2023-08-26T07:03:30.8484125Z     resources = command_instance.Run(args)
2023-08-26T07:03:30.8484727Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/surface/api_gateway/gateways/update.py", line 57, in Run
2023-08-26T07:03:30.8485396Z     gateway, mask = self.ProcessUpdates(gateways_client.Get(gateway_ref), args)
2023-08-26T07:03:30.8486131Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/googlecloudsdk/api_lib/api_gateway/base.py", line 83, in Get
2023-08-26T07:03:30.8486727Z     return self.service.Get(req)
2023-08-26T07:03:30.8487385Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/googlecloudsdk/generated_clients/apis/apigateway/v1/apigateway_v1_client.py", line 575, in Get
2023-08-26T07:03:30.8488002Z     return self._RunMethod(
2023-08-26T07:03:30.8488620Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/third_party/apitools/base/py/base_api.py", line 737, in _RunMethod
2023-08-26T07:03:30.8489323Z     return self.ProcessHttpResponse(method_config, http_response, request)
2023-08-26T07:03:30.8490043Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/third_party/apitools/base/py/base_api.py", line 743, in ProcessHttpResponse
2023-08-26T07:03:30.8490726Z     self.__ProcessHttpResponse(method_config, http_response, request))
2023-08-26T07:03:30.8491601Z   File "/opt/hostedtoolcache/gcloud/444.0.0/x64/lib/third_party/apitools/base/py/base_api.py", line 609, in __ProcessHttpResponse
2023-08-26T07:03:30.8492234Z     raise exceptions.HttpError.FromResponse(
2023-08-26T07:03:30.8494598Z apitools.base.py.exceptions.HttpForbiddenError: HttpError accessing <https://apigateway.googleapis.com/v1/projects/xxxxx/locations/asia-northeast1/gateways/xxxxx?alt=json>: response: <{'vary': 'Origin, X-Origin, Referer', 'content-type': 'application/json; charset=UTF-8', 'content-encoding': 'gzip', 'date': 'Sat, 26 Aug 2023 07:03:30 GMT', 'server': 'ESF', 'cache-control': 'private', 'x-xss-protection': '0', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'alt-svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000', 'transfer-encoding': 'chunked', 'status': 403}>, content <{
2023-08-26T07:03:30.8495973Z   "error": {
2023-08-26T07:03:30.8496303Z     "code": 403,
2023-08-26T07:03:30.8497104Z     "message": "Permission 'apigateway.gateways.get' denied on 'projects/xxxxx/locations/asia-northeast1/gateways/xxxxx'",
2023-08-26T07:03:30.8497708Z     "status": "PERMISSION_DENIED"
2023-08-26T07:03:30.8498067Z   }
2023-08-26T07:03:30.8498357Z }
2023-08-26T07:03:30.8498840Z >
2023-08-26T07:03:30.8499795Z ERROR: (gcloud.api-gateway.gateways.update) PERMISSION_DENIED: Permission 'apigateway.gateways.get' denied on 'projects/xxxxx/locations/asia-northeast1/gateways/xxxxx'
2023-08-26T07:03:30.9651190Z ##[error]Process completed with exit code 1.

In my case, I missed the API Gateway Admin role on my service account. After adding this role in the console, it works. However, I'm not able to add this role via the command line.

gcloud iam service-accounts add-iam-policy-binding "github-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/apigateway.admin" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

Error

ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/apigateway.admin is not supported for this resource.
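Added example, not code from the issue thread or from the setup-gcloud project. The logs in the original post show that the Workload Identity Federation part already worked (the GitHub OIDC token was exchanged at sts.googleapis.com and generateAccessToken returned 200); only the API Gateway GET was denied, so the fix is an IAM binding, not a workflow change. The follow-up's bind fails because `gcloud iam service-accounts add-iam-policy-binding` edits the IAM policy of the service account as a resource, where only service-account roles apply (such as roles/iam.workloadIdentityUser, which the WIF guide uses to let the GitHub principal impersonate the account). roles/apigateway.admin governs API Gateway resources and has to be granted on the project with `gcloud projects add-iam-policy-binding`. The script below encodes that split, builds both commands for review before running them, and adds two verification steps. PROJECT_ID, SA_NAME, WIF_POOL_ID and REPO are placeholders to edit; SA_RESOURCE_ROLES is an illustrative list of roles commonly bound on a service-account resource, not an exhaustive one.

```shell
#!/usr/bin/env bash
# Added example: grant the denied API Gateway permission at the project level,
# bind the GitHub principal on the service account, and verify both.
set -eu

PROJECT_ID="my-project"                 # placeholder: your GCP project id
SA_NAME="github-service-account"        # placeholder: service account name
WIF_POOL_ID="projects/123456789012/locations/global/workloadIdentityPools/github"  # placeholder
REPO="my-org/my-repo"                   # placeholder: GitHub owner/repo

# Roles that are bound on the service account *as a resource* (illustrative list).
# Every other role, roles/apigateway.admin included, belongs on the project, which is
# why `gcloud iam service-accounts add-iam-policy-binding` rejects it as unsupported.
SA_RESOURCE_ROLES="roles/iam.workloadIdentityUser roles/iam.serviceAccountUser roles/iam.serviceAccountTokenCreator roles/iam.serviceAccountOpenIdTokenCreator"

sa_email()   { printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT_ID"; }
sa_member()  { printf 'serviceAccount:%s\n' "$(sa_email)"; }
# The principalSet from the WIF guide: every workflow run from this repository.
wif_member() { printf 'principalSet://iam.googleapis.com/%s/attribute.repository/%s\n' "$WIF_POOL_ID" "$REPO"; }

# Decide which resource a role must be bound on: "service-account" or "project".
binding_target() {
  local role="$1" r
  for r in $SA_RESOURCE_ROLES; do
    if [ "$r" = "$role" ]; then echo service-account; return 0; fi
  done
  echo project
}

# bind_role ROLE MEMBER [dry-run]: build the right gcloud command for the role's
# target; "dry-run" prints the command for review instead of executing it.
bind_role() {
  local role="$1" member="$2" mode="${3:-apply}"
  case "$(binding_target "$role")" in
    service-account)
      set -- gcloud iam service-accounts add-iam-policy-binding "$(sa_email)" \
        "--project=$PROJECT_ID" "--role=$role" "--member=$member" ;;
    project)
      set -- gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        "--role=$role" "--member=$member" ;;
  esac
  if [ "$mode" = dry-run ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pull the denied permission out of a gcloud PERMISSION_DENIED line read on stdin,
# e.g. "... Permission 'apigateway.gateways.get' denied on '...'" -> apigateway.gateways.get
denied_permission() {
  sed -n "s/.*Permission '\([^']*\)' denied on.*/\1/p" | head -n1
}

# The two bindings the workflow needs: GitHub principal -> impersonate the SA
# (bound on the SA), SA -> API Gateway Admin (bound on the project).
apply_bindings() {
  bind_role roles/iam.workloadIdentityUser "$(wif_member)"
  bind_role roles/apigateway.admin "$(sa_member)"
}

# Verification 1: which project-level roles does the service account hold?
show_sa_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$(sa_member)" \
    --format="value(bindings.role)"
}

# Verification 2: does ROLE actually include PERMISSION (the one the 403 named)?
role_has_permission() {
  gcloud iam roles describe "$1" --format="value(includedPermissions)" | tr ';' '\n' | grep -qx "$2"
}

# Review the commands first; nothing is changed until apply_bindings runs.
bind_role roles/iam.workloadIdentityUser "$(wif_member)" dry-run
bind_role roles/apigateway.admin "$(sa_member)" dry-run
# To apply and verify (needs gcloud authenticated as a project IAM admin):
# apply_bindings && show_sa_roles && role_has_permission roles/apigateway.admin apigateway.gateways.get && echo OK
```

Run it once as-is to see the two commands it would issue, then uncomment the last line. `role_has_permission` is the check worth keeping around: when a future step fails with a new 403, pipe the error line through `denied_permission` and test the role you intend to grant against that permission before widening anything.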