serverless-google-cloudfunctions
The incoming JSON object does not contain a client_email field - github actions - google
Are you certain it's a bug?
- [X] Yes, it looks like a bug
Is the issue caused by a plugin?
- [X] It is not a plugin issue
Are you using the latest version?
- [X] Yes, I'm using the latest version
Is there an existing issue for this?
- [X] I have searched existing issues, it hasn't been reported yet
Issue description
Hi,
I'm trying to set up integration with GitHub Actions (using identity federation) to deploy a cloud function to GCP, but I have no idea why I'm getting the error: The incoming JSON object does not contain a client_email field
I've set up roles for the service account:
```shell
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudfunctions.developer"
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"
```
My GitHub Actions pipeline:
```yaml
name: Build and Deploy fun
on:
  push:
    branches:
      - master
    paths:
      - 'fun/**'
jobs:
  build-deploy:
    name: Build and Deploy to GCP
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    strategy:
      matrix:
        node-version: [14.x]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: 'projects/XYZ/locations/global/workloadIdentityPools/github-actions/providers/github'
          service_account: '[email protected]'
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: serverless install plugins
        uses: serverless/github-action@v3
        with:
          args: plugin install -n serverless-google-cloudfunctions
      - name: serverless deploy
        uses: serverless/github-action@v3
        with:
          args: -c "cd ./fun && serverless deploy"
          entrypoint: /bin/sh
```
Service configuration (serverless.yml) content
```yaml
service: cloud-functions
provider:
  name: google
  runtime: nodejs14
  region: us-central1
  project: XYZ
plugins:
  - serverless-google-cloudfunctions
package:
  exclude:
    - node_modules/**
    - .gitignore
    - .git/**
functions:
  test:
    handler: http
    events:
      - http: path
```
Command name and used flags
serverless deploy
Command output
```
Error:
Error: The incoming JSON object does not contain a client_email field
    at JWT.fromJSON (/github/workspace/node_modules/google-auth-library/build/src/auth/jwtclient.js:195:19)
    at GoogleAuth._cacheClientFromJSON (/github/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:301:16)
    at ReadStream.<anonymous> (/github/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:336:40)
    at ReadStream.emit (events.js:412:35)
    at ReadStream.emit (domain.js:475:12)
    at endReadableNT (internal/streams/readable.js:1334:12)
    at processTicksAndRejections (internal/process/task_queues.js:82:21)
1 deprecation found: run 'serverless doctor' for more details
```
Environment information
serverless/github-action@v3
Environment: linux, node 14.19.1, framework 3.14.0, plugin 6.2.2, SDK 4.3.2
I'm also having the same issue. Any updates or suggestions?
If this is happening to you, it could be due to the fact that you might be using a method for authenticating that might not be supported by the Google auth library that this plugin is using. In our case we were also using keyless authentication with GitHub Actions (with identity federation). Here's the workaround:
Resolve the version of the nested google-auth-library to at least version 7.0 (we went up to the latest version available to date, 9.6.3, because the breaking changes seemed inconsequential to us). We are using yarn, so you can do this using package.json resolutions. The GitHub Action from Google automatically sets environment variables, and the plugin correctly picks them up.
PS: This is unrelated, but might be helpful to somebody. We also had some trouble with the mappings of the attributes. Make sure you have the correct mappings :)
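A preflight check for the mismatch described in this thread, written as an added example (not code from the plugin or from any commenter): it classifies a parsed credentials file by its `type` and flags every installed google-auth-library copy that cannot load it. The function names, the nested path and the sample data are constructed; the version floor is the one given in the workaround comment.

```javascript
// Added example: names and sample data are constructed, not plugin code.

// Version floor taken from the workaround comment ("at least version 7.0").
const MIN_MAJOR = 7;

// Decide whether one google-auth-library copy can load a parsed
// GOOGLE_APPLICATION_CREDENTIALS file.
function checkCredentials(cred, libVersion) {
  const major = Number.parseInt(String(libVersion).split('.')[0], 10);
  if (Number.isNaN(major)) return { ok: false, reason: 'unparseable version' };
  const type = cred && cred.type;
  if (type === 'external_account') {
    // Federated config: no client_email or private_key at the top level,
    // so an older library that expects a key file rejects it.
    return major >= MIN_MAJOR
      ? { ok: true, reason: 'keyless credentials supported' }
      : { ok: false, reason: 'library too old for external_account' };
  }
  if (type === 'service_account') {
    return cred.client_email && cred.private_key
      ? { ok: true, reason: 'service account key file' }
      : { ok: false, reason: 'key file missing client_email or private_key' };
  }
  return { ok: false, reason: `credential type not covered by this check: ${type}` };
}

// Return the paths of every installed copy that would fail for `cred`.
function findBlockingCopies(cred, copies) {
  return copies
    .filter((c) => !checkCredentials(cred, c.version).ok)
    .map((c) => c.path);
}

// Constructed sample: shape of a credentials file used for identity federation.
const federatedCred = {
  type: 'external_account',
  audience: '//iam.googleapis.com/projects/XYZ/locations/global/workloadIdentityPools/github-actions/providers/github',
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
};
// Constructed sample: a current top-level copy and an old nested copy.
const installedCopies = [
  { path: 'node_modules/google-auth-library', version: '9.6.3' },
  { path: 'node_modules/some-dependency/node_modules/google-auth-library', version: '6.1.6' },
];

console.log(findBlockingCopies(federatedCred, installedCopies));
```

A non-empty result means a nested copy still needs to be pinned (for example through package.json resolutions) before keyless deployment can work.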