Cannot find request_reason in Cloud Audit Logs
TL;DR
I configured this GitHub Action with a request_reason value, but cannot find it in any events in Cloud Audit Logs.
Expected behavior
I set a value for request_reason in my GitHub Actions workflow file and validated that authentication works successfully.
I can't find the request_reason field or the value that I set in any of my Cloud Audit Logs. Do you know where this should be logged? Do you have an example query I can use in Logs Explorer to find the events?
https://github.com/google-github-actions/auth/blob/c8788cc4c52eba6566baf085281fec298f1a1146/README.md?plain=1#L287-L291
Observed behavior
Unable to find request_reason or the value that I set in any of my Cloud Audit Logs after the GitHub Action authenticates successfully.
Action YAML
```yaml
name: Workflow 1
on:
  schedule:
    - cron: "5 23 * * *"
  # workflow_dispatch allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
permissions:
  contents: write
  # 'id-token: write' is required to allow GitHub's OIDC provider to create a JSON Web Token for every run
  id-token: write
jobs:
  pull-latest-content:
    runs-on: ubuntu-latest
    env:
      LOGGING_LEVEL: ${{ vars.LOGGING_LEVEL }}
      GOOGLE_CLOUD_PROJECT_ID: ${{ vars.GOOGLE_CLOUD_PROJECT_ID }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GH_PAT }}
      - uses: google-github-actions/auth@v2
        with:
          project_id: ${{ vars.GOOGLE_CLOUD_PROJECT_ID }}
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          access_token_lifetime: 300
          export_environment_variables: true
          create_credentials_file: true
          cleanup_credentials: true
          request_reason: "GitHub Actions - 123456789"
```
### Log output
_No response_
### Additional information
_No response_
Hi there @threat-punter :wave:!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @threat-punter - can you attach the debug logs? That will help me see whether the header is actually being set on the appropriate API call. Have you enabled CAL and DAL?
Hey @threat-punter - any luck after those various changes?
I see X-Goog-Request-Reason is being logged by the GitHub Actions workflow now.
I'm not sure what Data Access audit log setting(s) to enable though so that this is logged in my Google Cloud project. 🤔
It should be sts.googleapis.com
I'll try and find the appropriate setting(s) and report back here. Cheers
I have data access audit logging enabled for the Security Token Service API. I can't find the request reason in my logs. Is it logged for you?
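
An added example, not part of the thread or the action's own code: a Python check over exported audit log entries that reports, per service, how many entries carry a request reason and which entries match a given value. It assumes the reason, when a service records it, appears in `protoPayload.requestMetadata.requestAttributes.reason` (the field the AuditLog schema defines for it); the thread does not confirm that `sts.googleapis.com` populates it, and the sample entries are constructed.

```python
import json
from collections import defaultdict

# Constructed sample entries shaped like a JSON export of Cloud Audit Logs.
# Only sts.googleapis.com and the reason string come from the thread; the rest is made up.
SAMPLE_ENTRIES = json.loads("""
[
  {"insertId": "a1", "protoPayload": {"serviceName": "sts.googleapis.com",
    "requestMetadata": {"requestAttributes": {"reason": "GitHub Actions - 123456789"}}}},
  {"insertId": "a2", "protoPayload": {"serviceName": "sts.googleapis.com",
    "requestMetadata": {"requestAttributes": {}}}},
  {"insertId": "a3", "protoPayload": {"serviceName": "storage.googleapis.com",
    "methodName": "constructed.method"}},
  {"insertId": "a4", "textPayload": "not an audit entry"}
]
""")


def request_reason(entry):
    """Return the recorded request reason, or None when the entry has none."""
    payload = entry.get("protoPayload")
    if not isinstance(payload, dict):
        return None  # not an audit log entry
    meta = payload.get("requestMetadata") or {}
    return (meta.get("requestAttributes") or {}).get("reason") or None


def reason_coverage(entries):
    """Per service: count audit entries with and without a request reason."""
    stats = defaultdict(lambda: {"with_reason": 0, "without_reason": 0})
    for entry in entries:
        payload = entry.get("protoPayload")
        if not isinstance(payload, dict):
            continue  # skip non-audit entries
        key = "with_reason" if request_reason(entry) else "without_reason"
        stats[payload.get("serviceName", "<unknown>")][key] += 1
    return dict(stats)


def find_by_reason(entries, needle):
    """Return insertIds of entries whose reason contains needle."""
    return [e.get("insertId") for e in entries
            if needle in (request_reason(e) or "")]


if __name__ == "__main__":
    print(reason_coverage(SAMPLE_ENTRIES))
    print(find_by_reason(SAMPLE_ENTRIES, "GitHub Actions"))
```

A service that shows only `without_reason` counts is emitting audit entries but not recording the reason, which separates a logging gap from a header that was never sent.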