Github action doesn't work with GCP. 403: Permission 'iam.serviceAccounts.getAccessToken' denied
Question
I am trying to create a GithubAction job, which should authenticate in GCP via Identity federation and upload some files to a bucket.
Here is the full source code of GitHub action.
In this job I have such a step which doesn't work:

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/736194043976/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'githubsa@learning-words-trial.iam.gserviceaccount.com'
        token_format: 'access_token'

Unfortunately, it fails with 403 error:

    Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to generate Google Cloud access token for githubsa@learning-words-trial.iam.gserviceaccount.com: (403) {
      "error": {
        "code": 403,
        "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
        "status": "PERMISSION_DENIED",
        "details": [
          {
            "@type": "type.googleapis.com/google.rpc.ErrorInfo",
            "reason": "IAM_PERMISSION_DENIED",
            "domain": "iam.googleapis.com",
            "metadata": {
              "permission": "iam.serviceAccounts.getAccessToken"
            }
          }
        ]
      }
    }

My service account githubsa@learning-words-trial.iam.gserviceaccount.com has enough permissions:
And the principal is set (I added random roles for testing):
Also, my-pool and my-provider are configured according to the tutorial and connected with the service account.
Here is an audit log from GCP:

    {
      "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "status": {
          "code": 7,
          "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist)."
        },
        "authenticationInfo": {
          "serviceAccountDelegationInfo": [
            {}
          ],
          "principalSubject": "principal://iam.googleapis.com/projects/736194043976/locations/global/workloadIdentityPools/my-pool/subject/repo:vyshkov/gcp-serverless:ref:refs/heads/main"
        },
        "requestMetadata": {
          "callerIp": "172.176.229.16",
          "callerSuppliedUserAgent": "google-github-actions:auth/1.0.0,gzip(gfe)",
          "requestAttributes": {
            "time": "2023-02-26T15:54:55.543085043Z",
            "auth": {}
          },
          "destinationAttributes": {}
        },
        "serviceName": "iamcredentials.googleapis.com",
        "methodName": "GenerateAccessToken",
        "authorizationInfo": [
          {
            "permission": "iam.serviceAccounts.getAccessToken",
            "resourceAttributes": {}
          }
        ],
        "resourceName": "projects/-/serviceAccounts/103065049355271736573",
        "request": {
          "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest",
          "name": "projects/-/serviceAccounts/githubsa@learning-words-trial.iam.gserviceaccount.com"
        },
        "metadata": {
          "identityDelegationChain": [
            "projects/-/serviceAccounts/githubsa@learning-words-trial.iam.gserviceaccount.com"
          ]
        }
      },
      "insertId": "sbbvpke10rst",
      "resource": {
        "type": "service_account",
        "labels": {
          "unique_id": "103065049355271736573",
          "email_id": "githubsa@learning-words-trial.iam.gserviceaccount.com",
          "project_id": "learning-words-trial"
        }
      },
      "timestamp": "2023-02-26T15:54:55.523760524Z",
      "severity": "ERROR",
      "logName": "projects/learning-words-trial/logs/cloudaudit.googleapis.com%2Fdata_access",
      "operation": {
        "id": "14170752551549534963",
        "producer": "iamcredentials.googleapis.com",
        "first": true,
        "last": true
      },
      "receiveTimestamp": "2023-02-26T15:54:56.249222142Z"
    }

Can you please point me to where I could make a mistake?
Answer 1
Score: 6
A 403 Permission denied error such as Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist) is due to the principalSet on the service account IAM binding not matching the principalSubject making the call.
It is useful to enable Audit logging for iam.googleapis.com and sts.googleapis.com. Refer to public docs for more details.
The STS token is used to impersonate a service account on which the principalSubject has been granted the roles/iam.workloadIdentityUser role. Additional details on granting access here.
Answer 2
Score: 3
You should add the role iam.serviceAccountTokenCreator and, if necessary, also iam.serviceAccountUser:
gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT@${PROJECT_ID}.iam.gserviceaccount.com" --project="${PROJECT_ID}" --role="roles/iam.serviceAccountTokenCreator" --member=serviceAccount:$SERVICE_ACCOUNT@${PROJECT_ID}.iam.gserviceaccount.com
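The two answers above point at the same root cause from different angles: the caller is a federated identity (the principalSubject in the audit log), and it is only allowed to impersonate the service account if one of the service account's IAM bindings names a member that covers that identity. The following script is an added example, not code from either answer or from google-github-actions/auth. It parses the principalSubject from the question's audit log, checks it against a constructed IAM policy for the service account, and, when no binding grants roles/iam.workloadIdentityUser to a matching member, prints the gcloud command that would bind the exact repository. It assumes the provider maps attribute.repository=assertion.repository and that the subject follows GitHub's repo:OWNER/REPO:ref:... format; the sample policy and the other-repo member are constructed, not taken from the question.

```python
"""Check whether an audit-log principalSubject is covered by a service account's
IAM bindings (the principalSet / principalSubject mismatch described above).
Added diagnostic example; assumptions are marked in comments."""
import re
from typing import Dict, List, Optional

WIF_PREFIX = "iam.googleapis.com/projects/"

# Shape of the principalSubject recorded by IAM audit logs for a federated identity.
SUBJECT_RE = re.compile(
    r"^principal://iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/subject/(?P<subject>.+)$"
)


def parse_principal_subject(uri: str) -> Dict[str, str]:
    """Split a principalSubject into pool project number, pool id and subject."""
    m = SUBJECT_RE.match(uri)
    if not m:
        raise ValueError(f"not a workload identity principal: {uri}")
    info = m.groupdict()
    # Assumption: GitHub's OIDC `sub` claim is repo:OWNER/REPO:ref:refs/heads/BRANCH,
    # so the `repository` claim (OWNER/REPO) can be derived from it.
    parts = info["subject"].split(":")
    if len(parts) >= 2 and parts[0] == "repo":
        info["repository"] = parts[1]
    return info


def member_matches(member: str, subject: Dict[str, str]) -> bool:
    """True if an IAM member string covers the federated identity in `subject`."""
    pool_path = (f"{WIF_PREFIX}{subject['project']}/locations/global/"
                 f"workloadIdentityPools/{subject['pool']}")
    if member.startswith("principal://"):
        # Single identity: must match the subject exactly.
        return member == f"principal://{pool_path}/subject/{subject['subject']}"
    if member.startswith("principalSet://"):
        rest = member[len("principalSet://"):]
        if not rest.startswith(pool_path + "/"):
            return False  # different pool or project number
        tail = rest[len(pool_path) + 1:]
        if tail == "*":
            return True  # every identity in the pool
        attr, _, value = tail.partition("/")
        if attr == "attribute.repository":
            # Assumption: provider mapping attribute.repository=assertion.repository.
            return subject.get("repository") == value
        return False  # other mapped attributes are not derivable from the subject alone
    # user:, group: and serviceAccount: members never describe a federated identity.
    return False


def matching_roles(policy: Dict, subject: Dict[str, str]) -> List[str]:
    """Roles on the service account whose members include the federated identity."""
    return [b["role"] for b in policy.get("bindings", [])
            if any(member_matches(m, subject) for m in b.get("members", []))]


def diagnose(policy: Dict, principal_subject: str, sa_email: str, project_id: str) -> Optional[str]:
    """Return None when impersonation should succeed; otherwise the gcloud command
    that grants roles/iam.workloadIdentityUser to the identity seen in the log."""
    subject = parse_principal_subject(principal_subject)
    if "roles/iam.workloadIdentityUser" in matching_roles(policy, subject):
        return None
    pool_path = (f"{WIF_PREFIX}{subject['project']}/locations/global/"
                 f"workloadIdentityPools/{subject['pool']}")
    if "repository" in subject:
        member = f"principalSet://{pool_path}/attribute.repository/{subject['repository']}"
    else:
        member = f"principal://{pool_path}/subject/{subject['subject']}"
    return (f'gcloud iam service-accounts add-iam-policy-binding "{sa_email}" '
            f'--project="{project_id}" --role="roles/iam.workloadIdentityUser" '
            f'--member="{member}"')


# Constructed sample policy: the token-creator role is bound to the service
# account itself, and the workload identity binding names a different repository
# than the one in the audit log, so the federated caller is not covered.
SA_EMAIL = "githubsa@learning-words-trial.iam.gserviceaccount.com"
POOL = "projects/736194043976/locations/global/workloadIdentityPools/my-pool"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.workloadIdentityUser",
         "members": [f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/vyshkov/other-repo"]},
    ]
}
# principalSubject as it appears in the question's audit log.
AUDIT_SUBJECT = (f"principal://iam.googleapis.com/{POOL}"
                 "/subject/repo:vyshkov/gcp-serverless:ref:refs/heads/main")

if __name__ == "__main__":
    fix = diagnose(SAMPLE_POLICY, AUDIT_SUBJECT, SA_EMAIL, "learning-words-trial")
    print("binding OK" if fix is None else "no matching binding; suggested fix:\n" + fix)
```

Binding the pool-wide `*` member would also make the check pass, but it lets every identity the provider accepts impersonate the service account; binding the exact repository (or the exact subject, which pins the branch as well) keeps the grant as narrow as the audit log shows it needs to be.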